From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------- Debian Security Advisory DSA-1852-1
[email protected] http://www.debian.org/security/ Nico Golde August 7th, 2009
http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : fetchmail
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2666
It was discovered that fetchmail, a full-featured remote mail retrieval
and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference.
This allows an attacker to perform undetected man-in-the-middle attacks
via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields.
Note, as a fetchmail user you should always use strict certificate
validation through either these option combinations:
sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports)
or
sslcertck sslproto tls1 (for STARTTLS-based services)
For the oldstable distribution (etch), this problem has been fixed in
version 6.3.6-1etch2.
For the stable distribution (lenny), this problem has been fixed in
version 6.3.9~rc2-4+lenny1.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 6.3.9~rc2-6.
We recommend that you upgrade your fetchmail packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc
Size/MD5 checksum: 882 5d96480a102ad30f66dbac6bcbae1037
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
Size/MD5 checksum: 1680200 04175459cdf32fdb10d9e8fc46b633c3
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz
Size/MD5 checksum: 45665 a51b0544434e51577863032336812bd6
Architecture independent packages:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb
Size/MD5 checksum: 61444 f65648771182f763268cbc7fd643da8b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb
Size/MD5 checksum: 666592 289c6c238d70e71771d5c0c87b764a87
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb
Size/MD5 checksum: 649604 8d2e4ff30c29e9e67831ec9aab5a567e
arm architecture (ARM)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb
Size/MD5 checksum: 645170 928f041ad7b0311ac0188e4e6ca6256f
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb
Size/MD5 checksum: 658340 511591dee94637fe440c6a737a3fd880
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb
Size/MD5 checksum: 642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb
Size/MD5 checksum: 700924 6d7f77eca56a191e0fab3bdf8fa98c37
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb
Size/MD5 checksum: 647274 771f97aa2d2029135185afcbf05b605c
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb
Size/MD5 checksum: 647026 f2ac2a5ce6f648b7d88948530456d02d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb
Size/MD5 checksum: 640688 974ffde76095f1fa184cf1eced7b7dae
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc
Size/MD5 checksum: 1375 39a3debdf4c4cf3e313c75e5688209ca
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz
Size/MD5 checksum: 46891 a2715b1768546ea2d7a3c8a518aa8188
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
Size/MD5 checksum: 1711087 200ece6f73ac28ccda7aea42ea4e492d
Architecture independent packages:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb
Size/MD5 checksum: 63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb
Size/MD5 checksum: 680224 1a2ddefc8a90da5e2d31291f1101442c
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb
Size/MD5 checksum: 668616 65015cc17b556da2e44ef1496171e9fd
arm architecture (ARM)
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)