Executive Summary
Summary | |
---|---|
Title | fetchmail security update |
Informations | |||
---|---|---|---|
Name | RHSA-2007:0018 | First vendor Publication | 2007-01-31 |
Vendor | RedHat | Last vendor Modification | 2007-01-31 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 7.8 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated fetchmail packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: Fetchmail is a remote mail retrieval and forwarding utility. A denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3. A flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). This update corrects this issue by enforcing TLS encryption when the "sslproto" configuration directive is set to "tls1". Users of Fetchmail should update to these packages, which contain backported patches to correct these issues. Note: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the "sslproto" directive is set to "tls1". If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 176266 - CVE-2005-4348 Fetchmail DOS by malicious server in multidrop mode 221981 - CVE-2006-5867 fetchmail not enforcing TLS for POP3 properly |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2007-0018.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-399 | Resource Management Errors |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10566 | |||
Oval ID: | oval:org.mitre.oval:def:10566 | ||
Title: | fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. | ||
Description: | fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2006-5867 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9659 | |||
Oval ID: | oval:org.mitre.oval:def:9659 | ||
Title: | fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. | ||
Description: | fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-4348 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-10 | Name : SLES9: Security update for fetchmail File : nvt/sles9p5012567.nasl |
2009-04-09 | Name : Mandriva Update for fetchmail MDKSA-2007:016 (fetchmail) File : nvt/gb_mandriva_MDKSA_2007_016.nasl |
2009-03-23 | Name : Ubuntu Update for fetchmail vulnerability USN-405-1 File : nvt/gb_ubuntu_USN_405_1.nasl |
2009-02-27 | Name : Fedora Update for fetchmail FEDORA-2007-041 File : nvt/gb_fedora_2007_041_fetchmail_fc5.nasl |
2009-02-27 | Name : Fedora Update for fetchmail FEDORA-2007-042 File : nvt/gb_fedora_2007_042_fetchmail_fc6.nasl |
2009-01-28 | Name : SuSE Update for XFree86-server,xorg-x11-server,xloader SUSE-SA:2007:008 File : nvt/gb_suse_2007_008.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200701-13 (fetchmail) File : nvt/glsa_200701_13.nasl |
2008-09-04 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail4.nasl |
2008-09-04 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail7.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1259-1 (fetchmail) File : nvt/deb_1259_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 939-1 (fetchmail) File : nvt/deb_939_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2006-045-01 fetchmail File : nvt/esoft_slk_ssa_2006_045_01.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2007-024-01 fetchmail File : nvt/esoft_slk_ssa_2007_024_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
31580 | Fetchmail TLS Enforcement Cleartext Credential Disclosure |
21906 | Fetchmail Multidrop Mode Headerless Message Remote DoS Fetchmail contains a flaw that may allow a remote denial of service. The issue is triggered when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers, and will result in a loss of availability for the application. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2007-0018.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_fetchmail-2608.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-405-1.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_fetchmail-2602.nasl - Type : ACT_GATHER_INFO |
2007-04-21 | Name : The remote host is missing a Mac OS X update that fixes a security issue. File : macosx_SecUpd2007-004.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2007-024-01.nasl - Type : ACT_GATHER_INFO |
2007-02-18 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-016.nasl - Type : ACT_GATHER_INFO |
2007-02-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1259.nasl - Type : ACT_GATHER_INFO |
2007-02-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0018.nasl - Type : ACT_GATHER_INFO |
2007-02-09 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2007-0018.nasl - Type : ACT_GATHER_INFO |
2007-01-26 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200701-13.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-042.nasl - Type : ACT_GATHER_INFO |
2007-01-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2007-041.nasl - Type : ACT_GATHER_INFO |
2007-01-08 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_5238ac459d8c11db858b0060084a00e5.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-939.nasl - Type : ACT_GATHER_INFO |
2006-08-01 | Name : The remote operating system is missing a vendor-supplied patch. File : macosx_SecUpd2006-004.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f7eb0b23709911daa15c0060084a00e5.nasl - Type : ACT_GATHER_INFO |
2006-02-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2006-045-01.nasl - Type : ACT_GATHER_INFO |
2006-01-21 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-233-1.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-236.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-09-14 01:03:46 |
|
2016-06-28 20:09:48 |
|
2016-04-26 18:04:36 |
|
2014-02-17 11:50:22 |
|
2013-07-04 13:22:02 |
|