Debian: DSA-1852-1: New fetchmail packages fix SSL certificate verification weakness

    Date07 Aug 2009
    CategoryDebian
    53
    Posted ByLinuxSecurity Advisories
    It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1852-1                    This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                                 Nico Golde
    August 7th, 2009                        http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : fetchmail
    Vulnerability  : insufficient input validation
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2009-2666
    
    It was discovered that fetchmail, a full-featured remote mail retrieval
    and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
    SSL/TLS Certificates" recently published at the Blackhat conference.
    This allows an attacker to perform undetected man-in-the-middle attacks
    via a crafted ITU-T X.509 certificate with an injected null byte in the
    subjectAltName or Common Name fields.
    
    Note, as a fetchmail user you should always use strict certificate
    validation through either these option combinations:
        sslcertck ssl sslproto ssl3    (for service on SSL-wrapped ports)
    or
        sslcertck sslproto tls1        (for STARTTLS-based services)
    
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 6.3.6-1etch2.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 6.3.9~rc2-4+lenny1.
    
    For the testing distribution (squeeze), this problem will be fixed soon.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 6.3.9~rc2-6.
    
    
    We recommend that you upgrade your fetchmail packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc
        Size/MD5 checksum:      882 5d96480a102ad30f66dbac6bcbae1037
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
        Size/MD5 checksum:  1680200 04175459cdf32fdb10d9e8fc46b633c3
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz
        Size/MD5 checksum:    45665 a51b0544434e51577863032336812bd6
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb
        Size/MD5 checksum:    61444 f65648771182f763268cbc7fd643da8b
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb
        Size/MD5 checksum:   666592 289c6c238d70e71771d5c0c87b764a87
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb
        Size/MD5 checksum:   649604 8d2e4ff30c29e9e67831ec9aab5a567e
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb
        Size/MD5 checksum:   645170 928f041ad7b0311ac0188e4e6ca6256f
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb
        Size/MD5 checksum:   658340 511591dee94637fe440c6a737a3fd880
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb
        Size/MD5 checksum:   642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb
        Size/MD5 checksum:   700924 6d7f77eca56a191e0fab3bdf8fa98c37
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb
        Size/MD5 checksum:   647274 771f97aa2d2029135185afcbf05b605c
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb
        Size/MD5 checksum:   647026 f2ac2a5ce6f648b7d88948530456d02d
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb
        Size/MD5 checksum:   640688 974ffde76095f1fa184cf1eced7b7dae
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc
        Size/MD5 checksum:     1375 39a3debdf4c4cf3e313c75e5688209ca
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz
        Size/MD5 checksum:    46891 a2715b1768546ea2d7a3c8a518aa8188
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
        Size/MD5 checksum:  1711087 200ece6f73ac28ccda7aea42ea4e492d
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb
        Size/MD5 checksum:    63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb
        Size/MD5 checksum:   680224 1a2ddefc8a90da5e2d31291f1101442c
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb
        Size/MD5 checksum:   668616 65015cc17b556da2e44ef1496171e9fd
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb
        Size/MD5 checksum:   663090 4b4fccf839ee8b6f1f94a997ac911179
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb
        Size/MD5 checksum:   662018 837c3029b01e180f2447ff0f19555dc5
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb
        Size/MD5 checksum:   673570 7dbce7d81c38e4fa9562626610b09f65
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb
        Size/MD5 checksum:   657844 a9e357f91278e9108018725c96eeb8ae
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb
        Size/MD5 checksum:   719116 4b2f362a01870c0770f010bcc5012aad
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb
        Size/MD5 checksum:   664870 2abf34330924241ce890b703709c5895
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb
        Size/MD5 checksum:   663906 88af289787ec5fd46c83f28a0de65849
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb
        Size/MD5 checksum:   669542 7c9a426df9ef71c0420ccb030e5d422b
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb
        Size/MD5 checksum:   666976 6aa0fd370bd06f3c39d9230c82cde208
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb
        Size/MD5 checksum:   658912 699f23466f0003f7f38f02111d5a3363
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    Do you read our distribution advisories on a regular basis?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote&format=json
    23
    radio
    [{"id":"84","title":"Yes, for a single distribution","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"85","title":"Yes, for multiple distributions","votes":"6","type":"x","order":"2","pct":60,"resources":[]},{"id":"86","title":"No","votes":"4","type":"x","order":"3","pct":40,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.