<<< Date Index >>>     <<< Thread Index >>>

OpenLinux: Fetchmail 6.2.4 and earlier remote dennial of service



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: Fetchmail 6.2.4 and earlier remote dennial 
of service 
Advisory number:        CSSA-2004-004.0
Issue date:             2004 February 19
Cross reference:        sr886097 fz528427 erg712468 CAN-2003-0792
______________________________________________________________________________


1. Problem Description

        Fetchmail 6.2.4 and earlier does not properly allocate memory for
        long lines, which allows remote attackers to cause a denial of
        service (crash) via a certain email. 

        Fetchmail is a full-featured, robust, well-documented remote-mail 
        retrieval and forwarding utility intended to be used over on-
        demand TCP/IP links (such as SLIP or PPP connections). It supports 
        every remote-mail protocol now in use on the Internet: POP2, POP3, 
        RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even 
        support IPv6 and IPSEC. 

        Fetchmail retrieves mail from remote mail servers and forwards it 
        via SMTP, so it can then be read by normal mail user agents such as 
        mutt, elm(1) or BSD Mail. It allows all your system MTA's filtering, 
        forwarding, and aliasing facilities to work just as they would on 
        normal mail. 

        The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
        assigned the name CAN-2003-0792 to this issue.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to fetchmail-6.2.5-1.i386.rpm
                                        prior to fetchmailconf-6.2.5-1.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to fetchmail-6.2.5-1.i386.rpm
                                        prior to fetchmailconf-6.2.5-1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-004.0/RPMS

        4.2 Packages

        60ded90624478cf42bbafdb3530b1431        fetchmail-6.2.5-1.i386.rpm
        b5812d5463a264a37dbeac6a3f3084f0        fetchmailconf-6.2.5-1.i386.rpm

        4.3 Installation

        rpm -Fvh fetchmail-6.2.5-1.i386.rpm
        rpm -Fvh fetchmailconf-6.2.5-1.i386.rpm

        4.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-004.0/SRPMS

        4.5 Source Packages

        f7fea66f02c98436847aab205922a180        fetchmail-6.2.5-1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-004.0/RPMS

        5.2 Packages

        195568e0570b8e0682d93b3d27a4d3de        fetchmail-6.2.5-1.i386.rpm
        7d81aed49392ce9df04ae4b421fd80e7        fetchmailconf-6.2.5-1.i386.rpm

        5.3 Installation

        rpm -Fvh fetchmail-6.2.5-1.i386.rpm
        rpm -Fvh fetchmailconf-6.2.5-1.i386.rpm

        5.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-004.0/SRPMS

        5.5 Source Packages

        3035d06b88de3840707e2e180304ee53        fetchmail-6.2.5-1.src.rpm


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0792

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr886097 fz528427
        erg712468.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgements

        SCO would like to thank Dave Jones and Mark Cox at Red Hat.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFANTycbluZssSXDTERAvRaAJ4m+WaovTwGUSZQgNYZBayCPJ/h0gCglk0s
lm/Co3aOVRP2TnFXpasf5Oc=
=odDf
-----END PGP SIGNATURE-----