USN-215-1: fetchmailconf vulnerability
Posted on: 11/09/2005 03:58 PM

A fetchmailconf security update is available for Ubuntu Linux:

Ubuntu Security Notice USN-215-1 November 07, 2005
fetchmail vulnerability CVE-2005-3088

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

fetchmailconf

The problem can be corrected by upgrading the affected package to version 6.2.5-8ubuntu2.2 (for Ubuntu 4.10), 6.2.5-12ubuntu1.2 (for Ubuntu 5.04), or 6.2.5-13ubuntu3.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. The output configuration file was initially
created with insecure permissions, and secure permissions were applied
after writing the configuration into the file. During this time, the
file was world readable on a standard system (unless the user manually
tightened his umask setting), which could expose email passwords to
local users.


Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2.diff.gz
Size/MD5: 136476 6065936c288a0b5ce3e241fc3cf98e29
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2.dsc
Size/MD5: 639 c711ee2923a6a4f31ed4fe684890061c
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
Size/MD5: 1257376 9956b30139edaa4f5f77c4d0dbd80225

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-8ubuntu2.2_all.deb
Size/MD5: 101584 5c4d3bd84b6a6f404dbb54cc0be4cbd6

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_amd64.deb
Size/MD5: 555668 9a1de14c3323d91e24ec1108e05d6a99

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_i386.deb
Size/MD5: 546280 7472cd0c9bfd7720a35af726865d23d3

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.2_powerpc.deb
Size/MD5: 556084 58ea16a77d08f2fbd721ecdae122539a

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2.diff.gz
Size/MD5: 150532 5407f7b7f814dbcb9d0c6c28d01f70f8
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2.dsc
Size/MD5: 656 f1a4cab136fc5d2455d5ddec6dfb3e2a
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
Size/MD5: 1257376 9956b30139edaa4f5f77c4d0dbd80225

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-12ubuntu1.2_all.deb
Size/MD5: 42350 90a3bb16d09d454321014010b4e6b4da
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-12ubuntu1.2_all.deb
Size/MD5: 101404 36148260f291326228eaff1185b7133c

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_amd64.deb
Size/MD5: 296894 501b55647d5a7b527d1b11fa8454d7ed

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_i386.deb
Size/MD5: 286176 5e35d166c8a76ba3b20af6d33a2f5dd4

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.2_powerpc.deb
Size/MD5: 296206 c4c08a4fef2ccb91dd92407f9d714f83

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1.diff.gz
Size/MD5: 130825 fc5ccdf6aaa875444f0852a62751f394
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1.dsc
Size/MD5: 830 4374876640b93de50c1ab3260ea57e46
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
Size/MD5: 1257376 9956b30139edaa4f5f77c4d0dbd80225

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-13ubuntu3.1_all.deb
Size/MD5: 42852 da929363e6e3801da2801f32f0c6a2be
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-13ubuntu3.1_all.deb
Size/MD5: 101896 492477d857965f8d407b7c08de72380e

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_amd64.deb
Size/MD5: 299390 da9c9b6ee9b0e2bb066e5b192a712e36

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_i386.deb
Size/MD5: 286168 a9dc5d11bd82299bf2ed67698bf54ca3

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.1_powerpc.deb
Size/MD5: 297094 b5a21f405eb3aa4f0cc94f5f7280710e


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_215_1_fetchmailconf_vulnerability.html)