<<< Date Index >>>     <<< Thread Index >>>

MDKSA-2005:209 - Updated fetchmail packages fixes fetchmailconf vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:209
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : fetchmail
 Date    : November 9, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Thomas Wolff and Miloslav Trmac discovered a race condition in the
 fetchmailconf program.  fetchmailconf would create the initial output
 configuration file with insecure permissions and only after writing
 would it change permissions to be more restrictive.  During that time,
 passwords and other data could be exposed to other users on the system
 unless the user used a more restrictive umask setting.
 
 As well, the Mandriva Linux 2006 packages did not contain the patch
 that corrected the issues fixed in MDKSA-2005:126, namely a buffer
 overflow in fetchmail's POP3 client (CAN-2005-2355).
 
 The updated packages have been patched to address this issue, and the
 Mandriva 2006 packages have also been patched to correct CAN-2005-2355.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2355
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.1:
 de0b7fb59640e490441fe4a48d11954d  10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.i586.rpm
 84c6cb9619cb5b4ef74ade674845f51e  
10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.i586.rpm
 1f0b8136bcd4caeae75542ff54d78371  
10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.i586.rpm
 e9309094431f4983fad035cbc1eb566b  10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

 Mandriva Linux 10.1/X86_64:
 32720e7378b6b85ae3a1287d5ff558e3  
x86_64/10.1/RPMS/fetchmail-6.2.5-5.2.101mdk.x86_64.rpm
 c46469b4d83446e861b8db3b54c60f6d  
x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.2.101mdk.x86_64.rpm
 5ea98645d8fd15f30c7060576d220518  
x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.2.101mdk.x86_64.rpm
 e9309094431f4983fad035cbc1eb566b  
x86_64/10.1/SRPMS/fetchmail-6.2.5-5.2.101mdk.src.rpm

 Mandriva Linux 10.2:
 59614bb2b9bd76c93300d3459bd908e8  
10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.i586.rpm
 096f60340d1d71ea15290534a5b1cfc9  
10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.i586.rpm
 c40c436ab5751c4599caefc8cd28940f  
10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.i586.rpm
 1a7299f4d74a9d0aa89ce25871644616  
10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 f9290067e4f4e039753d3b6e7eead02d  
x86_64/10.2/RPMS/fetchmail-6.2.5-10.3.102mdk.x86_64.rpm
 813f46e3d0d3413b4b4c5122b5ff8bfc  
x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.3.102mdk.x86_64.rpm
 820953daf6e6c69f58a1e3380cb60369  
x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.3.102mdk.x86_64.rpm
 1a7299f4d74a9d0aa89ce25871644616  
x86_64/10.2/SRPMS/fetchmail-6.2.5-10.3.102mdk.src.rpm

 Mandriva Linux 2006.0:
 b11365c74030b1075435ce6c9e0bda88  
2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.i586.rpm
 f24c20a001b8df396355bae70166c051  
2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.i586.rpm
 0d86053a3e69cd9bbf772664eec6236c  
2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.i586.rpm
 5781cf14f33e52da296bb4b89f811812  
2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 dd6f3321e9ff2f6b767c9c2940c0379a  
x86_64/2006.0/RPMS/fetchmail-6.2.5-11.1.20060mdk.x86_64.rpm
 4400d9a3f5e6489bfd40c3185d98970a  
x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.1.20060mdk.x86_64.rpm
 3b62ae9bcc9fbaa14198b898774b7cec  
x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.1.20060mdk.x86_64.rpm
 5781cf14f33e52da296bb4b89f811812  
x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.1.20060mdk.src.rpm

 Corporate Server 2.1:
 ce7a54747ca8339473335f6b588bc5ce  
corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.i586.rpm
 7b44a889fef845ae5db3290dc9b866c9  
corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.i586.rpm
 73d527b67a4854fcf9fe9e8b27232fbe  
corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.i586.rpm
 2a20268d079b94fbadafd29c3253504f  
corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 173c6aeda81987ac1820ea7865ca1942  
x86_64/corporate/2.1/RPMS/fetchmail-6.1.0-1.4.C21mdk.x86_64.rpm
 9624c2cf97df1588c14a3048899b571a  
x86_64/corporate/2.1/RPMS/fetchmailconf-6.1.0-1.4.C21mdk.x86_64.rpm
 e8922f5da70e12576c9feac6d5998913  
x86_64/corporate/2.1/RPMS/fetchmail-daemon-6.1.0-1.4.C21mdk.x86_64.rpm
 2a20268d079b94fbadafd29c3253504f  
x86_64/corporate/2.1/SRPMS/fetchmail-6.1.0-1.4.C21mdk.src.rpm

 Corporate 3.0:
 03913f6670b6de3b9e1c45e35ae0a186  
corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.i586.rpm
 fb46ec776a21f713f6fde14b575d5628  
corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.i586.rpm
 ded6e5340284869543be18b5b971be76  
corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.i586.rpm
 b54d99d537e7317aa590e6aae57df78b  
corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 d4d0d8a6995d5d209a508984b3b0d7d8  
x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.2.C30mdk.x86_64.rpm
 6bf1d33980eb83ec0434a9fbdae1014f  
x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.2.C30mdk.x86_64.rpm
 62db83cb99470473cf1718fc38aaedc6  
x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.2.C30mdk.x86_64.rpm
 b54d99d537e7317aa590e6aae57df78b  
x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.2.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDcnQPmqjQ0CJFipgRAk6dAJ9GH/E98V/wHxCv2SufVnNDGJhHMQCfUpeJ
douSyj4gSpEu6e2KCnT8tHk=
=Gpyr
-----END PGP SIGNATURE-----