Mandriva: 2013:037: fetchmail
Posted by Benjamin D. Thomas   
Mandrake Multiple vulnerabilities has been found and corrected in fetchmail: Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, [More...]
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:037
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : fetchmail
 Date    : April 5, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in fetchmail:
 
 Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
 contains a switch to disable a countermeasure against certain attacks
 against block ciphers that permit guessing the initialization vectors,
 providing that an attacker can make the application (fetchmail) encrypt
 some data for him -- which is not easily the case (aka a BEAST attack)
 (CVE-2011-3389).
 
 A denial of service flaw was found in the way Fetchmail, a remote mail
 retrieval and forwarding utility, performed base64 decoding of certain
 NTLM server responses. Upon sending the NTLM authentication request,
 Fetchmail did not check if the received response was actually part
 of NTLM protocol exchange, or server-side error message and session
 abort. A rogue NTML server could use this flaw to cause fetchmail
 executable crash (CVE-2012-3482).
 
 This advisory provides the latest version of fetchmail (6.3.22)
 which is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
 http://www.fetchmail.info/fetchmail-SA-2012-01.txt
 http://www.fetchmail.info/fetchmail-SA-2012-02.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 c30dacec397667ad6058f3800f3aca2c  mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm
 bed6bf2974ebcb9ac9c8f5e2c2ee310b  mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm
 1750ed3c0d237c7ac4fcf6b98a7b1b21  mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm 
 dbd678a792ee058801ec35c7f99096a4  mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________