
| Subject: | [Full-disclosure] [USN-153-1] fetchmail vulnerability |
|---|---|
| Date: | Tue, 26 Jul 2005 12:38:32 +0200 |
===========================================================
Ubuntu Security Notice USN-153-1 July 26, 2005
fetchmail vulnerability
CAN-2005-2335
===========================================================
A security issue affects the following Ubuntu releases:

  Ubuntu 4.10 (Warty Warthog)
  Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

  fetchmail

The problem can be corrected by upgrading the affected package to
version 6.2.5-8ubuntu2.1 (for Ubuntu 4.10), or 6.2.5-12ubuntu1.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Ross Boylan discovered a remote buffer overflow in fetchmail. By
sending invalid responses with very long UIDs, a faulty or malicious
POP server could crash fetchmail or execute arbitrary code with the
privileges of the user invoking fetchmail.

fetchmail is commonly run as root to fetch mail for multiple user
accounts; in this case, this vulnerability could be exploited to
compromise the whole system.

Updated packages for Ubuntu 4.10 (Warty Warthog):
Updated packages for Ubuntu 5.04 (Hoary Hedgehog):
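
The overflow described under "Details follow" comes from a client trusting the length of a UID supplied by the POP server. The following is an added example, not fetchmail's or Ubuntu's code: a parser for one line of a UIDL listing that enforces the 70-character unique-id limit of RFC 1939 before copying anything. The names `parse_uidl_line` and `struct uid_entry` and the sample lines are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1939: a unique-id is 1 to 70 characters in the range 0x21 to 0x7E. */
#define UID_MAX 70

struct uid_entry { unsigned long msgno; char uid[UID_MAX + 1]; };

/* Parse one line of a UIDL listing ("<msgno> <unique-id>", hypothetical helper).
 * Returns 0 on success, -1 if the line is malformed or the unique-id is too
 * long. Server data is measured before it is copied, never the reverse. */
int parse_uidl_line(const char *line, struct uid_entry *out)
{
    char *end;
    size_t len = 0;

    if (line[0] < '0' || line[0] > '9')
        return -1;                      /* strtoul would accept sign or space */
    errno = 0;
    out->msgno = strtoul(line, &end, 10);
    if (errno != 0 || out->msgno == 0 || *end != ' ')
        return -1;
    end++;                              /* skip the single separator space */

    /* Measure the id: printable non-space ASCII only, at most UID_MAX bytes. */
    while (end[len] >= 0x21 && end[len] <= 0x7E)
        if (++len > UID_MAX)
            return -1;                  /* overlong: reject, do not truncate */
    /* Only CRLF, LF or end of string may follow the id. */
    if (len == 0 || (end[len] != '\0' && strcmp(end + len, "\r\n") != 0
                                      && strcmp(end + len, "\n") != 0))
        return -1;

    memcpy(out->uid, end, len);         /* len <= UID_MAX, so this fits */
    out->uid[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = { "1 msg0001AbCdEf\r\n", "2 \r\n", "x 1\r\n" };
    struct uid_entry e;
    for (size_t i = 0; i < 3; i++)
        printf("line %zu: %s\n", i, parse_uidl_line(samples[i], &e) == 0 ? e.uid : "(rejected)");
    return 0;
}
```

Rejecting an overlong UID instead of truncating it keeps two distinct server UIDs from collapsing into the same stored value.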