Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1154 New fetchmail packages fix SSL certificate verification weakness 10 August 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: fetchmail Publisher: Debian Operating System: Debian GNU/Linux 4 Debian GNU/Linux 5 Impact/Access: Provide Misleading Information -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2009-2666 Reference: ESB-2009.1142 Original Bulletin: http://www.debian.org/security/2009/dsa-1852 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA-1852-1 security@debian.org http://www.debian.org/security/ Nico Golde August 7th, 2009 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : fetchmail Vulnerability : insufficient input validation Problem type : remote Debian-specific: no CVE ID : CVE-2009-2666 It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services) For the oldstable distribution (etch), this problem has been fixed in version 6.3.6-1etch2. For the stable distribution (lenny), this problem has been fixed in version 6.3.9~rc2-4+lenny1. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 6.3.9~rc2-6. We recommend that you upgrade your fetchmail packages. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Debian (oldstable) - - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc Size/MD5 checksum: 882 5d96480a102ad30f66dbac6bcbae1037 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz Size/MD5 checksum: 1680200 04175459cdf32fdb10d9e8fc46b633c3 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz Size/MD5 checksum: 45665 a51b0544434e51577863032336812bd6 Architecture independent packages: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb Size/MD5 checksum: 61444 f65648771182f763268cbc7fd643da8b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb Size/MD5 checksum: 666592 289c6c238d70e71771d5c0c87b764a87 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb Size/MD5 checksum: 649604 8d2e4ff30c29e9e67831ec9aab5a567e arm architecture (ARM) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb Size/MD5 checksum: 645170 928f041ad7b0311ac0188e4e6ca6256f hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb Size/MD5 checksum: 658340 511591dee94637fe440c6a737a3fd880 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb Size/MD5 checksum: 642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb Size/MD5 checksum: 700924 6d7f77eca56a191e0fab3bdf8fa98c37 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb Size/MD5 checksum: 647274 771f97aa2d2029135185afcbf05b605c s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb Size/MD5 checksum: 647026 f2ac2a5ce6f648b7d88948530456d02d sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb Size/MD5 checksum: 640688 974ffde76095f1fa184cf1eced7b7dae Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Debian (stable) - - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc Size/MD5 checksum: 1375 39a3debdf4c4cf3e313c75e5688209ca http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz Size/MD5 checksum: 46891 a2715b1768546ea2d7a3c8a518aa8188 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz Size/MD5 checksum: 1711087 200ece6f73ac28ccda7aea42ea4e492d Architecture independent packages: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb Size/MD5 checksum: 63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb Size/MD5 checksum: 680224 1a2ddefc8a90da5e2d31291f1101442c amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb Size/MD5 checksum: 668616 65015cc17b556da2e44ef1496171e9fd arm architecture (ARM) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb Size/MD5 checksum: 663090 4b4fccf839ee8b6f1f94a997ac911179 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb Size/MD5 checksum: 662018 837c3029b01e180f2447ff0f19555dc5 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb Size/MD5 checksum: 673570 7dbce7d81c38e4fa9562626610b09f65 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb Size/MD5 checksum: 657844 a9e357f91278e9108018725c96eeb8ae ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb Size/MD5 checksum: 719116 4b2f362a01870c0770f010bcc5012aad mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb Size/MD5 checksum: 664870 2abf34330924241ce890b703709c5895 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb Size/MD5 checksum: 663906 88af289787ec5fd46c83f28a0de65849 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb Size/MD5 checksum: 669542 7c9a426df9ef71c0420ccb030e5d422b s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb Size/MD5 checksum: 666976 6aa0fd370bd06f3c39d9230c82cde208 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb Size/MD5 checksum: 658912 699f23466f0003f7f38f02111d5a3363 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkp8SOQACgkQHYflSXNkfP+eXQCcDixwhyFyyKjaS34HJEe9g71L XKoAn3eTMd0qbvNi/4AVoGIBIjTDALlh =O0zh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFKf3aFNVH5XJJInbgRAl9nAJ0d48U72friU3kK2wmukBNsEu16tACfcORl FETPcuO4u0SqAWuFQB/TeR0= =darA -----END PGP SIGNATURE-----