Message-Id: <E1MbKEr-00089w-RK@titan.mandriva.com>
Date: Wed, 12 Aug 2009 22:16:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:201 ] fetchmail


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:201
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : fetchmail
 Date    : August 12, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in fetchmail:
 
 socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
 character in a domain name in the subject's Common Name (CN) field
 of an X.509 certificate, which allows man-in-the-middle attackers
 to spoof arbitrary SSL servers via a crafted certificate issued by a
 legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2009-2666).
 
 This update provides a solution to this vulnerability.
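 The defect described above, as an added illustration that is not fetchmail's
 own code: an X.509 CommonName is a length-prefixed ASN.1 string and may contain
 a '\0' byte, but a C-string comparison stops at that byte. The sample CN bytes,
 the host name and the function names below are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not fetchmail's code. It models the defect behind
 * CVE-2009-2666: the CN handed back by the certificate parser carries an
 * explicit length, yet a NUL-terminated comparison ends at the first '\0'. */

/* Constructed samples: CN bytes as a DER parser would return them (invented). */
static const unsigned char kHonestCN[]  = "mail.example.org";
static const unsigned char kCraftedCN[] = "mail.example.org\0.example.net";

/* Case-insensitive compare of exactly n bytes (ASCII only). */
static int ieq_n(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Vulnerable pattern: the CN is treated as a NUL-terminated string, so the
 * ASN.1 length is ignored and the comparison ends at the embedded '\0'. */
int cn_matches_host_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;
    size_t n = strlen((const char *)cn);
    return n == strlen(host) && ieq_n(cn, host, n);
}

/* Hardened pattern, the same idea as the check in the fixed fetchmail:
 * a CN whose ASN.1 length disagrees with strlen() contains an embedded NUL,
 * and such a certificate is rejected outright before any name comparison. */
int cn_matches_host_checked(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (strlen((const char *)cn) != cn_len)   /* embedded NUL: bad certificate */
        return 0;
    if (cn_len != strlen(host))
        return 0;
    return ieq_n(cn, host, cn_len);
}

int main(void)
{
    const char *h = "mail.example.org";
    printf("naive=%d checked=%d\n", cn_matches_host_naive(kCraftedCN, sizeof kCraftedCN - 1, h),
           cn_matches_host_checked(kCraftedCN, sizeof kCraftedCN - 1, h));
    return 0;
}
```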
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
