Executive Summary
| Summary | |
|---|---|
| Title | fetchmail security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2005:823 | First vendor Publication | 2005-10-26 |
| Vendor | RedHat | Last vendor Modification | 2005-10-26 |
| Severity (Vendor) | Low | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 2.1 | Attack Range | Local |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: Updated fetchmail packages that fix insecure configuration file creation is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 3. Problem description: Fetchmail is a remote mail retrieval and forwarding utility. A bug was found in the way the fetchmailconf utility program writes configuration files. The default behavior of fetchmailconf is to write a configuration file which may be world readable for a short period of time. This configuration file could provide passwords to a local malicious attacker within the short window before fetchmailconf sets secure permissions. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3088 to this issue. Users of fetchmail are advised to upgrade to these updated packages, which contain a backported patch which resolves this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 171474 - CVE-2005-3088 fetchmailconf insecure configuration file |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2005-823.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200511-06 (fetchmail) File : nvt/glsa_200511_06.nasl |
| 2008-09-04 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail3.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-1 (fetchmail) File : nvt/deb_900_1.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-2 (fetchmail) File : nvt/deb_900_2.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-3 (fetchmail) File : nvt/deb_900_3.nasl |
| 0000-00-00 | Name : Slackware Advisory SSA:2006-045-01 fetchmail File : nvt/esoft_slk_ssa_2006_045_01.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 20267 | Fetchmail fetchmailconf Race Condition Password Disclosure Fetchmail contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text passwords when the fetchmailconf utility is used to create a configuration. The utility writes the configuration file before restricting access to other users, which may lead to a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-900.nasl - Type : ACT_GATHER_INFO |
| 2006-08-01 | Name : The remote operating system is missing a vendor-supplied patch. File : macosx_SecUpd2006-004.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_baf74e0b497a11daa4f40060084a00e5.nasl - Type : ACT_GATHER_INFO |
| 2006-02-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2006-045-01.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-209.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-215-1.nasl - Type : ACT_GATHER_INFO |
| 2005-11-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200511-06.nasl - Type : ACT_GATHER_INFO |
| 2005-10-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-823.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:49:45 |
|
