To: [email protected]
Subject: [ MDVSA-2009:201 ] fetchmail
Date: Wed, 12 Aug 2009 22:16:01 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1MbKEr-00089s-MQ@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:201
http://www.mandriva.com/security/
_______________________________________________________________________
Package : fetchmail
Date : August 12, 2009
Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in fetchmail:
socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
character in a domain name in the subject's Common Name (CN) field
of an X.509 certificate, which allows man-in-the-middle attackers
to spoof arbitrary SSL servers via a crafted certificate issued by a
legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-2666).
This update provides a solution to this vulnerability.
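The defect class described above is easy to reproduce in a few lines: an X.509 Common Name is a length-prefixed ASN.1 string and may contain a NUL byte, but a check that hands the decoded bytes to C string functions stops at that NUL. The following is an added illustration, not fetchmail's socket.c nor the patch shipped in these packages; the certificate bytes are a constructed test vector, and the two comparison functions are hypothetical names. It shows a length-blind comparison next to one that uses the decoded length, so a CN of "www.example.com\0.evil.test" is accepted by the first and rejected by the second.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * A decoded X.509 CN arrives as (pointer, length). C string functions
 * only see the bytes up to the first NUL, so "www.example.com\0.evil.test"
 * looks like "www.example.com" to strcmp even though the real name is
 * 26 bytes long. The hardened check below refuses any CN whose decoded
 * length disagrees with its C-string view.
 */

/* Length-blind check: the vulnerable pattern (example, not fetchmail code). */
int cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *expected)
{
    (void)cn_len;                               /* decoded length is ignored */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened check: reject embedded NUL, then compare the full byte range. */
int cn_matches_hardened(const unsigned char *cn, size_t cn_len, const char *expected)
{
    /* Any NUL inside the decoded bytes means the CN was crafted. */
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;
    /* Lengths must agree before a byte-wise comparison means anything. */
    if (cn_len != strlen(expected))
        return 0;
    return memcmp(cn, expected, cn_len) == 0;
}

/* Constructed test vector: 26 decoded bytes, but only 15 visible to strcmp. */
static const unsigned char crafted_cn[] = "www.example.com\0.evil.test";
static const size_t crafted_cn_len = sizeof(crafted_cn) - 1;  /* drop the C terminator */

/* A legitimate CN for the same host, 15 bytes with no embedded NUL. */
static const unsigned char legit_cn[] = "www.example.com";
static const size_t legit_cn_len = sizeof(legit_cn) - 1;

static const char *expected_host = "www.example.com";

/* Helpers returning the three outcomes the example demonstrates. */
int demo_naive_accepts_crafted(void)
{
    return cn_matches_naive(crafted_cn, crafted_cn_len, expected_host);     /* 1: spoof accepted */
}

int demo_hardened_accepts_crafted(void)
{
    return cn_matches_hardened(crafted_cn, crafted_cn_len, expected_host);  /* 0: rejected */
}

int demo_hardened_accepts_legit(void)
{
    return cn_matches_hardened(legit_cn, legit_cn_len, expected_host);      /* 1: genuine cert ok */
}

int main(void)
{
    printf("naive check, crafted CN:    %d\n", demo_naive_accepts_crafted());
    printf("hardened check, crafted CN: %d\n", demo_hardened_accepts_crafted());
    printf("hardened check, legit CN:   %d\n", demo_hardened_accepts_legit());
    return 0;
}
```

The point for anyone reviewing similar code: whenever a name is extracted from a certificate through an API that returns a length, that length is the authoritative size of the value, and a mismatch between it and strlen() on the same buffer is itself a reason to fail verification.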
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.1:
fc0d6023667f27d8af4b3a016f3f45c3 2008.1/i586/fetchmail-6.3.8-7.2mdv2008.1.i586.rpm
283af95440b29e164c0e067ab8cda9f6 2008.1/i586/fetchmailconf-6.3.8-7.2mdv2008.1.i586.rpm
9a57ee9d58bbb701721386850835e3cd 2008.1/i586/fetchmail-daemon-6.3.8-7.2mdv2008.1.i586.rpm
ae283a656063b3775dea3bba3fcd2e2e 2008.1/SRPMS/fetchmail-6.3.8-7.2mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
1a0e79540df37a5f9efa0bec42c62805 2008.1/x86_64/fetchmail-6.3.8-7.2mdv2008.1.x86_64.rpm
332ff34caeb4587367564b6b330bc6e4 2008.1/x86_64/fetchmailconf-6.3.8-7.2mdv2008.1.x86_64.rpm
5bffe9a0d2da5df6d23b6a17af1296b1 2008.1/x86_64/fetchmail-daemon-6.3.8-7.2mdv2008.1.x86_64.rpm
ae283a656063b3775dea3bba3fcd2e2e 2008.1/SRPMS/fetchmail-6.3.8-7.2mdv2008.1.src.rpm
Mandriva Linux 2009.0:
0e428279bf334dfe85c63ed25d8b3107 2009.0/i586/fetchmail-6.3.8-8.1mdv2009.0.i586.rpm
934c48761c1f7c9346ef6b77b809373c 2009.0/i586/fetchmailconf-6.3.8-8.1mdv2009.0.i586.rpm
702cecfcb0a901d8be9efd41d1c72093 2009.0/i586/fetchmail-daemon-6.3.8-8.1mdv2009.0.i586.rpm
3815db62ac4fed4c0dfdd62d7f55faad 2009.0/SRPMS/fetchmail-6.3.8-8.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
4bf00d7233d33c3fc5b796a46b759f43 2009.0/x86_64/fetchmail-6.3.8-8.1mdv2009.0.x86_64.rpm
44ac784cb13d21d5aeb1fe6bc18d4314 2009.0/x86_64/fetchmailconf-6.3.8-8.1mdv2009.0.x86_64.rpm
5dc1208126ed2eecccafb8ee766c4b34 2009.0/x86_64/fetchmail-daemon-6.3.8-8.1mdv2009.0.x86_64.rpm
3815db62ac4fed4c0dfdd62d7f55faad 2009.0/SRPMS/fetchmail-6.3.8-8.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
c29b9d8ed2c1f389ea0e7b14d9112e40 2009.1/i586/fetchmail-6.3.9-1.1mdv2009.1.i586.rpm
fe9c24396112b32f190e72e1ecbcb616 2009.1/i586/fetchmailconf-6.3.9-1.1mdv2009.1.i586.rpm
878a6e3369a1bd540ace6a646e343e2b 2009.1/i586/fetchmail-daemon-6.3.9-1.1mdv2009.1.i586.rpm
f976873519ff6ce77d58814988e589c7 2009.1/SRPMS/fetchmail-6.3.9-1.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
9d466fd1c5e560b04de4cfa17a0555e7 2009.1/x86_64/fetchmail-6.3.9-1.1mdv2009.1.x86_64.rpm
32044f61f34ebe3c85c562820d079fb6 2009.1/x86_64/fetchmailconf-6.3.9-1.1mdv2009.1.x86_64.rpm
9c39d74650b99cddaee5bf2963efa5b4 2009.1/x86_64/fetchmail-daemon-6.3.9-1.1mdv2009.1.x86_64.rpm
f976873519ff6ce77d58814988e589c7 2009.1/SRPMS/fetchmail-6.3.9-1.1mdv2009.1.src.rpm
Corporate 3.0:
81c21054df257729342c1c2482b49561 corporate/3.0/i586/fetchmail-6.2.5-3.8.C30mdk.i586.rpm
175c8bbbe91f06e139d919350809c3eb corporate/3.0/i586/fetchmailconf-6.2.5-3.8.C30mdk.i586.rpm
fb333b7523f82e0be6883edeb1969373 corporate/3.0/i586/fetchmail-daemon-6.2.5-3.8.C30mdk.i586.rpm
d23b19850a57b6ce9bc784a3eea14719 corporate/3.0/SRPMS/fetchmail-6.2.5-3.8.C30mdk.src.rpm
Corporate 3.0/X86_64:
10b10cdd7d5aa881a0b5e84c4590500d corporate/3.0/x86_64/fetchmail-6.2.5-3.8.C30mdk.x86_64.rpm
ce8d21859e640639b8ff20e15dd8ab41 corporate/3.0/x86_64/fetchmailconf-6.2.5-3.8.C30mdk.x86_64.rpm
0a05886e002ea8af4718df2d55b5d21d corporate/3.0/x86_64/fetchmail-daemon-6.2.5-3.8.C30mdk.x86_64.rpm
d23b19850a57b6ce9bc784a3eea14719 corporate/3.0/SRPMS/fetchmail-6.2.5-3.8.C30mdk.src.rpm
Corporate 4.0:
314fbbd74754d1793da2dc3945d2def4 corporate/4.0/i586/fetchmail-6.2.5-11.7.20060mlcs4.i586.rpm
0467a3805fe33b3b65ba3ab87c08f08d corporate/4.0/i586/fetchmailconf-6.2.5-11.7.20060mlcs4.i586.rpm
4ae72f7fef6a9f3f0d471b30148a1343 corporate/4.0/i586/fetchmail-daemon-6.2.5-11.7.20060mlcs4.i586.rpm
c312a60acc88462068cc009b0a64202d corporate/4.0/SRPMS/fetchmail-6.2.5-11.7.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
4efd52fa2292696aff7558b9960d6818 corporate/4.0/x86_64/fetchmail-6.2.5-11.7.20060mlcs4.x86_64.rpm
63d83fbb6bc4f03312f4281570e9a996 corporate/4.0/x86_64/fetchmailconf-6.2.5-11.7.20060mlcs4.x86_64.rpm
5c59ca83d15643903845fc0cffb50cb4 corporate/4.0/x86_64/fetchmail-daemon-6.2.5-11.7.20060mlcs4.x86_64.rpm
c312a60acc88462068cc009b0a64202d corporate/4.0/SRPMS/fetchmail-6.2.5-11.7.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
a123563848bc2978fcedef3b56217b93 mes5/i586/fetchmail-6.3.8-8.1mdvmes5.i586.rpm
721e88658496bddda0d866f22f2236c6 mes5/i586/fetchmailconf-6.3.8-8.1mdvmes5.i586.rpm
2874c2452d7c91d32145c017dfd0accf mes5/i586/fetchmail-daemon-6.3.8-8.1mdvmes5.i586.rpm
bae980a9b813587c551389692134dcff mes5/SRPMS/fetchmail-6.3.8-8.1mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
d509376c094787132d2e80349f0b8077 mes5/x86_64/fetchmail-6.3.8-8.1mdvmes5.x86_64.rpm
b4fda79b6b9e5f517b5866ddab15daa9 mes5/x86_64/fetchmailconf-6.3.8-8.1mdvmes5.x86_64.rpm
a3394da93cbfc359ed9bfccf20cc50e1 mes5/x86_64/fetchmail-daemon-6.3.8-8.1mdvmes5.x86_64.rpm
bae980a9b813587c551389692134dcff mes5/SRPMS/fetchmail-6.3.8-8.1mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKgvT0mqjQ0CJFipgRAp3tAJ9GOtB4s6Kh2+U5YzMLe9qWarQMEgCfSQwv
xKk5VxxrjYRfmbkZYaBGSd8=
=oais
-----END PGP SIGNATURE-----