USN-816-1: fetchmail vulnerability  

Posted by Daniela Mehler

"Ubuntu Security Notice USN-816-1 August 12, 2009
fetchmail vulnerability
CVE-2009-2666
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
fetchmail 6.3.2-2ubuntu2.3

Ubuntu 8.04 LTS:
fetchmail 6.3.8-10ubuntu1.1

Ubuntu 8.10:
fetchmail 6.3.8-11ubuntu3.1

Ubuntu 9.04:
fetchmail 6.3.9~rc2-4ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moxie Marlinspike discovered that fetchmail did not properly handle
certificates with NULL characters in the certificate name. A remote
attacker could exploit this to perform a man in the middle attack to
view sensitive information or alter encrypted communications.


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.diff.gz
Size/MD5: 191107 9d0c089074ea79db248cca36714e56cd
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.dsc
Size/MD5: 812 68c7ce726e683390daf0199b2b646865
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
Size/MD5: 1522264 a661735496077232acedb82a901fa499

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.3_all.deb
Size/MD5: 114946 01a751405f08024ed08e0ec1b06b6213

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_amd64.deb
Size/MD5: 347012 32a3fff1c437774c2480646536b9e716

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_i386.deb
Size/MD5: 333650 0eed4e07d723dba7ca14210e80e59c7a

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_powerpc.deb
Size/MD5: 345698 ee714084a44f35a1c7bc9916691ccea2

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_sparc.deb
Size/MD5: 339820 47b3f94dc05000e46489fddd30eea5be

Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.diff.gz
Size/MD5: 63885 e305fcae9eb86e0fce57c1e0467db13e
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.dsc
Size/MD5: 1080 49e91c3a8ed18d928a3002279ac61caa
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
Size/MD5: 1691723 1b84621072b4f906b5686a4fbae0b1d7

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-10ubuntu1.1_all.deb
Size/MD5: 63906 e40223bb9b433719091d0d9de835cc1e

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_amd64.deb
Size/MD5: 385906 154e459bf59e28a44750bd392ddd2ca9

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_i386.deb
Size/MD5: 373120 dcb601f22e56bf36f2104b359fbc1c9d

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_lpia.deb
Size/MD5: 373342 f1a37e39a5dc46fdeb25ece934faff56

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_powerpc.deb
Size/MD5: 388680 2f669c26bd5093201815241caae577a0

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_sparc.deb
Size/MD5: 377326 b8f0ba3a4ac9513ff931cb9e9ddeed0c

Updated packages for Ubuntu 8.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.diff.gz
Size/MD5: 65008 ae5fa277a18f59b0e2af5119b21cc962
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.dsc
Size/MD5: 1488 c2dbe38ccbcdcb60260fefd9fcc47608
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
Size/MD5: 1691723 1b84621072b4f906b5686a4fbae0b1d7

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-11ubuntu3.1_all.deb
Size/MD5: 64354 2b0529ffa107f1622b7b559dbcea19f3

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_amd64.deb
Size/MD5: 387888 93842d6ea6f4544b58976d6b7329b65c

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_i386.deb
Size/MD5: 373930 968ae9e9dac23d81c6d63eac91590a49

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_lpia.deb
Size/MD5: 373726 a12e3bf5a1b691e2435f8b91b028b3d2

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_powerpc.deb
Size/MD5: 388470 d7da47c31d27d3edbb5c8e2b0b308909

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_sparc.deb
Size/MD5: 380018 b4015f4a8b8e67c1b62231033b736bba

Updated packages for Ubuntu 9.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.diff.gz
Size/MD5: 49605 3bbf57ecf060a6254b71bc73b46c429e
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.dsc
Size/MD5: 1505 3d4d55b89631a10be608739db0488d00
http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
Size/MD5: 1711087 200ece6f73ac28ccda7aea42ea4e492d

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.9~rc2-4ubuntu1.1_all.deb
Size/MD5: 64940 68cf588634d7ab15120f0fc73f8cbb73

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_amd64.deb
Size/MD5: 391020 40816e1ae515f598756b55ec23c38cf6

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_i386.deb
Size/MD5: 377636 70682ec1fbf0fc1692f83c15bdf593e7

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_lpia.deb
Size/MD5: 377928 986f144b2162feb7664b9f5c39047035

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_powerpc.deb
Size/MD5: 391402 d69de1a36758e6b35d46e7283f555b61

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_sparc.deb
Size/MD5: 384332 eabd08fec6c574ad615e0dd38c0961e6


--54ZiyWcDhi/7bWb8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook

iEYEARECAAYFAkqDSJwACgkQH/9LqRcGPm34VwCbBQkyKwnwuH4lHzt4pY8BkwLs
JN8AoJIzBPS+dXdCpih7fzNrnIYPN3VS
=0uNc
-----END PGP SIGNATURE-----
"

Robbie distracted by Jay KayUSN-799-1: D-Bus vulnerability

This entry was posted on 9:32 AM .
Newer Post Older Post