
Mageia alert MGASA-2012-0259 (fetchmail)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0259: fetchmail-6.3.22-1.mga (1, 2/core)
Date:  Fri, 7 Sep 2012 20:30:29 +0200
Message-ID:  <20120907183029.GA31241@valstar.mageia.org>

MGASA-2012-0259

Date: September 7th, 2012
Affected releases: 1, 2

Description:

Updated fetchmail packages fix security vulnerabilities:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL), which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case (aka a BEAST attack) (CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of the NTLM protocol exchange, or a server-side error message and session abort. A rogue NTLM server could use this flaw to cause the fetchmail executable to crash (CVE-2012-3482).

Updated Packages:

Mageia 1:
fetchmail-6.3.22-1.mga1
fetchmailconf-6.3.22-1.mga1
fetchmail-daemon-6.3.22-1.mga1

Mageia 2:
fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_i...
http://www.mandriva.com/en/support/security/advisories/?d...
https://bugs.mageia.org/show_bug.cgi?id=7280
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
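The second flaw above (CVE-2012-3482) comes down to decoding whatever the server sends back as if it were an NTLM token. The following is an added illustration, not fetchmail's code or its fix: a client-side check that only hands a reply to the NTLM decoder when it is a "+ " SASL continuation line whose base64 payload decodes, within bounds, to a message starting with the "NTLMSSP\0" signature and message type 2 (the challenge). The sample server replies and the all-zero challenge body are constructed for the example; the function and type names are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Classification of the line a mail server sends back after the client's
 * NTLM AUTHENTICATE request. Only a "+ " continuation carrying a valid
 * Type 2 (challenge) token may be handed to the NTLM decoder. */
typedef enum {
    NTLM_REPLY_CHALLENGE,    /* valid Type 2 challenge: continue the exchange */
    NTLM_REPLY_SERVER_ERROR, /* "-ERR ..." / "tag NO ..." etc.: server aborted */
    NTLM_REPLY_MALFORMED     /* continuation line, but not a usable challenge */
} ntlm_reply_kind;

/* Constructed sample: "NTLMSSP\0", little-endian type 2, remaining fields zero
 * (a real challenge carries flags, an 8-byte server nonce and target info). */
static const char SAMPLE_CHALLENGE[] =
    "+ TlRMTVNTUAAC"
    "AAAA" "AAAA" "AAAA" "AAAA" "AAAA"
    "AAAA" "AAAA" "AAAA" "AAAA" "AAAA"
    "AAA=";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Bounds-checked base64 decoder. Returns the decoded length, or -1 when the
 * input contains non-base64 characters, data after '=' padding, more than two
 * padding characters, or more data than fits in out[]. */
static int b64decode(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0, pad = 0;

    for (; *in != '\0' && *in != '\r' && *in != '\n'; in++) {
        if (*in == '=') { pad++; continue; }
        if (pad) return -1;                 /* data after padding */
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;               /* e.g. the text of an error line */
        acc = ((acc << 6) | (unsigned int)v) & 0xFFFFFFu;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;     /* never write past the buffer */
            out[n++] = (unsigned char)((acc >> bits) & 0xFFu);
        }
    }
    return pad > 2 ? -1 : (int)n;
}

ntlm_reply_kind classify_ntlm_reply(const char *line)
{
    unsigned char msg[1024];
    int n;
    uint32_t type;

    /* Not a continuation: the server is reporting an error or aborting the
     * SASL exchange, so the payload is text, not an NTLM token. */
    if (strncmp(line, "+ ", 2) != 0)
        return NTLM_REPLY_SERVER_ERROR;

    n = b64decode(line + 2, msg, sizeof msg);
    if (n < 32)                         /* Type 2 fixed header is 32 bytes */
        return NTLM_REPLY_MALFORMED;
    if (memcmp(msg, "NTLMSSP", 8) != 0) /* 8 bytes including the NUL */
        return NTLM_REPLY_MALFORMED;
    type = (uint32_t)msg[8] | ((uint32_t)msg[9] << 8) |
           ((uint32_t)msg[10] << 16) | ((uint32_t)msg[11] << 24);
    if (type != 2)
        return NTLM_REPLY_MALFORMED;
    return NTLM_REPLY_CHALLENGE;
}

int main(void)
{
    /* Constructed server replies, as a POP3 or IMAP server might send them. */
    const char *replies[] = {
        SAMPLE_CHALLENGE,
        "-ERR Authentication failed",
        "A0002 NO [AUTHENTICATIONFAILED] NTLM not enabled",
        "+ this is not base64!",
        "+ TlRM",
    };
    static const char *names[] = { "challenge", "server-error", "malformed" };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("%-12s %s\n", names[classify_ntlm_reply(replies[i])], replies[i]);
    return 0;
}
```

The point of the check is that the decoder is only reached for input that has already been shown to be a continuation line, and that the decoder itself refuses non-alphabet characters and output longer than its buffer, so an error or abort message from the server is reported as such instead of being parsed as a challenge.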



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds