USN-405-1: fetchmail vulnerability
Posted on: 01/11/2007 11:00 PM

A new fetchmail vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-405-1 January 11, 2007
fetchmail vulnerability
CVE-2006-5867
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
fetchmail 6.2.5-13ubuntu3.3

Ubuntu 6.06 LTS:
fetchmail 6.3.2-2ubuntu2.1

Ubuntu 6.10:
fetchmail 6.3.4-1ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that fetchmail did not correctly require TLS=20
negotiation in certain situations. This would result in a user's=20
unencrypted password being sent across the network.

If fetchmail has been configured to use the "sslproto tls1",=20
"sslcertck", or "sslfingerprint" options with a server that does not=20
correctly support TLS negotiation, this update may cause fetchmail to=20
(correctly) abort authentication.


Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3.diff.gz
Size/MD5: 136261 57185837a58d3ad514c6bc4c2b230b74
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3.dsc
Size/MD5: 830 492f64454fbf955851ef89e7f0e53c81
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
=2Eorig.tar.gz
Size/MD5: 1257376 9956b30139edaa4f5f77c4d0dbd80225

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-s=
sl_6.2.5-13ubuntu3.3_all.deb
Size/MD5: 43036 6a77a66efc96d0a88403d0359a2a5112
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.2.5-13ubuntu3.3_all.deb
Size/MD5: 102122 2c5f8b5d6d626a60524f908316d618dc

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3_amd64.deb
Size/MD5: 300240 e789b1f9a34c4e635199912c2d916b3b

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3_i386.deb
Size/MD5: 286718 b937c39d14324ff83a00c8fd28c900a5

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3_powerpc.deb
Size/MD5: 297662 7b62818f6db2c6aecefd47a5ec14628e

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5=
-13ubuntu3.3_sparc.deb
Size/MD5: 291154 aa7114c992431cf599ae3be87fb5b897

Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1.diff.gz
Size/MD5: 185979 5e8ebca4a911c900d43829fe62ef805c
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1.dsc
Size/MD5: 766 7edfd439359d5a165c06ed1d100f1153
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
=2Eorig.tar.gz
Size/MD5: 1522264 a661735496077232acedb82a901fa499

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.3.2-2ubuntu2.1_all.deb
Size/MD5: 114724 6460745fd92aa99eee0805b23352297c

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1_amd64.deb
Size/MD5: 346092 b810bc5d0fcf9b387effad1c0e8760a5

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1_i386.deb
Size/MD5: 332450 71eba23c7e1565b4b93d2c7c11b61b60

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1_powerpc.deb
Size/MD5: 344830 b4296f610b45ab5a3c7161e1a7cf3ac1

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.1_sparc.deb
Size/MD5: 338824 c8813e761b034117d1d88803c3474c0a

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1.diff.gz
Size/MD5: 49974 d00d6feefb5a28806d41f6120ed575ac
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1.dsc
Size/MD5: 765 d96f92b7d60ff72be06ad66d94de0341
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
=2Eorig.tar.gz
Size/MD5: 1313880 023a27d8281e5362323dec3e1ccca1c8

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.3.4-1ubuntu4.1_all.deb
Size/MD5: 59994 11dcd228b664fb352dad1f5b1e0d859b

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1_amd64.deb
Size/MD5: 350382 ca2dd427a85136b8071ddcd55706ccfd

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1_i386.deb
Size/MD5: 341088 e89b64411efda4a1ad7148cab8a0d3a9

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1_powerpc.deb
Size/MD5: 349512 fff474018dd4bf4e87ed4664047bf663

sparc architecture (Sun SPARC/UltraSPARC)

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.1_sparc.deb
Size/MD5: 344622 291a00bf5b19cd0256d1baf143798f3e


--M0YLxmUXciMpOLPE
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFpqN2H/9LqRcGPm0RAgDKAJ0Txm3hyXvouIZYcRHpXnAYm4ryqgCfeMjy
aWreUTLztwYr2nTqE/YZtAU=
=Szk5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_405_1_fetchmail_vulnerability.html)