=====================================================================
CERT-Renater Information Note No. 2006/VULN255
_____________________________________________________________________
DATE                 : 19/05/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running fetchmail.
======================================================================

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis:     Updated fetchmail packages fix security issues
Advisory ID:  FLSA:164512
Issue date:   2006-05-12
Product:      Red Hat Linux, Fedora Core
Keywords:     Bugfix
CVE Names:    CVE-2003-0792 CVE-2005-2335 CVE-2005-3088 CVE-2005-4348
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated fetchmail packages that fix security flaws are now available.

Fetchmail is a remote mail retrieval and forwarding utility.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way fetchmail allocates memory for long lines. A
remote attacker could cause a denial of service by sending a specially
crafted email. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2003-0792 to this issue.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could send a carefully crafted message UID and cause fetchmail to
crash or potentially execute arbitrary code as the user running
fetchmail. The Common Vulnerabilities and Exposures project assigned the
name CVE-2005-2335 to this issue.

A bug was found in the way the fetchmailconf utility program writes
configuration files. The default behavior of fetchmailconf is to write a
configuration file which may be world readable for a short period of time.
This configuration file could provide passwords to a local malicious
attacker within the short window before fetchmailconf sets secure
permissions. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3088 to this issue.

A bug was found when fetchmail is running in multidrop mode. A malicious
mail server can cause a denial of service by sending a message without
headers. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-4348 to this issue.

Users of fetchmail should update to this erratum package which contains
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512
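The fetchmailconf issue described in section 3 (CVE-2005-3088) is an instance of a general pattern: a file holding secrets is created with the process's default permissions and only tightened afterwards. The following is an added illustration, not fetchmailconf's code or the backported patch; the file names and sample configuration line are constructed, and it assumes a POSIX system with a typical umask of 022.

```python
"""Added example: the create-then-chmod window behind CVE-2005-3088, next to
the pattern that avoids it (request the restrictive mode at creation time).
Not fetchmailconf's own code; paths and the sample config are constructed."""
import os
import stat
import tempfile


def write_config_racy(path, contents):
    """Racy pattern: create with the umask-derived default mode, chmod later."""
    # With umask 022, open() creates the file as 0644: world readable from the
    # first instant it exists until the chmod below runs.
    with open(path, "w") as fh:
        mode_at_creation = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(contents)
    os.chmod(path, 0o600)  # too late: the window has already been open
    return mode_at_creation


def write_config_safe(path, contents):
    """Safe pattern: the kernel applies 0600 when it creates the inode."""
    # O_EXCL additionally refuses to write into a pre-existing file or symlink
    # that another local user may have placed at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        mode_at_creation = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        fh.write(contents)
    return mode_at_creation


def world_readable(mode):
    """True if the 'other' read bit is set in a permission mode."""
    return bool(mode & stat.S_IROTH)


def demo():
    """Return (mode of racy file at creation, mode of safe file at creation)."""
    # Constructed sample line in fetchmailrc style; the password is a placeholder.
    sample = 'poll mail.example.org proto pop3 user "alice" pass "PLACEHOLDER"\n'
    old_umask = os.umask(0o022)  # typical interactive-user umask, restored below
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_config_racy(os.path.join(d, "racy.fetchmailrc"), sample)
            safe = write_config_safe(os.path.join(d, "safe.fetchmailrc"), sample)
    finally:
        os.umask(old_umask)
    return racy, safe


if __name__ == "__main__":
    racy, safe = demo()
    print(f"racy: {racy:04o} (world readable: {world_readable(racy)})")
    print(f"safe: {safe:04o} (world readable: {world_readable(safe)})")
```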
6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/fetchmail-6.2.5-2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/fetchmail-6.2.5-2.2.legacy.i386.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
8b49bca60dc8bcbba7634b8e0559c82fbeef3db5  redhat/7.3/updates/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
9c9c861757b4b8b2866f1d0e91dbc16d5037d956  redhat/7.3/updates/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm
9cca4f274cb21928d459ed25883e5d3c1f758f10  redhat/7.3/updates/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm
0fd22e51f83aab97d8c1790ed95423882f01aa9b  redhat/9/updates/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm
7d2eb582d0aba96e07710eb89cd8c4c41c4530d3  redhat/9/updates/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm
5df158a0ba6bb0c323a75464e04b11e246dd8f98  fedora/1/updates/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm
927ed2783b8b4a29d0669e7936c1d27fd05564eb  fedora/1/updates/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm
418f533e86f4c04a5fc41235b0618db470a63471  fedora/2/updates/i386/fetchmail-6.2.5-2.2.legacy.i386.rpm
d5a948f76f51032c05ab44b0ca7e47e36f7e4042  fedora/2/updates/SRPMS/fetchmail-6.2.5-2.2.legacy.src.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348

9. Contact:

The Fedora Legacy security contact is .
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER              | tel : 01-53-94-20-44 +
+ 151 bd de l'Hopital       | fax : 01-53-94-20-41 +
+ 75013 Paris               | email: certsvp@renater.fr +
=========================================================
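Section 7 gives a "SHA1 sum / Package Name" table and suggests checking downloads with sha1sum. The following added example (not Fedora Legacy tooling) parses a table in exactly that format and reports each package as ok, mismatch or missing; the files and digests in its demo are constructed stand-ins, and it matches table entries to local files by basename. As the advisory notes, a matching checksum only shows the file is the one the advisory describes; rpm --checksig against the Fedora Legacy GPG key is the stronger origin check.

```python
"""Added example: verify downloaded packages against an advisory's
'SHA1 sum  Package Name' table. Not Fedora Legacy's own tooling."""
import hashlib
import os
import re
import tempfile

# One table row: 40 hex digits, whitespace, path relative to the download root.
_ROW = re.compile(r"^([0-9a-fA-F]{40})\s+(\S+)$")


def parse_sum_table(text):
    """Return {relative_path: expected_sha1_hex} for every well-formed row."""
    expected = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:  # header and separator lines are skipped
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha1_of(path, chunk=1 << 16):
    """Stream a file through SHA-1 so large RPMs need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(table_text, download_dir):
    """Map each table path to 'ok', 'mismatch' or 'missing' for download_dir."""
    results = {}
    for rel_path, digest in parse_sum_table(table_text).items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.exists(local):
            results[rel_path] = "missing"
        else:
            results[rel_path] = "ok" if sha1_of(local) == digest else "mismatch"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one not downloaded."""
    good = b"constructed-rpm-contents\n"
    altered = b"constructed-rpm-contents-altered\n"
    digest = hashlib.sha1(good).hexdigest()
    table = ("SHA1 sum  Package Name\n" + "-" * 40 + "\n"
             f"{digest}  redhat/9/updates/i386/a.rpm\n"
             f"{digest}  redhat/9/updates/i386/b.rpm\n"
             f"{digest}  redhat/9/updates/SRPMS/c.src.rpm\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.rpm"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "b.rpm"), "wb") as fh:
            fh.write(altered)  # simulates a corrupted or tampered download
        return verify_downloads(table, d)
```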