Executive Summary
| Summary | |
|---|---|
| Title | fetchmailconf vulnerability |
| Informations | |||
|---|---|---|---|
| Name | USN-215-1 | First vendor Publication | 2005-11-07 |
| Vendor | Ubuntu | Last vendor Modification | 2005-11-07 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 2.1 | Attack Range | Local |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: fetchmailconf The problem can be corrected by upgrading the affected package to version 6.2.5-8ubuntu2.2 (for Ubuntu 4.10), 6.2.5-12ubuntu1.2 (for Ubuntu 5.04), or 6.2.5-13ubuntu3.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user manually tightened his umask setting), which could expose email passwords to local users. |
Original Source
| Url : http://www.ubuntu.com/usn/USN-215-1 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200511-06 (fetchmail) File : nvt/glsa_200511_06.nasl |
| 2008-09-04 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail3.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-1 (fetchmail) File : nvt/deb_900_1.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-2 (fetchmail) File : nvt/deb_900_2.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 900-3 (fetchmail) File : nvt/deb_900_3.nasl |
| 0000-00-00 | Name : Slackware Advisory SSA:2006-045-01 fetchmail File : nvt/esoft_slk_ssa_2006_045_01.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 20267 | Fetchmail fetchmailconf Race Condition Password Disclosure Fetchmail contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text passwords when the fetchmailconf utility is used to create a configuration. The utility writes the configuration file before restricting access to other users, which may lead to a loss of confidentiality. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-900.nasl - Type : ACT_GATHER_INFO |
| 2006-08-01 | Name : The remote operating system is missing a vendor-supplied patch. File : macosx_SecUpd2006-004.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_baf74e0b497a11daa4f40060084a00e5.nasl - Type : ACT_GATHER_INFO |
| 2006-02-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2006-045-01.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-209.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-215-1.nasl - Type : ACT_GATHER_INFO |
| 2005-11-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200511-06.nasl - Type : ACT_GATHER_INFO |
| 2005-10-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-823.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:03:07 |
|
