-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2310
                         getmail4 security update
                              8 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           getmail4
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7275 CVE-2014-7274 CVE-2014-7273

Original Bulletin:
   http://www.debian.org/security/2014/dsa-3091

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running getmail4 check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3091-1                   security@debian.org
http://www.debian.org/security/                          Giuseppe Iuculano
December 07, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : getmail4
CVE ID         : CVE-2014-7273 CVE-2014-7274 CVE-2014-7275
Debian Bug     : 766670

Several vulnerabilities have been discovered in getmail4, a mail retriever
with support for POP3, IMAP4 and SDPS, that could allow man-in-the-middle
attacks.

CVE-2014-7273

    The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does
    not verify X.509 certificates from SSL servers, which allows
    man-in-the-middle attackers to spoof IMAP servers and obtain sensitive
    information via a crafted certificate.

CVE-2014-7274

    The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that
    the server hostname matches a domain name in the subject's Common Name
    (CN) field of the X.509 certificate, which allows man-in-the-middle
    attackers to spoof IMAP servers and obtain sensitive information via a
    crafted certificate from a recognized Certification Authority.

CVE-2014-7275

    The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does
    not verify X.509 certificates from SSL servers, which allows
    man-in-the-middle attackers to spoof POP3 servers and obtain sensitive
    information via a crafted certificate.

For the stable distribution (wheezy), these problems have been fixed in
version 4.46.0-1~deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 4.46.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.46.0-1.

We recommend that you upgrade your getmail4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUhHzhAAoJEI9hzo2UfbETr1QP/isuRRWrrQPc2NiG7uLMDHwZ
7BRv//sLKpydFHLBrv6HSNo+o/6ijI8XI8JSaq4li9zZsXp6a0uiGOkm5zRXGAaA
kdFgGTeLYXhdECFeVu2ITobKWc1gx0Eq0prsf1nFfOWnNsOqfeq6xzj0zlHszWsZ
TN3eanmN47zVJ5cdEjlMick3LyGzkFFju+s5/Rlck8UkplBXM0+gpFbyaTJzpFuc
iFHPHSmPGADeLKre4DuZXSVsvDvfFJWYyGpVB7APmwMqDao6usYzE+ML98Z6aoj8
YeawH67YypWyeccLvi1bZvb+9hr8iaReqRpFSADVVo/m7RcPrmAnxSgLQHItS8AT
E7BwM4KCXbRyj7pTZfBN4YTwhCqoXKZCojERg+9PuM068tJe+GzcNFfvl0Ygli7Y
m6u7DxgeMs9YEfwqbZzIbtqK0w4uVdt/kGpYw8KG/FeZrYjXu602wWrUfVQd5mDH
XB0Kt56sH7KTUcjdQB2QNjNY4NjIR3k4CWUQOZ/2xSKZUWiYLqTfNO1uSkLhLWv/
VulZZU/iIdlz2X1MRGZ8ohH271No4Q9Bz+/6H6qIXJpyVax3LDewLRg5aWliemyo
jU69x4uwZIarB+LhuRVnAONAnRybQQGJH1bXlDyeQP9++QvP9V0MEYoONujLPMUE
CPMvXGkJd5PSFn/iVQrc
=OzmR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVITzGRLndAQH1ShLAQJUSg/8C5Ym0otD+CYoIZ96gIilsx0GiJqH/nKB
8FEp78AHgkaEne6/kEsvLsWt81cYC7JvrxE2kdagHu0NxuNt5J+cHunNd3Nx5kB8
qOOb9VYCoZx9wn8ebn1rgNp9vsVoX7AzWSu7C5qmUV9IutshksdBcWVGfkLO4D8i
F38FLrOIV+VQReg01p6A8GrdCp9iIKxtOWcC5JGe26TL0AKvXeJ8vxFzCck1C4Xo
Z4HbxgOCc33wipk+H+zZqgNhDg7HYoJANTqeOGQ5UhTwTv2oKJoNrk279aEwMdyf
V30L12Ki8Woz7lOTYKE1/bwydqs+beaqXJnf4jNNSa3vkijoJWVqbhDjidl9IRnl
fPU8/tJ9bekiIOzz/Pig5KpqHrKD194TkEVe9QvbBJGQ5DCokmYTzkR7ZgQ21Gb6
b7X9pphkP7zJWY5X2B+c6qdOAstVRCqIJbcnokztut5hOx2pK/GhT1991Td9G8mT
7o4V/QaxgbL/w640Qg6rPHqvtaM5L9lDJ1YkQmDnfLGtFHbbBs/UnbYBhPZuyLnI
D9iesiStjyoZc7c0Nb4Bb6vtRSvMwYMi0/QePJx5HdfCNUYar3L4nP3CQQloKJ85
73q4iDzoNlOlusN8o3o4tHrjzt1HApvBtOgtc7IvQk3Q3HMuQkXZkPnBTzWfEvv8
LWRSgpxNE1c=
=XEh/
-----END PGP SIGNATURE-----
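Editor's added example (not part of the AusCERT bulletin, the Debian advisory, or getmail's own code): the three CVEs above describe two distinct failures of a TLS client, shown here with Python's ssl, imaplib and poplib modules since getmail is a Python program. CVE-2014-7273 and CVE-2014-7275 are the "no verification at all" case, where the handshake completes against any certificate; CVE-2014-7274 is the subtler case where the chain is validated but the name in the certificate is never compared with the host that was dialled, so any certificate from a recognised CA passes. The context builders below contrast the two behaviours, and the hand-written matcher makes the CN/SAN comparison explicit over certificate dicts in the shape returned by SSLSocket.getpeercert(). The certificate dicts, host names and helper names are constructed for illustration.

```python
"""Added example for DSA-3091 (getmail4): peer authentication in a TLS mail client.

Not getmail's code. Certificates and host names below are constructed samples.
"""
import imaplib
import poplib
import ssl


def unverified_context():
    """Equivalent to getmail < 4.46 for POP3/IMAP over SSL (CVE-2014-7273/-7275).

    The handshake succeeds against ANY certificate, so an on-path attacker can
    present a self-signed one, terminate TLS, and read the login and mailbox.
    getpeercert() on such a connection returns {}, so there is also nothing a
    later hostname check could inspect.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """The fixed behaviour: chain validated to a trusted CA AND the certificate
    name compared with the host we dialled. The second half is what 4.44.0
    lacked (CVE-2014-7274), where any CA-issued certificate was accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def authenticates_peer(ctx):
    """True only when a context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _dns_name_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard only as the
    whole left-most label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # "*.com" and multi-label wildcard matches are rejected
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Explicit form of the check the ssl module performs when check_hostname
    is True (shown only to make the CN/SAN logic visible; in production let
    the ssl module do it). `cert` is a dict shaped like getpeercert():
    subjectAltName DNS entries win; the subject CN is a fallback only when no
    SAN is present. An unverified peer yields {} and therefore never matches."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_match(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def open_imap(host, port=993, cafile=None):
    """IMAP over TLS with full peer authentication (hypothetical wrapper)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=verifying_context(cafile))


def open_pop3(host, port=995, cafile=None):
    """POP3 over TLS with full peer authentication (hypothetical wrapper)."""
    return poplib.POP3_SSL(host, port, context=verifying_context(cafile))


# Constructed sample certificates in getpeercert() dict form.
# SAN_CERT: a CA-issued certificate for mail.example.com / *.example.org whose
# CN names a different host; the CN must be ignored because SANs are present.
SAN_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.org")),
}
# CN_ONLY_CERT: an older certificate carrying only a CN. Valid from a trusted
# CA, but for a different host than the one being dialled it must be rejected;
# accepting it is exactly the CVE-2014-7274 failure.
CN_ONLY_CERT = {
    "subject": ((("countryName", "AU"),), (("commonName", "pop.example.com"),)),
}
```

A check worth keeping in mind when reviewing any TLS client, not only getmail: both halves have to be present. CERT_REQUIRED without a hostname comparison stops the self-signed attacker but not one holding any legitimately issued certificate, which is why the 4.44.0 fix was still incomplete; and calling getpeercert() after a CERT_NONE handshake returns an empty dict, so a hostname check bolted on afterwards is silently vacuous.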