MGASA-2012-0259
| Date: | September 7th, 2012 |
| Affected releases: | 1, 2 |
Description:
Updated fetchmail packages fix security vulnerabilities:
Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).
A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).
Updated Packages:
Mageia 1:
fetchmail-6.3.22-1.mga1
fetchmailconf-6.3.22-1.mga1
fetchmail-daemon-6.3.22-1.mga1
Mageia 2:
fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
https://bugs.mageia.org/show_bug.cgi?id=7280
