Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1154
New fetchmail packages fix SSL certificate verification weakness
10 August 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: fetchmail
Publisher: Debian
Operating System: Debian GNU/Linux 4
Debian GNU/Linux 5
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2009-2666
Reference: ESB-2009.1142
Original Bulletin:
http://www.debian.org/security/2009/dsa-1852
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA-1852-1 security@debian.org
http://www.debian.org/security/ Nico Golde
August 7th, 2009 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : fetchmail
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2666
It was discovered that fetchmail, a full-featured remote mail retrieval
and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" recently published at the Blackhat conference.
This allows an attacker to perform undetected man-in-the-middle attacks
via a crafted ITU-T X.509 certificate with an injected null byte in the
subjectAltName or Common Name fields.
Note, as a fetchmail user you should always use strict certificate
validation through either these option combinations:
sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)
or
sslcertck sslproto tls1 (for STARTTLS-based services)
For the oldstable distribution (etch), this problem has been fixed in
version 6.3.6-1etch2.
For the stable distribution (lenny), this problem has been fixed in
version 6.3.9~rc2-4+lenny1.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 6.3.9~rc2-6.
We recommend that you upgrade your fetchmail packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Debian (oldstable)
- - ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc
Size/MD5 checksum: 882 5d96480a102ad30f66dbac6bcbae1037
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
Size/MD5 checksum: 1680200 04175459cdf32fdb10d9e8fc46b633c3
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz
Size/MD5 checksum: 45665 a51b0544434e51577863032336812bd6
Architecture independent packages:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb
Size/MD5 checksum: 61444 f65648771182f763268cbc7fd643da8b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb
Size/MD5 checksum: 666592 289c6c238d70e71771d5c0c87b764a87
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb
Size/MD5 checksum: 649604 8d2e4ff30c29e9e67831ec9aab5a567e
arm architecture (ARM)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb
Size/MD5 checksum: 645170 928f041ad7b0311ac0188e4e6ca6256f
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb
Size/MD5 checksum: 658340 511591dee94637fe440c6a737a3fd880
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb
Size/MD5 checksum: 642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb
Size/MD5 checksum: 700924 6d7f77eca56a191e0fab3bdf8fa98c37
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb
Size/MD5 checksum: 647274 771f97aa2d2029135185afcbf05b605c
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb
Size/MD5 checksum: 647026 f2ac2a5ce6f648b7d88948530456d02d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb
Size/MD5 checksum: 640688 974ffde76095f1fa184cf1eced7b7dae
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc
Size/MD5 checksum: 1375 39a3debdf4c4cf3e313c75e5688209ca
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz
Size/MD5 checksum: 46891 a2715b1768546ea2d7a3c8a518aa8188
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
Size/MD5 checksum: 1711087 200ece6f73ac28ccda7aea42ea4e492d
Architecture independent packages:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb
Size/MD5 checksum: 63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb
Size/MD5 checksum: 680224 1a2ddefc8a90da5e2d31291f1101442c
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb
Size/MD5 checksum: 668616 65015cc17b556da2e44ef1496171e9fd
arm architecture (ARM)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb
Size/MD5 checksum: 663090 4b4fccf839ee8b6f1f94a997ac911179
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb
Size/MD5 checksum: 662018 837c3029b01e180f2447ff0f19555dc5
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb
Size/MD5 checksum: 673570 7dbce7d81c38e4fa9562626610b09f65
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb
Size/MD5 checksum: 657844 a9e357f91278e9108018725c96eeb8ae
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb
Size/MD5 checksum: 719116 4b2f362a01870c0770f010bcc5012aad
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb
Size/MD5 checksum: 664870 2abf34330924241ce890b703709c5895
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb
Size/MD5 checksum: 663906 88af289787ec5fd46c83f28a0de65849
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb
Size/MD5 checksum: 669542 7c9a426df9ef71c0420ccb030e5d422b
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb
Size/MD5 checksum: 666976 6aa0fd370bd06f3c39d9230c82cde208
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb
Size/MD5 checksum: 658912 699f23466f0003f7f38f02111d5a3363
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp8SOQACgkQHYflSXNkfP+eXQCcDixwhyFyyKjaS34HJEe9g71L
XKoAn3eTMd0qbvNi/4AVoGIBIjTDALlh
=O0zh
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKf3aFNVH5XJJInbgRAl9nAJ0d48U72friU3kK2wmukBNsEu16tACfcORl
FETPcuO4u0SqAWuFQB/TeR0=
=darA
-----END PGP SIGNATURE-----