MDKSA-2005:209 - Updated fetchmail packages fixes fetchmailconf vulnerability
Posted on: 11/10/2005 04:12 AM

The Mandriva Security Team published a new security update: MDKSA-2005:209 - Updated fetchmail packages fixes fetchmailconf vulnerability for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2005:209
http://www.mandriva.com/security/
_______________________________________________________________________

Package : fetchmail
Date : November 9, 2005
Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
_______________________________________________________________________

Problem Description:

Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. fetchmailconf would create the initial output
configuration file with insecure permissions and only after writing
would it change permissions to be more restrictive. During that time,
passwords and other data could be exposed to other users on the system
unless the user used a more restrictive umask setting.

As well, the Mandriva Linux 2006 packages did not contain the patch
that corrected the issues fixed in MDKSA-2005:126, namely a buffer
overflow in fetchmail's POP3 client (CAN-2005-2355).

The updated packages have been patched to address this issue, and the
Mandriva 2006 packages have also been patched to correct CAN-2005-2355.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2355
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.1:
de0b7fb59640e490441fe4a48d11954d 10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.i586.rpm
84c6cb9619cb5b4ef74ade674845f51e 10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.i586.rpm
1f0b8136bcd4caeae75542ff54d78371 10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.i586.rpm
e9309094431f4983fad035cbc1eb566b 10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

Mandriva Linux 10.1/X86_64:
32720e7378b6b85ae3a1287d5ff558e3 x86_64/10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.x86_64.rpm
c46469b4d83446e861b8db3b54c60f6d x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.x86_64.rpm
5ea98645d8fd15f30c7060576d220518 x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.x86_64.rpm
e9309094431f4983fad035cbc1eb566b x86_64/10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

Mandriva Linux 10.2:
59614bb2b9bd76c93300d3459bd908e8 10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.i586.rpm
096f60340d1d71ea15290534a5b1cfc9 10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.i586.rpm
c40c436ab5751c4599caefc8cd28940f 10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.i586.rpm
1a7299f4d74a9d0aa89ce25871644616 10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
f9290067e4f4e039753d3b6e7eead02d x86_64/10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.x86_64.rpm
813f46e3d0d3413b4b4c5122b5ff8bfc x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.x86_64.rpm
820953daf6e6c69f58a1e3380cb60369 x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.x86_64.rpm
1a7299f4d74a9d0aa89ce25871644616 x86_64/10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

Mandriva Linux 2006.0:
b11365c74030b1075435ce6c9e0bda88 2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.i586.rpm
f24c20a001b8df396355bae70166c051 2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.i586.rpm
0d86053a3e69cd9bbf772664eec6236c 2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.i586.rpm
5781cf14f33e52da296bb4b89f811812 2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
dd6f3321e9ff2f6b767c9c2940c0379a x86_64/2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.x86_64.rpm
4400d9a3f5e6489bfd40c3185d98970a x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.x86_64.rpm
3b62ae9bcc9fbaa14198b898774b7cec x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.x86_64.rpm
5781cf14f33e52da296bb4b89f811812 x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

Corporate Server 2.1:
ce7a54747ca8339473335f6b588bc5ce corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.i586.rpm
7b44a889fef845ae5db3290dc9b866c9 corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.i586.rpm
73d527b67a4854fcf9fe9e8b27232fbe corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.i586.rpm
2a20268d079b94fbadafd29c3253504f corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
173c6aeda81987ac1820ea7865ca1942 x86_64/corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.x86_64.rpm
9624c2cf97df1588c14a3048899b571a x86_64/corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.x86_64.rpm
e8922f5da70e12576c9feac6d5998913 x86_64/corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.x86_64.rpm
2a20268d079b94fbadafd29c3253504f x86_64/corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

Corporate 3.0:
03913f6670b6de3b9e1c45e35ae0a186 corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.i586.rpm
fb46ec776a21f713f6fde14b575d5628 corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.i586.rpm
ded6e5340284869543be18b5b971be76 corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.i586.rpm
b54d99d537e7317aa590e6aae57df78b corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
d4d0d8a6995d5d209a508984b3b0d7d8 x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.x86_64.rpm
6bf1d33980eb83ec0434a9fbdae1014f x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.x86_64.rpm
62db83cb99470473cf1718fc38aaedc6 x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.x86_64.rpm
b54d99d537e7317aa590e6aae57df78b x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDcnQPmqjQ0CJFipgRAk6dAJ9GH/E98V/wHxCv2SufVnNDGJhHMQCfUpeJ
douSyj4gSpEu6e2KCnT8tHk=
=Gpyr
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/_mdksa_2005209__updated_fetchmail_packages_fixes_fetchmailconf_vulnerability.html)