[FLSA-2006:164512] Updated fetchmail packages fix security issues

Marc Deslauriers marcdeslauriers at videotron.ca
Sat May 13 00:55:22 UTC 2006


---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated fetchmail packages fix security issues
Advisory ID:       FLSA:164512
Issue date:        2006-05-12
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2003-0792 CVE-2005-2335 CVE-2005-3088
                   CVE-2005-4348
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated fetchmail packages that fix security flaws are now available.

Fetchmail is a remote mail retrieval and forwarding utility.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way fetchmail allocates memory for long lines. A
remote attacker could cause a denial of service by sending a specially-
crafted email. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2003-0792 to this issue.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could cause send a carefully crafted message UID and cause
fetchmail to crash or potentially execute arbitrary code as the user
running fetchmail. The Common Vulnerabilities and Exposures project
assigned the name CVE-2005-2335 to this issue.

A bug was found in the way the fetchmailconf utility program writes
configuration files. The default behavior of fetchmailconf is to write a
configuration file which may be world readable for a short period of
time. This configuration file could provide passwords to a local
malicious attacker within the short window before fetchmailconf sets
secure permissions. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3088 to this issue.

A bug was found when fetchmail is running in multidrop mode. A malicious
mail server can cause a denial of service by sending a message without
headers. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-4348 to this issue.

Users of fetchmail should update to this erratum package which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/fetchmail-6.2.5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/fetchmail-6.2.5-2.2.legacy.i386.rpm


7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

8b49bca60dc8bcbba7634b8e0559c82fbeef3db5
redhat/7.3/updates/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
9c9c861757b4b8b2866f1d0e91dbc16d5037d956
redhat/7.3/updates/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm
9cca4f274cb21928d459ed25883e5d3c1f758f10
redhat/7.3/updates/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm
0fd22e51f83aab97d8c1790ed95423882f01aa9b
redhat/9/updates/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm
7d2eb582d0aba96e07710eb89cd8c4c41c4530d3
redhat/9/updates/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm
5df158a0ba6bb0c323a75464e04b11e246dd8f98
fedora/1/updates/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm
927ed2783b8b4a29d0669e7936c1d27fd05564eb
fedora/1/updates/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm
418f533e86f4c04a5fc41235b0618db470a63471
fedora/2/updates/i386/fetchmail-6.2.5-2.2.legacy.i386.rpm
d5a948f76f51032c05ab44b0ca7e47e36f7e4042
fedora/2/updates/SRPMS/fetchmail-6.2.5-2.2.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348

9. Contact:

The Fedora Legacy security contact is <secnotice at fedoralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20060512/eeb356fc/attachment.sig>


More information about the fedora-legacy-list mailing list