CVE-2010-1194

NameCVE-2010-1194
DescriptionThe match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs311191

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libesmtp (PTS)jessie1.0.6-4fixed
stretch1.0.6-4.2fixed
buster, bullseye1.0.6-4.3fixed
bookworm1.1.0-3.1~deb12u1fixed
sid, trixie1.1.0-3.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libesmtpsource(unstable)1.0.4-2311191
Search for package or bug name: Reporting problems