"Ubuntu Security Notice USN-816-1 August 12, 2009
fetchmail vulnerability
CVE-2009-2666
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
fetchmail 6.3.2-2ubuntu2.3
Ubuntu 8.04 LTS:
fetchmail 6.3.8-10ubuntu1.1
Ubuntu 8.10:
fetchmail 6.3.8-11ubuntu3.1
Ubuntu 9.04:
fetchmail 6.3.9~rc2-4ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Moxie Marlinspike discovered that fetchmail did not properly handle
certificates with NULL characters in the certificate name. A remote
attacker could exploit this to perform a man in the middle attack to
view sensitive information or alter encrypted communications.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.diff.gz
Size/MD5: 191107 9d0c089074ea79db248cca36714e56cd
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.dsc
Size/MD5: 812 68c7ce726e683390daf0199b2b646865
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
Size/MD5: 1522264 a661735496077232acedb82a901fa499
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.3_all.deb
Size/MD5: 114946 01a751405f08024ed08e0ec1b06b6213
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_amd64.deb
Size/MD5: 347012 32a3fff1c437774c2480646536b9e716
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_i386.deb
Size/MD5: 333650 0eed4e07d723dba7ca14210e80e59c7a
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_powerpc.deb
Size/MD5: 345698 ee714084a44f35a1c7bc9916691ccea2
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_sparc.deb
Size/MD5: 339820 47b3f94dc05000e46489fddd30eea5be
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.diff.gz
Size/MD5: 63885 e305fcae9eb86e0fce57c1e0467db13e
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.dsc
Size/MD5: 1080 49e91c3a8ed18d928a3002279ac61caa
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
Size/MD5: 1691723 1b84621072b4f906b5686a4fbae0b1d7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-10ubuntu1.1_all.deb
Size/MD5: 63906 e40223bb9b433719091d0d9de835cc1e
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_amd64.deb
Size/MD5: 385906 154e459bf59e28a44750bd392ddd2ca9
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_i386.deb
Size/MD5: 373120 dcb601f22e56bf36f2104b359fbc1c9d
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_lpia.deb
Size/MD5: 373342 f1a37e39a5dc46fdeb25ece934faff56
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_powerpc.deb
Size/MD5: 388680 2f669c26bd5093201815241caae577a0
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_sparc.deb
Size/MD5: 377326 b8f0ba3a4ac9513ff931cb9e9ddeed0c
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.diff.gz
Size/MD5: 65008 ae5fa277a18f59b0e2af5119b21cc962
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.dsc
Size/MD5: 1488 c2dbe38ccbcdcb60260fefd9fcc47608
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
Size/MD5: 1691723 1b84621072b4f906b5686a4fbae0b1d7
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-11ubuntu3.1_all.deb
Size/MD5: 64354 2b0529ffa107f1622b7b559dbcea19f3
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_amd64.deb
Size/MD5: 387888 93842d6ea6f4544b58976d6b7329b65c
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_i386.deb
Size/MD5: 373930 968ae9e9dac23d81c6d63eac91590a49
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_lpia.deb
Size/MD5: 373726 a12e3bf5a1b691e2435f8b91b028b3d2
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_powerpc.deb
Size/MD5: 388470 d7da47c31d27d3edbb5c8e2b0b308909
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_sparc.deb
Size/MD5: 380018 b4015f4a8b8e67c1b62231033b736bba
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.diff.gz
Size/MD5: 49605 3bbf57ecf060a6254b71bc73b46c429e
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.dsc
Size/MD5: 1505 3d4d55b89631a10be608739db0488d00
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
Size/MD5: 1711087 200ece6f73ac28ccda7aea42ea4e492d
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.9~rc2-4ubuntu1.1_all.deb
Size/MD5: 64940 68cf588634d7ab15120f0fc73f8cbb73
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_amd64.deb
Size/MD5: 391020 40816e1ae515f598756b55ec23c38cf6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_i386.deb
Size/MD5: 377636 70682ec1fbf0fc1692f83c15bdf593e7
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_lpia.deb
Size/MD5: 377928 986f144b2162feb7664b9f5c39047035
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_powerpc.deb
Size/MD5: 391402 d69de1a36758e6b35d46e7283f555b61
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_sparc.deb
Size/MD5: 384332 eabd08fec6c574ad615e0dd38c0961e6
--54ZiyWcDhi/7bWb8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook
iEYEARECAAYFAkqDSJwACgkQH/9LqRcGPm34VwCbBQkyKwnwuH4lHzt4pY8BkwLs
JN8AoJIzBPS+dXdCpih7fzNrnIYPN3VS
=0uNc
-----END PGP SIGNATURE-----
"
Robbie distracted by Jay KayUSN-799-1: D-Bus vulnerability
This entry was posted
on 9:32 AM
.
Archives
-
▼
2009
(488)
-
▼
August
(32)
- DSA 1875-1: New ikiwiki packages fix information d...
- USN-822-1: KDE-Libs vulnerabilities
- RHSA-2009:1236-01 Critical: java-1.5.0-ibm securit...
- RHSA-2009:1233-01 Important: kernel security update
- USN-825-1: libvorbis vulnerability
- DSA 1874-1: New nss packages fix several vulnerabi...
- DSA 1873-1: New xulrunner packages fix spoofing vu...
- DSA 1871-2: New wordpress packages fix regression
- DSA 1833-2: New dhcp3 packages fix arbitrary code ...
- DSA 1872-1: New Linux 2.6.18 packages fix several ...
- USN-823-1: KDE-Graphics vulnerabilities
- RHSA-2009:1223-02 Important: kernel security update
- RHSA-2009:1222-02 Important: kernel security and b...
- DSA 1871-1: New wordpress packages fix several vul...
- DSA 1867-1: New kdelibs packages fix several vulne...
- GLSA 200908-09 DokuWiki: Local file inclusion
- USN-817-1: Thunderbird vulnerabilities
- USN-809-1: GnuTLS vulnerabilities
- GLSA 200908-08 ISC DHCP: dhcpd Denial of Service
- USN-818-1: curl vulnerability
- GLSA 200908-10 Dillo: User-assisted execution of ...
- RHSA-2009:1218-01 Critical: pidgin security update
- DSA 1865-1: New Linux 2.6.18 packages fix several ...
- DSA 1863-1: New zope2.10/zope2.9 packages fix arbi...
- RHSA-2009:1207-01 Critical: nspr and nss security ...
- USN-815-1: libxml2 vulnerabilities
- DSA 1862-1: New Linux 2.6.26 packages fix privileg...
- RHSA-2009:1209-01 Moderate: curl security update
- USN-816-1: fetchmail vulnerability
- DSA 1857-1: New camlimages packages fix arbitrary ...
- DSA 1856-1: New mantis packages fix information leak
- DSA 1854-1: New APR packages fix arbitrary code ex...
-
▼
August
(32)