GLSA 200701-13: Fetchmail: Denial of Service and password disclosure
Severity: | normal |
Title: | Fetchmail: Denial of Service and password disclosure |
Date: | 01/22/2007 |
Bugs: |
|
ID: | 200701-13 |
Synopsis
Fetchmail has been found to have numerous vulnerabilities allowing for Denial of Service and password disclosure.Background
Fetchmail is a remote mail retrieval and forwarding utility.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
net-mail/fetchmail | < 6.3.6 | >= 6.3.6 | All supported architectures |
Description
Neil Hoggarth has discovered that when delivering messages to a message delivery agent by means of the "mda" option, Fetchmail passes a NULL pointer to the ferror() and fflush() functions when refusing a message. Isaac Wilcox has discovered numerous means of plain-text password disclosure due to errors in secure connection establishment.
Impact
An attacker could deliver a message via Fetchmail to a message delivery agent configured to refuse the message, and crash the Fetchmail process. SMTP and LMTP delivery modes are not affected by this vulnerability. An attacker could also perform a Man-in-the-Middle attack, and obtain plain-text authentication credentials of users connecting to a Fetchmail process.
Workaround
There is no known workaround at this time.
Resolution
All fetchmail users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.6"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.