USN-520-1: fetchmail vulnerabilities
Posted on: 09/26/2007 03:55 AM

A new fetchmail vulnerabilities update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-520-1 September 26, 2007
fetchmail vulnerabilities
CVE-2007-1558, CVE-2007-4565
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
fetchmail 6.3.2-2ubuntu2.2

Ubuntu 6.10:
fetchmail 6.3.4-1ubuntu4.2

Ubuntu 7.04:
fetchmail 6.3.6-1ubuntu2.1

In general, a standard system upgrade is sufficient to affect the
necessary changes.

Details follow:

Gaetan Leurent discovered a vulnerability in the APOP protocol based
on MD5 collisions. As fetchmail supports the APOP protocol, this
vulnerability can be used by attackers to discover a portion of the APOP
user's authentication credentials. (CVE-2007-1558)

Earl Chew discovered that fetchmail can be made to de-reference a NULL
pointer when contacting SMTP servers. This vulnerability can be used
by attackers who control the SMTP server to crash fetchmail and cause
a denial of service. (CVE-2007-4565)


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2.diff.gz
Size/MD5: 190508 b6f34c90edfb5be3fa625572e440d46f
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2.dsc
Size/MD5: 766 b0ee07dc6149dff8fcabf8e3806fb14c
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
=2Eorig.tar.gz
Size/MD5: 1522264 a661735496077232acedb82a901fa499

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.3.2-2ubuntu2.2_all.deb
Size/MD5: 114918 183fcecaabaa9fd0dc78f5fa0cf66899

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2_amd64.deb
Size/MD5: 346852 0562c7d3159da530a247492eb4c83c17

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2_i386.deb
Size/MD5: 333422 1d96517ee7118ddb6c154b42f20282c3

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2_powerpc.deb
Size/MD5: 345546 1ab1bc976af5e02880ccfeb277a1e3ab

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2=
-2ubuntu2.2_sparc.deb
Size/MD5: 339632 5eae85ff0d41ca36030c985d828cc1b9

Updated packages for Ubuntu 6.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2.diff.gz
Size/MD5: 54883 9f96afa7114c4ff7d83d52ddff3a7734
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2.dsc
Size/MD5: 765 5896f0d44a778f5aa234e5645fde1d1c
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
=2Eorig.tar.gz
Size/MD5: 1313880 023a27d8281e5362323dec3e1ccca1c8

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.3.4-1ubuntu4.2_all.deb
Size/MD5: 60460 60c7b0de630485e35a5ab49c14ab5dc3

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2_amd64.deb
Size/MD5: 350904 da444d4475fae7453552a5112124912d

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2_i386.deb
Size/MD5: 341816 5367a81a858f9c590c4a4947f1a45983

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2_powerpc.deb
Size/MD5: 350320 d82081bf97a28bc745a5342cfba46988

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4=
-1ubuntu4.2_sparc.deb
Size/MD5: 345394 745ec98c5d2dec4bf6d630650798e92a

Updated packages for Ubuntu 7.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1.diff.gz
Size/MD5: 56402 05af2c1bb84df24da58935e51d7b6002
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1.dsc
Size/MD5: 966 8dee518a1b9c90ff5bd5f3eb6a007c1d
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
=2Eorig.tar.gz
Size/MD5: 1680200 04175459cdf32fdb10d9e8fc46b633c3

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailco=
nf_6.3.6-1ubuntu2.1_all.deb
Size/MD5: 63826 dd31c4c75cd18947cc49ae649ac8717f

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1_amd64.deb
Size/MD5: 376182 19d7655fafa90d200b5defae11de58ac

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1_i386.deb
Size/MD5: 365590 a54d1d43f960ae118a4dee6b3aba4a42

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1_powerpc.deb
Size/MD5: 377260 eb1373f300d8ea78b944bb788d9ca6dd

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6=
-1ubuntu2.1_sparc.deb
Size/MD5: 370316 9211fd7fb44b2f3d620958b42d3ddaf7


--uwB7x3tnyrZQfZJI
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG+cCxH/9LqRcGPm0RAo++AKCdF07kn9cF3p0kGZgupNqU18NbNgCeMAvx
Pc3TKVRMFhtHJ05CMRCtWZQ=
=LFP5
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_520_1_fetchmail_vulnerabilities.html)