Ubuntu 816-1: fetchmail vulnerability

    Date: 12 Aug 2009
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Moxie Marlinspike discovered that fetchmail did not properly handle certificates with NULL characters in the certificate name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
    ===========================================================
    Ubuntu Security Notice USN-816-1            August 12, 2009
    fetchmail vulnerability
    CVE-2009-2666
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    Ubuntu 9.04
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      fetchmail                       6.3.2-2ubuntu2.3
    
    Ubuntu 8.04 LTS:
      fetchmail                       6.3.8-10ubuntu1.1
    
    Ubuntu 8.10:
      fetchmail                       6.3.8-11ubuntu3.1
    
    Ubuntu 9.04:
      fetchmail                       6.3.9~rc2-4ubuntu1.1
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    Moxie Marlinspike discovered that fetchmail did not properly handle
    certificates with NULL characters in the certificate name. A remote
    attacker could exploit this to perform a man in the middle attack to
    view sensitive information or alter encrypted communications.
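
The bug class described above, as an added example (not fetchmail's code and not the Ubuntu patch): a certificate name compared as a C string is cut off at the first NUL, while a length-aware check rejects such a name outright. The type `cert_name`, both function names and the sample hostnames are hypothetical, and the check is narrowed to exact, case-insensitive matching with no wildcard or subjectAltName handling.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Certificate name as an ASN.1 decoder hands it over: raw bytes plus an
 * explicit length. The bytes can contain 0x00. (Hypothetical type.) */
struct cert_name { const unsigned char *data; size_t len; };

/* Flawed pattern: treats the name as a C string, so the comparison stops
 * at the first NUL and the rest of the name is never examined.
 * Assumes the buffer has a terminating NUL, as the samples below do. */
static int name_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: returns 1 on match, 0 on mismatch, -1 if the name is
 * empty or holds an embedded NUL (caller should reject the certificate). */
static int name_matches_strict(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return -1;
    if (cn->len != hlen)
        return 0;
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Constructed samples: sizeof - 1 keeps the embedded NUL inside the length. */
static const unsigned char EMBEDDED[] = "mail.example.com\0.other.example.net";
static const unsigned char CLEAN[] = "mail.example.com";
static const struct cert_name CN_EMBEDDED = { EMBEDDED, sizeof(EMBEDDED) - 1 };
static const struct cert_name CN_CLEAN = { CLEAN, sizeof(CLEAN) - 1 };

int main(void)
{
    const char *host = "mail.example.com";
    printf("embedded NUL, naive : %d\n", name_matches_naive(&CN_EMBEDDED, host));
    printf("embedded NUL, strict: %d\n", name_matches_strict(&CN_EMBEDDED, host));
    printf("clean name,   strict: %d\n", name_matches_strict(&CN_CLEAN, host));
    return 0;
}
```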
    
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.diff.gz
          Size/MD5:   191107 9d0c089074ea79db248cca36714e56cd
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3.dsc
          Size/MD5:      812 68c7ce726e683390daf0199b2b646865
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2.orig.tar.gz
          Size/MD5:  1522264 a661735496077232acedb82a901fa499
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.2-2ubuntu2.3_all.deb
          Size/MD5:   114946 01a751405f08024ed08e0ec1b06b6213
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_amd64.deb
          Size/MD5:   347012 32a3fff1c437774c2480646536b9e716
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_i386.deb
          Size/MD5:   333650 0eed4e07d723dba7ca14210e80e59c7a
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_powerpc.deb
          Size/MD5:   345698 ee714084a44f35a1c7bc9916691ccea2
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.2-2ubuntu2.3_sparc.deb
          Size/MD5:   339820 47b3f94dc05000e46489fddd30eea5be
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.diff.gz
          Size/MD5:    63885 e305fcae9eb86e0fce57c1e0467db13e
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1.dsc
          Size/MD5:     1080 49e91c3a8ed18d928a3002279ac61caa
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
          Size/MD5:  1691723 1b84621072b4f906b5686a4fbae0b1d7
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-10ubuntu1.1_all.deb
          Size/MD5:    63906 e40223bb9b433719091d0d9de835cc1e
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_amd64.deb
          Size/MD5:   385906 154e459bf59e28a44750bd392ddd2ca9
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_i386.deb
          Size/MD5:   373120 dcb601f22e56bf36f2104b359fbc1c9d
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_lpia.deb
          Size/MD5:   373342 f1a37e39a5dc46fdeb25ece934faff56
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_powerpc.deb
          Size/MD5:   388680 2f669c26bd5093201815241caae577a0
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-10ubuntu1.1_sparc.deb
          Size/MD5:   377326 b8f0ba3a4ac9513ff931cb9e9ddeed0c
    
    Updated packages for Ubuntu 8.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.diff.gz
          Size/MD5:    65008 ae5fa277a18f59b0e2af5119b21cc962
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1.dsc
          Size/MD5:     1488 c2dbe38ccbcdcb60260fefd9fcc47608
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8.orig.tar.gz
          Size/MD5:  1691723 1b84621072b4f906b5686a4fbae0b1d7
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.8-11ubuntu3.1_all.deb
          Size/MD5:    64354 2b0529ffa107f1622b7b559dbcea19f3
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_amd64.deb
          Size/MD5:   387888 93842d6ea6f4544b58976d6b7329b65c
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_i386.deb
          Size/MD5:   373930 968ae9e9dac23d81c6d63eac91590a49
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_lpia.deb
          Size/MD5:   373726 a12e3bf5a1b691e2435f8b91b028b3d2
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_powerpc.deb
          Size/MD5:   388470 d7da47c31d27d3edbb5c8e2b0b308909
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.8-11ubuntu3.1_sparc.deb
          Size/MD5:   380018 b4015f4a8b8e67c1b62231033b736bba
    
    Updated packages for Ubuntu 9.04:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.diff.gz
          Size/MD5:    49605 3bbf57ecf060a6254b71bc73b46c429e
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1.dsc
          Size/MD5:     1505 3d4d55b89631a10be608739db0488d00
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
          Size/MD5:  1711087 200ece6f73ac28ccda7aea42ea4e492d
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.3.9~rc2-4ubuntu1.1_all.deb
          Size/MD5:    64940 68cf588634d7ab15120f0fc73f8cbb73
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_amd64.deb
          Size/MD5:   391020 40816e1ae515f598756b55ec23c38cf6
    
      i386 architecture (x86 compatible Intel/AMD):
    
        http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_i386.deb
          Size/MD5:   377636 70682ec1fbf0fc1692f83c15bdf593e7
    
      lpia architecture (Low Power Intel Architecture):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_lpia.deb
          Size/MD5:   377928 986f144b2162feb7664b9f5c39047035
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_powerpc.deb
          Size/MD5:   391402 d69de1a36758e6b35d46e7283f555b61
    
      sparc architecture (Sun SPARC/UltraSPARC):
    
        http://ports.ubuntu.com/pool/main/f/fetchmail/fetchmail_6.3.9~rc2-4ubuntu1.1_sparc.deb
          Size/MD5:   384332 eabd08fec6c574ad615e0dd38c0961e6
    