BugTraq
[ MDVSA-2013:037 ] fetchmail Apr 05 2013 01:26PM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:037
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : fetchmail
Date : April 5, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in fetchmail:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

This advisory provides the latest version of fetchmail (6.3.22)
which is not vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
c30dacec397667ad6058f3800f3aca2c mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm
bed6bf2974ebcb9ac9c8f5e2c2ee310b mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm
1750ed3c0d237c7ac4fcf6b98a7b1b21 mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm
dbd678a792ee058801ec35c7f99096a4 mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRXqbdmqjQ0CJFipgRAogSAJ9P6bArt4G6h+nJ1sHhiZU+ek34IACeNNI7
lBFyD6n3zwBDXPHiHKCUh0Q=
=4YuR
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus