Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DSA-900-2:849DF
HistoryNov 21, 2005 - 9:14 a.m.

[SECURITY] [DSA 900-2] New fetchmail packages fix potential information leak

2005-11-2109:14:03
lists.debian.org
8

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

JSON

Debian Security Advisory DSA 900-2 [email protected]
http://www.debian.org/security/ Martin Schulze
November 21st, 2005 http://www.debian.org/security/faq

Package : fetchmail
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE ID : CVE-2005-3088
Debian Bug : 336096

Due to restrictive dependency definition the updated fetchmailconf
package couldn't be installed on the old stable distribution (woody)
together with fetchmail-ssl. Hence, this update loosens it, so that
the update can be pulled in. For completeness we're including the
original advisory text:

Thomas Wolff discovered that the fetchmailconfig program which is
provided as part of fetchmail, an SSL enabled POP3, APOP, IMAP mail
gatherer/forwarder, creates the new configuration in an insecure
fashion that can lead to leaking passwords for mail accounts to
local users.

This update also fixes a regression in the package for stable caused
by the last security update.

For the old stable distribution (woody) this problem has been fixed in
version 5.9.11-6.4.

For the stable distribution (sarge) this problem has been fixed in
version 6.2.5-12sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 6.2.5.4-1.

We recommend that you upgrade your fetchmail package.

Upgrade Instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4.dsc
  Size/MD5 checksum:      712 e1a82c36c542d941d9ab5fddd72a084b
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4.diff.gz
  Size/MD5 checksum:   300946 003692d316f2ff494fe6486c33211490
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
  Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

Architecture independent components:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.4_all.deb
  Size/MD5 checksum:   165494 c81bd2391062a87978341feebd8c37b9
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.4_all.deb
  Size/MD5 checksum:    92860 e6839df03c88066d2512ec2aa15f4409

Alpha architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_alpha.deb
  Size/MD5 checksum:   307132 e726923c5c1fe0466d94fc850011abb8

ARM architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_arm.deb
  Size/MD5 checksum:   290738 d77ba92322089b6616153ec4c7174918

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_i386.deb
  Size/MD5 checksum:   286456 44493842e69d13461215ccf3f005ada2

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_ia64.deb
  Size/MD5 checksum:   329954 ded4883a2870ade58dcc1ca525a76fc9

HP Precision architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_hppa.deb
  Size/MD5 checksum:   299108 a149496bb4e367043440b54faa8f3420

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_m68k.deb
  Size/MD5 checksum:   281270 79d99ef204a11fc4855cd80c987deba8

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_mips.deb
  Size/MD5 checksum:   296536 5dbce03b1d4c4dafefd2a76865d038d0

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_mipsel.deb
  Size/MD5 checksum:   296000 db69187b67827063291609685c992245

PowerPC architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_powerpc.deb
  Size/MD5 checksum:   291488 8cecaef33456e36256a7498c8ce07556

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_s390.deb
  Size/MD5 checksum:   288956 3d5dd68aca0781fdaa64bc600960af46

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.4_sparc.deb
  Size/MD5 checksum:   293594 24741d48693824b9654fe54f28690fd4

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;

Related

nessus 8
cve 1
openvas 12
ubuntucve 1
debian 5
cvelist 1
freebsd 1
ubuntu 1
redhat 1
securityvulns 1
gentoo 1
centos 1
debiancve 1
slackware 1
nessus
nessus
GLSA-200511-06 : fetchmail: Password exposure in fetchmailconf
2005-11-07 00:00:00
Debian DSA-900-3 : fetchmail - programming error
2006-10-14 00:00:00
FreeBSD : fetchmail -- fetchmailconf local password exposure (baf74e0b-497a-11da-a4f4-0060084a00e5)
2006-05-13 00:00:00
cve
cve
CVE-2005-3088
2005-10-27 10:02:00
openvas
openvas
Debian: Security Advisory (DSA-900-3)
2008-01-17 00:00:00
Debian Security Advisory DSA 900-1 (fetchmail)
2008-01-17 00:00:00
Debian Security Advisory DSA 900-2 (fetchmail)
2008-01-17 00:00:00
ubuntucve
ubuntucve
CVE-2005-3088
2005-10-27 00:00:00
debian
debian
[SECURITY] [DSA 900-1] New fetchmail packages fix potential information leak
2005-11-18 00:00:00
[SECURITY] [DSA 900-3] New fetchmail-ssl packages fix potential information leak
2005-11-22 00:00:00
[SECURITY] [DSA 900-3] New fetchmail-ssl packages fix potential information leak
2005-11-22 14:11:55
cvelist
cvelist
CVE-2005-3088
2005-10-27 04:00:00
freebsd
freebsd
fetchmail -- fetchmailconf local password exposure
2005-10-21 00:00:00
ubuntu
ubuntu
fetchmailconf vulnerability
2005-11-08 00:00:00
redhat
redhat
(RHSA-2005:823) fetchmail security update
2005-10-26 00:00:00
securityvulns
securityvulns
fetchmail security announcement 2005-02 &#40;CVE-2005-3088&#41;
2005-10-28 00:00:00
gentoo
gentoo
fetchmail: Password exposure in fetchmailconf
2005-11-06 00:00:00
centos
centos
fetchmail, fetchmailconf security update
2005-10-28 03:32:26
debiancve
debiancve
CVE-2005-3088
2005-10-27 10:02:00
slackware
slackware
[slackware-security] fetchmail
2006-02-15 00:26:01

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

JSON
Related for DEBIAN:DSA-900-2:849DF
nessus8cve1openvas12ubuntucve1debian5cvelist1freebsd1ubuntu1redhat1securityvulns1gentoo1centos1debiancve1slackware1