drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Zwei Probleme in Fetchmail
Name: |
Zwei Probleme in Fetchmail |
|
ID: |
MDVSA-2013:037 |
|
Distribution: |
Mandriva |
|
Plattformen: |
Mandriva Business Server 1.0 |
|
Datum: |
Fr, 5. April 2013, 15:36 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt |
|
Applikationen: |
Fetchmail |
|
Originalnachricht |
This is a multi-part message in MIME format...
------------=_1365168434-2161-234
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:037 http://www.mandriva.com/en/support/security/ _______________________________________________________________________
Package : fetchmail Date : April 5, 2013 Affected: Business Server 1.0 _______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in fetchmail: Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case (aka a BEAST attack) (CVE-2011-3389). A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of NTLM protocol exchange, or server-side error message and session abort. A rogue NTML server could use this flaw to cause fetchmail executable crash (CVE-2012-3482). This advisory provides the latest version of fetchmail (6.3.22) which is not vulnerable to these issues. _______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482 http://www.fetchmail.info/fetchmail-SA-2012-01.txt http://www.fetchmail.info/fetchmail-SA-2012-02.txt _______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64: c30dacec397667ad6058f3800f3aca2c mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm bed6bf2974ebcb9ac9c8f5e2c2ee310b mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm 1750ed3c0d237c7ac4fcf6b98a7b1b21 mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm dbd678a792ee058801ec35c7f99096a4 mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm _______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com _______________________________________________________________________
Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRXqbdmqjQ0CJFipgRAogSAJ9P6bArt4G6h+nJ1sHhiZU+ek34IACeNNI7 lBFyD6n3zwBDXPHiHKCUh0Q= =4YuR -----END PGP SIGNATURE-----
------------=_1365168434-2161-234 Content-Type: text/plain; charset="UTF-8"; name="message-footer.txt" Content-Disposition: inline; filename="message-footer.txt" Content-Transfer-Encoding: 8bit
To unsubscribe, send a email to sympa@mandrivalinux.org with this subject : unsubscribe security-announce _______________________________________________________ Want to buy your Pack or Services from Mandriva? Go to http://store.mandriva.com _______________________________________________________
------------=_1365168434-2161-234--
|
|
|
|