Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1852-1 fetchmail -- insufficient input validation

Related Vulnerabilities: CVE-2009-2666  

It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services) For the oldstable distribution (etch), this problem has been fixed in version 6.3.6-1etch2. For the stable distribution (lenny), this problem has been fixed in version 6.3.9~rc2-4+lenny1. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 6.3.9~rc2-6. We recommend that you upgrade your fetchmail packages.

Source

Debian Security Advisory

DSA-1852-1 fetchmail -- insufficient input validation

Date Reported:
07 Aug 2009
Affected Packages:
fetchmail
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-2666.
More information:

It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields.

Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services)

For the oldstable distribution (etch), this problem has been fixed in version 6.3.6-1etch4.

For the stable distribution (lenny), this problem has been fixed in version 6.3.9~rc2-4+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 6.3.9~rc2-6.

We recommend that you upgrade your fetchmail packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4.dsc
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4.diff.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_ia64.deb
PowerPC:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch4_sparc.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started