
Debian: DSA-1852-1 High: Fetchmail SSL Risk From MITM Attacks

August 7, 2009

This fetchmail update fixes a certificate validation flaw (CVE-2009-2666) that lets an attacker impersonate a mail server over SSL/TLS without the client noticing.

Summary

It was discovered that fetchmail, a full-featured remote mail retrieval
and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" recently published at the Blackhat conference.
This allows an attacker to perform undetected man-in-the-middle attacks
via a crafted ITU-T X.509 certificate with an injected null byte in the
subjectAltName or Common Name fields: these names are ASN.1 strings with
an explicit length, but code that treats them as NUL-terminated C strings
stops at the null byte and compares only the prefix, so a certificate
legitimately issued for a name under the attacker's own domain is
accepted as the victim's mail server.
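
The comparison bug described above, reduced to its essentials as an added example (this is not fetchmail's code, and the host names and the CRAFTED_CN value are constructed for the demonstration). The "vulnerable" function hands the ASN.1 value to strcmp() and so never sees past the embedded null byte; the "hardened" function checks that the C-string length equals the length the ASN.1 encoding declares and rejects the name if it does not. The buffers are assumed to be NUL-terminated after their declared length, as OpenSSL's ASN1_STRING data is.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample values (not from a real certificate).
 * CRAFTED_CN is what an attacker gets a CA to sign: the CA sees a name
 * under attacker.example, a C-string compare sees "mail.example.com". */
static const char CRAFTED_CN[] = "mail.example.com\0.attacker.example";
static const char HONEST_CN[]  = "mail.example.com";

/* sizeof() minus the terminating NUL is the length the ASN.1 encoding
 * declares: 34 for CRAFTED_CN (the embedded NUL is counted), 16 for
 * HONEST_CN. */
#define CRAFTED_CN_LEN (sizeof(CRAFTED_CN) - 1)
#define HONEST_CN_LEN  (sizeof(HONEST_CN) - 1)

/* Vulnerable: ignores the declared length and treats the value as a
 * NUL-terminated string, so strcmp() stops at the embedded null byte
 * and only "mail.example.com" is compared. */
int cn_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                          const char *expected_host)
{
    (void)cn_len;   /* the bug: the real length is never consulted */
    return strcmp((const char *)cn, expected_host) == 0;
}

/* Hardened: honour the declared length.  An embedded NUL makes strlen()
 * shorter than cn_len; that is a malformed name and is rejected before
 * any comparison.  Only then is a full-length memcmp() done. */
int cn_matches_hardened(const unsigned char *cn, size_t cn_len,
                        const char *expected_host)
{
    if (strlen((const char *)cn) != cn_len)
        return 0;                        /* embedded NUL: reject outright */
    if (cn_len != strlen(expected_host))
        return 0;                        /* lengths differ: cannot match */
    return memcmp(cn, expected_host, cn_len) == 0;
}

int main(void)
{
    const unsigned char *crafted = (const unsigned char *)CRAFTED_CN;
    const unsigned char *honest  = (const unsigned char *)HONEST_CN;

    printf("vulnerable check, crafted CN: %s\n",
           cn_matches_vulnerable(crafted, CRAFTED_CN_LEN, "mail.example.com")
               ? "ACCEPTED (MITM succeeds)" : "rejected");
    printf("hardened check,   crafted CN: %s\n",
           cn_matches_hardened(crafted, CRAFTED_CN_LEN, "mail.example.com")
               ? "accepted" : "REJECTED");
    printf("hardened check,   honest CN : %s\n",
           cn_matches_hardened(honest, HONEST_CN_LEN, "mail.example.com")
               ? "accepted" : "rejected");
    return 0;
}
```

The same length-versus-strlen check applies to every subjectAltName dNSName entry, not just the Common Name, since either field can carry the embedded null byte.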

Note, as a fetchmail user you should always use strict certificate
validation through one of these option combinations:
sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)
or
sslcertck sslproto tls1 (for STARTTLS-based services)
sslcertck is the option that makes a failed certificate check abort the
connection instead of only logging a warning, so the fix in this update
protects only clients that have it set. The sslproto values above are
the advisory's 2009 recommendations; SSLv3 has since been deprecated
(RFC 7568), so on a current fetchmail restrict sslproto to a TLS version
instead.


For the oldstable distribution (etch), this problem has been fixed in
version 6.3.6-1etch2.

For the stable distribution (lenny), this problem has been fixed in
version 6.3.9~rc2-4+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.3.9~rc2-6.


We recomme...


Severity: important

Package: fetchmail
CVE ID: CVE-2009-2666
