LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: fetchmail vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Gaetan Leurent discovered a vulnerability in the APOP protocol based on MD5 collisions. As fetchmail supports the APOP protocol, this vulnerability can be used by attackers to discover a portion of the APOP user's authentication credentials.
=========================================================== 
Ubuntu Security Notice USN-520-1         September 26, 2007
fetchmail vulnerabilities
CVE-2007-1558, CVE-2007-4565
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  fetchmail                       6.3.2-2ubuntu2.2

Ubuntu 6.10:
  fetchmail                       6.3.4-1ubuntu4.2

Ubuntu 7.04:
  fetchmail                       6.3.6-1ubuntu2.1

In general, a standard system upgrade is sufficient to affect the
necessary changes.

Details follow:

Gaetan Leurent discovered a vulnerability in the APOP protocol based
on MD5 collisions. As fetchmail supports the APOP protocol, this
vulnerability can be used by attackers to discover a portion of the APOP
user's authentication credentials. (CVE-2007-1558)

Earl Chew discovered that fetchmail can be made to de-reference a NULL
pointer when contacting SMTP servers. This vulnerability can be used
by attackers who control the SMTP server to crash fetchmail and cause
a denial of service. (CVE-2007-4565)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2.diff.gz
      Size/MD5:   190508 b6f34c90edfb5be3fa625572e440d46f
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2.dsc
      Size/MD5:      766 b0ee07dc6149dff8fcabf8e3806fb14c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
      Size/MD5:  1522264 a661735496077232acedb82a901fa499

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.2_all.deb
      Size/MD5:   114918 183fcecaabaa9fd0dc78f5fa0cf66899

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_amd64.deb
      Size/MD5:   346852 0562c7d3159da530a247492eb4c83c17

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_i386.deb
      Size/MD5:   333422 1d96517ee7118ddb6c154b42f20282c3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_powerpc.deb
      Size/MD5:   345546 1ab1bc976af5e02880ccfeb277a1e3ab

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.2_sparc.deb
      Size/MD5:   339632 5eae85ff0d41ca36030c985d828cc1b9

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2.diff.gz
      Size/MD5:    54883 9f96afa7114c4ff7d83d52ddff3a7734
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2.dsc
      Size/MD5:      765 5896f0d44a778f5aa234e5645fde1d1c
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4.orig.tar.gz
      Size/MD5:  1313880 023a27d8281e5362323dec3e1ccca1c8

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.4-1ubuntu4.2_all.deb
      Size/MD5:    60460 60c7b0de630485e35a5ab49c14ab5dc3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_amd64.deb
      Size/MD5:   350904 da444d4475fae7453552a5112124912d

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_i386.deb
      Size/MD5:   341816 5367a81a858f9c590c4a4947f1a45983

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_powerpc.deb
      Size/MD5:   350320 d82081bf97a28bc745a5342cfba46988

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.4-1ubuntu4.2_sparc.deb
      Size/MD5:   345394 745ec98c5d2dec4bf6d630650798e92a

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1.diff.gz
      Size/MD5:    56402 05af2c1bb84df24da58935e51d7b6002
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1.dsc
      Size/MD5:      966 8dee518a1b9c90ff5bd5f3eb6a007c1d
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
      Size/MD5:  1680200 04175459cdf32fdb10d9e8fc46b633c3

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.6-1ubuntu2.1_all.deb
      Size/MD5:    63826 dd31c4c75cd18947cc49ae649ac8717f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_amd64.deb
      Size/MD5:   376182 19d7655fafa90d200b5defae11de58ac

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_i386.deb
      Size/MD5:   365590 a54d1d43f960ae118a4dee6b3aba4a42

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_powerpc.deb
      Size/MD5:   377260 eb1373f300d8ea78b944bb788d9ca6dd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.6-1ubuntu2.1_sparc.deb
      Size/MD5:   370316 9211fd7fb44b2f3d620958b42d3ddaf7


 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.