Jeff King <> writes:

> On Sun, Feb 24, 2013 at 07:46:51PM +0100, Andreas Ericsson wrote:
>> The lack of certificate authority verification presents no attack vector
>> for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll
>> be credited with a "reported-by" line in the commit message if someone
>> decides to fix it though. Personally, I'm not fussed.
> Sure it presents an attack vector. I can man-in-the-middle your
> imap-send client and read your otherwise secret patches. Or your
> otherwise secret imap password.

Yes, the lack of verification alone will not hurt the victim; you
would need to also be able to insert yourself in the middle, perhaps
by poisoning the victim's DNS.  But one of the points of using
SSL/TLS is to resist such an attack, and it certainly is an attack
surfce, even though it may be of a lessor kind than other kinds of

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to
More majordomo info at

Reply via email to