Debian: DSA-1852-1: New fetchmail packages fix SSL certificate verification weakness

    Date07 Aug 2009
    CategoryDebian
    75
    Posted ByLinuxSecurity Advisories
    It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1852-1                    This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                                 Nico Golde
    August 7th, 2009                        http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : fetchmail
    Vulnerability  : insufficient input validation
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2009-2666
    
    It was discovered that fetchmail, a full-featured remote mail retrieval
    and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
    SSL/TLS Certificates" recently published at the Blackhat conference.
    This allows an attacker to perform undetected man-in-the-middle attacks
    via a crafted ITU-T X.509 certificate with an injected null byte in the
    subjectAltName or Common Name fields.
    
    Note, as a fetchmail user you should always use strict certificate
    validation through either these option combinations:
        sslcertck ssl sslproto ssl3    (for service on SSL-wrapped ports)
    or
        sslcertck sslproto tls1        (for STARTTLS-based services)
    
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 6.3.6-1etch2.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 6.3.9~rc2-4+lenny1.
    
    For the testing distribution (squeeze), this problem will be fixed soon.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 6.3.9~rc2-6.
    
    
    We recommend that you upgrade your fetchmail packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc
        Size/MD5 checksum:      882 5d96480a102ad30f66dbac6bcbae1037
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
        Size/MD5 checksum:  1680200 04175459cdf32fdb10d9e8fc46b633c3
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz
        Size/MD5 checksum:    45665 a51b0544434e51577863032336812bd6
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb
        Size/MD5 checksum:    61444 f65648771182f763268cbc7fd643da8b
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb
        Size/MD5 checksum:   666592 289c6c238d70e71771d5c0c87b764a87
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb
        Size/MD5 checksum:   649604 8d2e4ff30c29e9e67831ec9aab5a567e
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb
        Size/MD5 checksum:   645170 928f041ad7b0311ac0188e4e6ca6256f
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb
        Size/MD5 checksum:   658340 511591dee94637fe440c6a737a3fd880
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb
        Size/MD5 checksum:   642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb
        Size/MD5 checksum:   700924 6d7f77eca56a191e0fab3bdf8fa98c37
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb
        Size/MD5 checksum:   647274 771f97aa2d2029135185afcbf05b605c
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb
        Size/MD5 checksum:   647026 f2ac2a5ce6f648b7d88948530456d02d
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb
        Size/MD5 checksum:   640688 974ffde76095f1fa184cf1eced7b7dae
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc
        Size/MD5 checksum:     1375 39a3debdf4c4cf3e313c75e5688209ca
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz
        Size/MD5 checksum:    46891 a2715b1768546ea2d7a3c8a518aa8188
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
        Size/MD5 checksum:  1711087 200ece6f73ac28ccda7aea42ea4e492d
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb
        Size/MD5 checksum:    63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb
        Size/MD5 checksum:   680224 1a2ddefc8a90da5e2d31291f1101442c
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb
        Size/MD5 checksum:   668616 65015cc17b556da2e44ef1496171e9fd
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb
        Size/MD5 checksum:   663090 4b4fccf839ee8b6f1f94a997ac911179
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb
        Size/MD5 checksum:   662018 837c3029b01e180f2447ff0f19555dc5
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb
        Size/MD5 checksum:   673570 7dbce7d81c38e4fa9562626610b09f65
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb
        Size/MD5 checksum:   657844 a9e357f91278e9108018725c96eeb8ae
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb
        Size/MD5 checksum:   719116 4b2f362a01870c0770f010bcc5012aad
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb
        Size/MD5 checksum:   664870 2abf34330924241ce890b703709c5895
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb
        Size/MD5 checksum:   663906 88af289787ec5fd46c83f28a0de65849
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb
        Size/MD5 checksum:   669542 7c9a426df9ef71c0420ccb030e5d422b
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb
        Size/MD5 checksum:   666976 6aa0fd370bd06f3c39d9230c82cde208
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb
        Size/MD5 checksum:   658912 699f23466f0003f7f38f02111d5a3363
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"39","type":"x","order":"1","pct":51.32,"resources":[]},{"id":"88","title":"Should be more technical","votes":"11","type":"x","order":"2","pct":14.47,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"26","type":"x","order":"3","pct":34.21,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.