imapsync default version check with information leakage

imapsync http://imapsync.lamiral.info/

Title: imapsync default version check with
http://imapsync.lamiral.info information leakage (CVE-2013-4279)

Threat: Availability: no timeout so an attacker simply sends a slow
response
Threat: Confidentiality: connects to http://imapsync.lamiral.info and
sends version # and operating system name and person version

Impact: Moderate (Medium)
CVSS2: 6.4/AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected: imapsync version 1.580 and earlier

Description: By default imapsync runs a "release check" when executed,
this causes imapsync to connect to http://imapsync.lamiral.info and
send information about the version of imapsync, the operating system
and perl.

This feature is not well documented. It is enabled by default. The
only hint it exists is the "--noreleasecheck" which is not documented
anywhere other then running the program with the help option.

Affected code:

sub imapsync_version_public {
    my $local_version = imapsync_version();
        my $imapsync_basename = imapsync_basename();
    my $agent_info = "$OSNAME system, perl "
                . sprintf("%vd", $PERL_VERSION)
        . ", Mail::IMAPClient $Mail::IMAPClient::VERSION"
        . " $imapsync_basename";
    my $sock = IO::Socket::INET->new(
        PeerAddr => 'imapsync.lamiral.info',
        PeerPort => '80',
                Proto => 'tcp'
        ) ;
        return( 'unknown' ) if not $sock ;
    print $sock
        "GET /prj/imapsync/VERSION HTTP/1.0\n",
        "User-Agent: imapsync/$local_version ($agent_info)\n",
        "Host: ks.lamiral.info\n\n";
    my @line = <$sock>;
    close($sock);
        my $last_release = $line[-1];
    chomp($last_release);
    return($last_release);
}

Suggested solution:

1) $releasecheck should be changed to default to 0 (False) and convert
- --noreleasecheck to --releasecheck
2) this feature should use HTTPS to prevent information leakage to
attackers
3) or disable this feature entirely

Workaround:

Make sure you also use --noreleasecheck when running imapsync (maybe
alias the full command?).

Timeline:

2013-Aug-22: notified upstream vendor at gilles.lamiral () laposte net
2014-Jan-16: public release (what can I say, I got busy).

External links:
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1000215

I can also handle notifying all the other vendors no problem via
distros@ list.