LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 21st, 2014
Linux Security Week: April 7th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Updated fetchmail packages fixes fetchmailconf vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program.
 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:209
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : fetchmail
 Date    : November 9, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Thomas Wolff and Miloslav Trmac discovered a race condition in the
 fetchmailconf program.  fetchmailconf would create the initial output
 configuration file with insecure permissions and only after writing
 would it change permissions to be more restrictive.  During that time,
 passwords and other data could be exposed to other users on the system
 unless the user used a more restrictive umask setting.
 
 As well, the Mandriva Linux 2006 packages did not contain the patch
 that corrected the issues fixed in MDKSA-2005:126, namely a buffer
 overflow in fetchmail's POP3 client (CAN-2005-2355).
 
 The updated packages have been patched to address this issue, and the
 Mandriva 2006 packages have also been patched to correct CAN-2005-2355.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2355
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 de0b7fb59640e490441fe4a48d11954d  10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.i586.rpm
 84c6cb9619cb5b4ef74ade674845f51e  10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.i586.rpm
 1f0b8136bcd4caeae75542ff54d78371  10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.i586.rpm
 e9309094431f4983fad035cbc1eb566b  10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 32720e7378b6b85ae3a1287d5ff558e3  x86_64/10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.x86_64.rpm
 c46469b4d83446e861b8db3b54c60f6d  x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.x86_64.rpm
 5ea98645d8fd15f30c7060576d220518  x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.x86_64.rpm
 e9309094431f4983fad035cbc1eb566b  x86_64/10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

 Mandriva Linux 10.2:
 59614bb2b9bd76c93300d3459bd908e8  10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.i586.rpm
 096f60340d1d71ea15290534a5b1cfc9  10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.i586.rpm
 c40c436ab5751c4599caefc8cd28940f  10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.i586.rpm
 1a7299f4d74a9d0aa89ce25871644616  10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 f9290067e4f4e039753d3b6e7eead02d  x86_64/10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.x86_64.rpm
 813f46e3d0d3413b4b4c5122b5ff8bfc  x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.x86_64.rpm
 820953daf6e6c69f58a1e3380cb60369  x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.x86_64.rpm
 1a7299f4d74a9d0aa89ce25871644616  x86_64/10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

 Mandriva Linux 2006.0:
 b11365c74030b1075435ce6c9e0bda88  2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.i586.rpm
 f24c20a001b8df396355bae70166c051  2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.i586.rpm
 0d86053a3e69cd9bbf772664eec6236c  2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.i586.rpm
 5781cf14f33e52da296bb4b89f811812  2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 dd6f3321e9ff2f6b767c9c2940c0379a  x86_64/2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.x86_64.rpm
 4400d9a3f5e6489bfd40c3185d98970a  x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.x86_64.rpm
 3b62ae9bcc9fbaa14198b898774b7cec  x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.x86_64.rpm
 5781cf14f33e52da296bb4b89f811812  x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

 Corporate Server 2.1:
 ce7a54747ca8339473335f6b588bc5ce  corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.i586.rpm
 7b44a889fef845ae5db3290dc9b866c9  corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.i586.rpm
 73d527b67a4854fcf9fe9e8b27232fbe  corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.i586.rpm
 2a20268d079b94fbadafd29c3253504f  corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 173c6aeda81987ac1820ea7865ca1942  x86_64/corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.x86_64.rpm
 9624c2cf97df1588c14a3048899b571a  x86_64/corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.x86_64.rpm
 e8922f5da70e12576c9feac6d5998913  x86_64/corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.x86_64.rpm
 2a20268d079b94fbadafd29c3253504f  x86_64/corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

 Corporate 3.0:
 03913f6670b6de3b9e1c45e35ae0a186  corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.i586.rpm
 fb46ec776a21f713f6fde14b575d5628  corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.i586.rpm
 ded6e5340284869543be18b5b971be76  corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.i586.rpm
 b54d99d537e7317aa590e6aae57df78b  corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 d4d0d8a6995d5d209a508984b3b0d7d8  x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.x86_64.rpm
 6bf1d33980eb83ec0434a9fbdae1014f  x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.x86_64.rpm
 62db83cb99470473cf1718fc38aaedc6  x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.x86_64.rpm
 b54d99d537e7317aa590e6aae57df78b  x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia
Even the most secure cloud storage may not be so secure, study finds
Targeted Attack Uses Heartbleed to Hijack VPN Sessions
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.