lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070926021513.GV22678@outflux.net>
Date: Tue, 25 Sep 2007 19:15:13 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-520-1] fetchmail vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-520-1         September 26, 2007
fetchmail vulnerabilities
CVE-2007-1558, CVE-2007-4565
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  fetchmail                       6.3.2-2ubuntu2.2

Ubuntu 6.10:
  fetchmail                       6.3.4-1ubuntu4.2

Ubuntu 7.04:
  fetchmail                       6.3.6-1ubuntu2.1

In general, a standard system upgrade is sufficient to affect the
necessary changes.

Details follow:

Gaetan Leurent discovered a vulnerability in the APOP protocol based
on MD5 collisions. As fetchmail supports the APOP protocol, this
vulnerability can be used by attackers to discover a portion of the APOP
user's authentication credentials. (CVE-2007-1558)

Earl Chew discovered that fetchmail can be made to de-reference a NULL
pointer when contacting SMTP servers. This vulnerability can be used
by attackers who control the SMTP server to crash fetchmail and cause
a denial of service. (CVE-2007-4565)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2.diff.gz
      Size/MD5:   190508 b6f34c90edfb5be3fa625572e440d46f
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2.dsc
      Size/MD5:      766 b0ee07dc6149dff8fcabf8e3806fb14c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
      Size/MD5:  1522264 a661735496077232acedb82a901fa499

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.2_all.deb
      Size/MD5:   114918 183fcecaabaa9fd0dc78f5fa0cf66899

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_amd64.deb
      Size/MD5:   346852 0562c7d3159da530a247492eb4c83c17

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_i386.deb
      Size/MD5:   333422 1d96517ee7118ddb6c154b42f20282c3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_powerpc.deb
      Size/MD5:   345546 1ab1bc976af5e02880ccfeb277a1e3ab

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_sparc.deb
      Size/MD5:   339632 5eae85ff0d41ca36030c985d828cc1b9

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2.diff.gz
      Size/MD5:    54883 9f96afa7114c4ff7d83d52ddff3a7734
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2.dsc
      Size/MD5:      765 5896f0d44a778f5aa234e5645fde1d1c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4.orig.tar.gz
      Size/MD5:  1313880 023a27d8281e5362323dec3e1ccca1c8

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.4-1ubuntu4.2_all.deb
      Size/MD5:    60460 60c7b0de630485e35a5ab49c14ab5dc3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_amd64.deb
      Size/MD5:   350904 da444d4475fae7453552a5112124912d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_i386.deb
      Size/MD5:   341816 5367a81a858f9c590c4a4947f1a45983

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_powerpc.deb
      Size/MD5:   350320 d82081bf97a28bc745a5342cfba46988

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_sparc.deb
      Size/MD5:   345394 745ec98c5d2dec4bf6d630650798e92a

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1.diff.gz
      Size/MD5:    56402 05af2c1bb84df24da58935e51d7b6002
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1.dsc
      Size/MD5:      966 8dee518a1b9c90ff5bd5f3eb6a007c1d
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
      Size/MD5:  1680200 04175459cdf32fdb10d9e8fc46b633c3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.6-1ubuntu2.1_all.deb
      Size/MD5:    63826 dd31c4c75cd18947cc49ae649ac8717f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_amd64.deb
      Size/MD5:   376182 19d7655fafa90d200b5defae11de58ac

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_i386.deb
      Size/MD5:   365590 a54d1d43f960ae118a4dee6b3aba4a42

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_powerpc.deb
      Size/MD5:   377260 eb1373f300d8ea78b944bb788d9ca6dd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_sparc.deb
      Size/MD5:   370316 9211fd7fb44b2f3d620958b42d3ddaf7


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ