Source: FreeBSD
ID: 18CE9A90-F269-11E1-BE53-080027EF73EC
Date: Jan 19, 2012 - 12:00 a.m.

fetchmail -- chosen plaintext attack against SSL CBC initialization vectors

2012-01-19 00:00:00
vuxml.freebsd.org

CVSS2 score: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.009
Percentile: 82.3%

Matthias Andree reports:

Fetchmail version 6.3.9 enabled “all SSL workarounds” (SSL_OP_ALL)
which contains a switch to disable a countermeasure against certain
attacks against block ciphers that permit guessing the
initialization vectors, providing that an attacker can make the
application (fetchmail) encrypt some data for him – which is not
easily the case.
Stream ciphers (such as RC4) are unaffected.
Credits to Apple Product Security for reporting this.

| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | fetchmail | = 6.3.9 | UNKNOWN |
| FreeBSD | any | noarch | fetchmail | < 6.3.22 | UNKNOWN |
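
The report above says SSL_OP_ALL carries a switch that disables a CBC countermeasure; in OpenSSL that switch is SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. The following is an added example, not part of the advisory or of fetchmail's source: a small audit that flags OpenSSL option calls in C code that leave the switch on. The function name `audit` and the C snippet in `SAMPLE` are constructed for illustration.

```python
import re

# OpenSSL option bit included in SSL_OP_ALL; when set, the empty-fragment
# countermeasure against predictable CBC IVs is turned off.
FLAG = "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"

# Matches SSL_CTX_set_options / SSL_set_options and the *_clear_options forms,
# capturing the action, the handle (first argument) and the option mask.
CALL = re.compile(
    r"\bSSL(?:_CTX)?_(set|clear)_options\s*\(\s*([^,()]+?)\s*,(.*?)\)\s*;", re.S)
# Mask expressions that strip the flag, e.g. "SSL_OP_ALL & ~SSL_OP_DONT_...".
MASKED = re.compile(r"~\s*\(?\s*" + FLAG + r"\b")


def audit(source):
    """Return [(line, handle)] for handles left with the countermeasure off.

    Only literal masks are understood; masks passed through variables are
    not resolved (assumption of this sketch).
    """
    at_risk = {}
    for m in CALL.finditer(source):
        action, handle, mask = m.groups()
        line = source.count("\n", 0, m.start()) + 1
        if action == "clear":
            if FLAG in mask:
                at_risk.pop(handle, None)   # bit explicitly cleared afterwards
        elif MASKED.search(mask):
            continue  # set_options only ORs bits in, so this call adds no risk
        elif re.search(r"\bSSL_OP_ALL\b", mask) or FLAG in mask:
            at_risk.setdefault(handle, line)
    return sorted((line, handle) for handle, line in at_risk.items())


# Constructed sample input: three contexts configured three different ways.
SAMPLE = """\
SSL_CTX *a = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(a, SSL_OP_ALL);
SSL_CTX *b = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(b, (SSL_OP_ALL | SSL_OP_NO_SSLv2)
                        & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
SSL_CTX *c = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(c, SSL_OP_ALL);
SSL_CTX_clear_options(c, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
"""

if __name__ == "__main__":
    for line, handle in audit(SAMPLE):
        print(f"line {line}: {handle} has {FLAG} set via SSL_OP_ALL")
```

Only context `a` is reported: `b` masks the flag out of SSL_OP_ALL and `c` clears it after the fact.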