[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Caldera] Denial-of-Service Schwachstelle in Fetchmail - CSSA-2004-004.0
-----BEGIN PGP SIGNED MESSAGE-----
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgende Warnung der SCO Group ueber
Sicherheitsprobleme bei Fetchmail. Wir geben diese Informationen
unveraendert an Sie weiter.
CAN-2003-0792
Ein Angreifer kann fetchmail zum Absturz bringen, indem er auf dem
SMTP Server eine entsprechend formulierte E-mail bereitstellt, die
von fetchmail abgeholt wird.
Betroffen ist SCO OpenLinux 3.1.1 mit Fetchmail vor Version 6.2.5-1.
Der Hersteller stellt Updates zur Behebung der Schwachstelle bereit.
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken gestattet.
Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: Fetchmail 6.2.4 and earlier remote dennial of service
Advisory number: CSSA-2004-004.0
Issue date: 2004 February 19
Cross reference: sr886097 fz528427 erg712468 CAN-2003-0792
______________________________________________________________________________
1. Problem Description
Fetchmail 6.2.4 and earlier does not properly allocate memory for
long lines, which allows remote attackers to cause a denial of
service (crash) via a certain email.
Fetchmail is a full-featured, robust, well-documented remote-mail
retrieval and forwarding utility intended to be used over on-
demand TCP/IP links (such as SLIP or PPP connections). It supports
every remote-mail protocol now in use on the Internet: POP2, POP3,
RPOP, APOP, KPOP, all flavors of IMAP, ETRN, and ODMR. It can even
support IPv6 and IPSEC.
Fetchmail retrieves mail from remote mail servers and forwards it
via SMTP, so it can then be read by normal mail user agents such as
mutt, elm(1) or BSD Mail. It allows all your system MTA's filtering,
forwarding, and aliasing facilities to work just as they would on
normal mail.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0792 to this issue.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to fetchmail-6.2.5-1.i386.rpm
prior to fetchmailconf-6.2.5-1.i386.rpm
OpenLinux 3.1.1 Workstation prior to fetchmail-6.2.5-1.i386.rpm
prior to fetchmailconf-6.2.5-1.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-004.0/RPMS
4.2 Packages
60ded90624478cf42bbafdb3530b1431 fetchmail-6.2.5-1.i386.rpm
b5812d5463a264a37dbeac6a3f3084f0 fetchmailconf-6.2.5-1.i386.rpm
4.3 Installation
rpm -Fvh fetchmail-6.2.5-1.i386.rpm
rpm -Fvh fetchmailconf-6.2.5-1.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-004.0/SRPMS
4.5 Source Packages
f7fea66f02c98436847aab205922a180 fetchmail-6.2.5-1.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-004.0/RPMS
5.2 Packages
195568e0570b8e0682d93b3d27a4d3de fetchmail-6.2.5-1.i386.rpm
7d81aed49392ce9df04ae4b421fd80e7 fetchmailconf-6.2.5-1.i386.rpm
5.3 Installation
rpm -Fvh fetchmail-6.2.5-1.i386.rpm
rpm -Fvh fetchmailconf-6.2.5-1.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-004.0/SRPMS
5.5 Source Packages
3035d06b88de3840707e2e180304ee53 fetchmail-6.2.5-1.src.rpm
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0792
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr886097 fz528427
erg712468.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank Dave Jones and Mark Cox at Red Hat.
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFANTycbluZssSXDTERAvRaAJ4m+WaovTwGUSZQgNYZBayCPJ/h0gCglk0s
lm/Co3aOVRP2TnFXpasf5Oc=
=odDf
- -----END PGP SIGNATURE-----
- --
Dipl. Inform. Klaus Moeller (CSIRT) DFN-CERT Services GmbH
https://www.dfn-cert.de/ +49-40-808077-555
PGP RSA/2048, 0BB7C8F9, 6D CC 59 0F 86 0C 58 4D 35 D7 0C 55 EF 4F 42 23
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
iQEVAwUBQDX7k4rEggYLt8j5AQGfIggAgJFKff1ObngKYDz6aNXD8rsvEhRct11T
u4dYYgoUs/HFq9q1D7rpnhLuK6xdJEmKxOqr+c++gir2xNMplceJWx/0dCunqru9
DFozgBF43FeGJ3xBN6XQOXp23//45laKhBnkH+1DcmO8FcFtbX8F0ALYHDthpRra
GrQH+XtLGoEWFCWDw98fz/rsVQapv2/oZ6DU2qLg+G+byYXvPdqwDyqlSlU9OU41
nwKKMRp4OAYb+eelTbSYdv4ysBZEc1UvmKz/fIX2YUT96rss0JKoymRACmlkuTve
JWOsIO/mpvRckiNEiLrg+SWlHUEqU+wX5Pq6HQijG5yQ+0MxTkVoPw==
=A+d/
-----END PGP SIGNATURE-----