lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon Nov  7 22:26:36 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-215-1] fetchmailconf vulnerability

===========================================================
Ubuntu Security Notice USN-215-1	  November 07, 2005
fetchmail vulnerability
CVE-2005-3088
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

fetchmailconf

The problem can be corrected by upgrading the affected package to
version 6.2.5-8ubuntu2.2 (for Ubuntu 4.10), 6.2.5-12ubuntu1.2 (for
Ubuntu 5.04), or 6.2.5-13ubuntu3.1 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. The output configuration file was initially
created with insecure permissions, and secure permissions were applied
after writing the configuration into the file. During this time, the
file was world readable on a standard system (unless the user manually
tightened his umask setting), which could expose email passwords to
local users.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2.diff.gz
      Size/MD5:   136476 6065936c288a0b5ce3e241fc3cf98e29
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2.dsc
      Size/MD5:      639 c711ee2923a6a4f31ed4fe684890061c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-8ubuntu2.2_all.deb
      Size/MD5:   101584 5c4d3bd84b6a6f404dbb54cc0be4cbd6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_amd64.deb
      Size/MD5:   555668 9a1de14c3323d91e24ec1108e05d6a99

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_i386.deb
      Size/MD5:   546280 7472cd0c9bfd7720a35af726865d23d3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_powerpc.deb
      Size/MD5:   556084 58ea16a77d08f2fbd721ecdae122539a

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2.diff.gz
      Size/MD5:   150532 5407f7b7f814dbcb9d0c6c28d01f70f8
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2.dsc
      Size/MD5:      656 f1a4cab136fc5d2455d5ddec6dfb3e2a
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-12ubuntu1.2_all.deb
      Size/MD5:    42350 90a3bb16d09d454321014010b4e6b4da
    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-12ubuntu1.2_all.deb
      Size/MD5:   101404 36148260f291326228eaff1185b7133c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_amd64.deb
      Size/MD5:   296894 501b55647d5a7b527d1b11fa8454d7ed

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_i386.deb
      Size/MD5:   286176 5e35d166c8a76ba3b20af6d33a2f5dd4

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_powerpc.deb
      Size/MD5:   296206 c4c08a4fef2ccb91dd92407f9d714f83

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1.diff.gz
      Size/MD5:   130825 fc5ccdf6aaa875444f0852a62751f394
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1.dsc
      Size/MD5:      830 4374876640b93de50c1ab3260ea57e46
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-13ubuntu3.1_all.deb
      Size/MD5:    42852 da929363e6e3801da2801f32f0c6a2be
    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-13ubuntu3.1_all.deb
      Size/MD5:   101896 492477d857965f8d407b7c08de72380e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_amd64.deb
      Size/MD5:   299390 da9c9b6ee9b0e2bb066e5b192a712e36

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_i386.deb
      Size/MD5:   286168 a9dc5d11bd82299bf2ed67698bf54ca3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_powerpc.deb
      Size/MD5:   297094 b5a21f405eb3aa4f0cc94f5f7280710e
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051107/57869b5c/attachment.bin

Powered by blists - more mailing lists