| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <E1UO6eW-0004ij-FR@titan.mandriva.com> Date: Fri, 05 Apr 2013 15:26:00 +0200 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2013:037 ] fetchmail -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:037 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : fetchmail Date : April 5, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in fetchmail: Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case (aka a BEAST attack) (CVE-2011-3389). A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of NTLM protocol exchange, or server-side error message and session abort. A rogue NTML server could use this flaw to cause fetchmail executable crash (CVE-2012-3482). This advisory provides the latest version of fetchmail (6.3.22) which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482 http://www.fetchmail.info/fetchmail-SA-2012-01.txt http://www.fetchmail.info/fetchmail-SA-2012-02.txt _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: c30dacec397667ad6058f3800f3aca2c mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm bed6bf2974ebcb9ac9c8f5e2c2ee310b mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm 1750ed3c0d237c7ac4fcf6b98a7b1b21 mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm dbd678a792ee058801ec35c7f99096a4 mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRXqbdmqjQ0CJFipgRAogSAJ9P6bArt4G6h+nJ1sHhiZU+ek34IACeNNI7 lBFyD6n3zwBDXPHiHKCUh0Q= =4YuR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists