LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 21st, 2014
Linux Security Week: April 7th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: fetchmail vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that fetchmail did not correctly require TLS negotiation in certain situations. This would result in a user's unencrypted password being sent across the network.If fetchmail has been configured to use the "sslproto tls1", "sslcertck", or "sslfingerprint" options with a server that does not correctly support TLS negotiation, this update may cause fetchmail to (correctly) abort authentication.
=========================================================== 
Ubuntu Security Notice USN-405-1           January 11, 2007
fetchmail vulnerability
CVE-2006-5867
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  fetchmail                                6.2.5-13ubuntu3.3

Ubuntu 6.06 LTS:
  fetchmail                                6.3.2-2ubuntu2.1

Ubuntu 6.10:
  fetchmail                                6.3.4-1ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that fetchmail did not correctly require TLS 
negotiation in certain situations.  This would result in a user's 
unencrypted password being sent across the network.

If fetchmail has been configured to use the "sslproto tls1", 
"sslcertck", or "sslfingerprint" options with a server that does not 
correctly support TLS negotiation, this update may cause fetchmail to 
(correctly) abort authentication.


Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3.diff.gz
      Size/MD5:   136261 57185837a58d3ad514c6bc4c2b230b74
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3.dsc
      Size/MD5:      830 492f64454fbf955851ef89e7f0e53c81
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-13ubuntu3.3_all.deb
      Size/MD5:    43036 6a77a66efc96d0a88403d0359a2a5112
    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-13ubuntu3.3_all.deb
      Size/MD5:   102122 2c5f8b5d6d626a60524f908316d618dc

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3_amd64.deb
      Size/MD5:   300240 e789b1f9a34c4e635199912c2d916b3b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3_i386.deb
      Size/MD5:   286718 b937c39d14324ff83a00c8fd28c900a5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3_powerpc.deb
      Size/MD5:   297662 7b62818f6db2c6aecefd47a5ec14628e

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.3_sparc.deb
      Size/MD5:   291154 aa7114c992431cf599ae3be87fb5b897

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1.diff.gz
      Size/MD5:   185979 5e8ebca4a911c900d43829fe62ef805c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1.dsc
      Size/MD5:      766 7edfd439359d5a165c06ed1d100f1153
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
      Size/MD5:  1522264 a661735496077232acedb82a901fa499

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.1_all.deb
      Size/MD5:   114724 6460745fd92aa99eee0805b23352297c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1_amd64.deb
      Size/MD5:   346092 b810bc5d0fcf9b387effad1c0e8760a5

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1_i386.deb
      Size/MD5:   332450 71eba23c7e1565b4b93d2c7c11b61b60

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1_powerpc.deb
      Size/MD5:   344830 b4296f610b45ab5a3c7161e1a7cf3ac1

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.1_sparc.deb
      Size/MD5:   338824 c8813e761b034117d1d88803c3474c0a

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1.diff.gz
      Size/MD5:    49974 d00d6feefb5a28806d41f6120ed575ac
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1.dsc
      Size/MD5:      765 d96f92b7d60ff72be06ad66d94de0341
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4.orig.tar.gz
      Size/MD5:  1313880 023a27d8281e5362323dec3e1ccca1c8

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.4-1ubuntu4.1_all.deb
      Size/MD5:    59994 11dcd228b664fb352dad1f5b1e0d859b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1_amd64.deb
      Size/MD5:   350382 ca2dd427a85136b8071ddcd55706ccfd

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1_i386.deb
      Size/MD5:   341088 e89b64411efda4a1ad7148cab8a0d3a9

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1_powerpc.deb
      Size/MD5:   349512 fff474018dd4bf4e87ed4664047bf663

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.1_sparc.deb
      Size/MD5:   344622 291a00bf5b19cd0256d1baf143798f3e


 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Fixing OpenSSL's Heartbleed flaw will take MONTHS, warns Secunia
Even the most secure cloud storage may not be so secure, study finds
Targeted Attack Uses Heartbleed to Hijack VPN Sessions
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.