{"id":"MGASA-2013-0296","summary":"Updated ssmtp package fixes security vulnerability","details":"It was reported that ssmtp, an extremely simple MTA to get mail off the system\nto a mail hub, did not perform x509 certificate validation when initiating a\nTLS connection to server. A rogue server could use this flaw to conduct man-in-\nthe-middle attack, possibly leading to user credentials leak.\n\nAs a result, alterations may be required to the configuration if using TLS.\nThe default ssmtp.conf now contains the lines below to load root certificates\nwhich should be created as ssmtp.conf.rpmnew if it has been altered.\n\n#IMPORTANT: Uncomment the following line if you use TLS authentication\n#TLS_CA_File=/etc/pki/tls/certs/ca-bundle.crt\n","modified":"2026-04-16T04:29:23.345345Z","published":"2013-10-09T22:27:52Z","references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2013-0296.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=11148"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114906.html"}],"affected":[{"package":{"name":"ssmtp","ecosystem":"Mageia:2","purl":"pkg:rpm/mageia/ssmtp?arch=source&distro=mageia-2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.64-5.3.mga2"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0296.json"}},{"package":{"name":"ssmtp","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/ssmtp?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.64-8.3.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2013-0296.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}