MDKSA-2005:209 - Updated fetchmail packages fixes fetchmailconf vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2005:209
http://www.mandriva.com/security/
_______________________________________________________________________
Package : fetchmail
Date : November 9, 2005
Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
_______________________________________________________________________
Problem Description:
Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. fetchmailconf would create the initial output
configuration file with insecure permissions and only after writing
would it change permissions to be more restrictive. During that time,
passwords and other data could be exposed to other users on the system
unless the user used a more restrictive umask setting.
As well, the Mandriva Linux 2006 packages did not contain the patch
that corrected the issues fixed in MDKSA-2005:126, namely a buffer
overflow in fetchmail's POP3 client (CAN-2005-2355).
The updated packages have been patched to address this issue, and the
Mandriva 2006 packages have also been patched to correct CAN-2005-2355.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2355
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.1:
de0b7fb59640e490441fe4a48d11954d 10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.i586.rpm
84c6cb9619cb5b4ef74ade674845f51e
10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.i586.rpm
1f0b8136bcd4caeae75542ff54d78371
10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.i586.rpm
e9309094431f4983fad035cbc1eb566b 10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
32720e7378b6b85ae3a1287d5ff558e3
x86_64/10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.x86_64.rpm
c46469b4d83446e861b8db3b54c60f6d
x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.x86_64.rpm
5ea98645d8fd15f30c7060576d220518
x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.x86_64.rpm
e9309094431f4983fad035cbc1eb566b
x86_64/10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm
Mandriva Linux 10.2:
59614bb2b9bd76c93300d3459bd908e8
10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.i586.rpm
096f60340d1d71ea15290534a5b1cfc9
10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.i586.rpm
c40c436ab5751c4599caefc8cd28940f
10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.i586.rpm
1a7299f4d74a9d0aa89ce25871644616
10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
f9290067e4f4e039753d3b6e7eead02d
x86_64/10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.x86_64.rpm
813f46e3d0d3413b4b4c5122b5ff8bfc
x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.x86_64.rpm
820953daf6e6c69f58a1e3380cb60369
x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.x86_64.rpm
1a7299f4d74a9d0aa89ce25871644616
x86_64/10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm
Mandriva Linux 2006.0:
b11365c74030b1075435ce6c9e0bda88
2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.i586.rpm
f24c20a001b8df396355bae70166c051
2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.i586.rpm
0d86053a3e69cd9bbf772664eec6236c
2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.i586.rpm
5781cf14f33e52da296bb4b89f811812
2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
dd6f3321e9ff2f6b767c9c2940c0379a
x86_64/2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.x86_64.rpm
4400d9a3f5e6489bfd40c3185d98970a
x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.x86_64.rpm
3b62ae9bcc9fbaa14198b898774b7cec
x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.x86_64.rpm
5781cf14f33e52da296bb4b89f811812
x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm
Corporate Server 2.1:
ce7a54747ca8339473335f6b588bc5ce
corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.i586.rpm
7b44a889fef845ae5db3290dc9b866c9
corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.i586.rpm
73d527b67a4854fcf9fe9e8b27232fbe
corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.i586.rpm
2a20268d079b94fbadafd29c3253504f
corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
173c6aeda81987ac1820ea7865ca1942
x86_64/corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.x86_64.rpm
9624c2cf97df1588c14a3048899b571a
x86_64/corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.x86_64.rpm
e8922f5da70e12576c9feac6d5998913
x86_64/corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.x86_64.rpm
2a20268d079b94fbadafd29c3253504f
x86_64/corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm
Corporate 3.0:
03913f6670b6de3b9e1c45e35ae0a186
corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.i586.rpm
fb46ec776a21f713f6fde14b575d5628
corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.i586.rpm
ded6e5340284869543be18b5b971be76
corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.i586.rpm
b54d99d537e7317aa590e6aae57df78b
corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
d4d0d8a6995d5d209a508984b3b0d7d8
x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.x86_64.rpm
6bf1d33980eb83ec0434a9fbdae1014f
x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.x86_64.rpm
62db83cb99470473cf1718fc38aaedc6
x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.x86_64.rpm
b54d99d537e7317aa590e6aae57df78b
x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDcnQPmqjQ0CJFipgRAk6dAJ9GH/E98V/wHxCv2SufVnNDGJhHMQCfUpeJ
douSyj4gSpEu6e2KCnT8tHk=
=Gpyr
-----END PGP SIGNATURE-----