Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2021 Tenable Network Security, Inc.DEBIAN_DSA-900.NASL
HistoryOct 14, 2006 - 12:00 a.m.

Debian DSA-900-3 : fetchmail - programming error

2006-10-1400:00:00
This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.
www.tenable.com
13
JSON

Due to restrictive dependency definition for fetchmail-ssl the updated fetchmailconf package couldn’t be installed on the old stable distribution (woody) together with fetchmail-ssl. Hence, this update loosens it, so that the update can be pulled in. For completeness we’re including the original advisory text :

Thomas Wolff discovered that the fetchmailconf program which is provided as part of fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, creates the new configuration in an insecure fashion that can lead to leaking passwords for mail accounts to local users.

This update also fixes a regression in the package for stable caused by the last security update.

#%NASL_MIN_LEVEL 70300

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-900. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22766);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  script_cve_id("CVE-2005-3088");
  script_bugtraq_id(15179);
  script_xref(name:"DSA", value:"900");

  script_name(english:"Debian DSA-900-3 : fetchmail - programming error");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Due to restrictive dependency definition for fetchmail-ssl the updated
fetchmailconf package couldn't be installed on the old stable
distribution (woody) together with fetchmail-ssl.  Hence, this update
loosens it, so that the update can be pulled in.  For completeness
we're including the original advisory text :

  Thomas Wolff discovered that the fetchmailconf program which is
  provided as part of fetchmail, an SSL enabled POP3, APOP, IMAP mail
  gatherer/forwarder, creates the new configuration in an insecure
  fashion that can lead to leaking passwords for mail accounts to
  local users.

This update also fixes a regression in the package for stable caused
by the last security update."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=336096"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-900"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the fetchmail package.

For the old stable distribution (woody) this problem has been fixed in
version 5.9.11-6.4 of fetchmail and in version 5.9.11-6.3 of
fetchmail-ssl.

For the stable distribution (sarge) this problem has been fixed in
version 6.2.5-12sarge3."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:fetchmail");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.0", prefix:"fetchmail", reference:"5.9.11-6.4")) flag++;
if (deb_check(release:"3.0", prefix:"fetchmail-common", reference:"5.9.11-6.4")) flag++;
if (deb_check(release:"3.0", prefix:"fetchmail-ssl", reference:"5.9.11-6.3")) flag++;
if (deb_check(release:"3.0", prefix:"fetchmailconf", reference:"5.9.11-6.4")) flag++;
if (deb_check(release:"3.1", prefix:"fetchmail", reference:"6.2.5-12sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"fetchmail-ssl", reference:"6.2.5-12sarge3")) flag++;
if (deb_check(release:"3.1", prefix:"fetchmailconf", reference:"6.2.5-12sarge3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxfetchmailp-cpe:/a:debian:debian_linux:fetchmail
debiandebian_linux3.0cpe:/o:debian:debian_linux:3.0
debiandebian_linux3.1cpe:/o:debian:debian_linux:3.1

Related

nessus 7
ubuntucve 1
openvas 12
debian 6
cve 1
cvelist 1
freebsd 1
ubuntu 1
redhat 1
securityvulns 1
centos 1
debiancve 1
gentoo 1
slackware 1
nessus
nessus
FreeBSD : fetchmail -- fetchmailconf local password exposure (baf74e0b-497a-11da-a4f4-0060084a00e5)
2006-05-13 00:00:00
Ubuntu 4.10 / 5.04 / 5.10 : fetchmail vulnerability (USN-215-1)
2006-01-15 00:00:00
GLSA-200511-06 : fetchmail: Password exposure in fetchmailconf
2005-11-07 00:00:00
ubuntucve
ubuntucve
CVE-2005-3088
2005-10-27 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-900-3)
2008-01-17 00:00:00
Debian Security Advisory DSA 900-2 (fetchmail)
2008-01-17 00:00:00
Debian Security Advisory DSA 900-1 (fetchmail)
2008-01-17 00:00:00
debian
debian
[SECURITY] [DSA 900-2] New fetchmail packages fix potential information leak
2005-11-21 09:14:03
[SECURITY] [DSA 900-3] New fetchmail-ssl packages fix potential information leak
2005-11-22 14:11:55
[SECURITY] [DSA 900-1] New fetchmail packages fix potential information leak
2005-11-18 07:55:37
cve
cve
CVE-2005-3088
2005-10-27 10:02:00
cvelist
cvelist
CVE-2005-3088
2005-10-27 04:00:00
freebsd
freebsd
fetchmail -- fetchmailconf local password exposure
2005-10-21 00:00:00
ubuntu
ubuntu
fetchmailconf vulnerability
2005-11-08 00:00:00
redhat
redhat
(RHSA-2005:823) fetchmail security update
2005-10-26 00:00:00
securityvulns
securityvulns
fetchmail security announcement 2005-02 (CVE-2005-3088)
2005-10-28 00:00:00
centos
centos
fetchmail, fetchmailconf security update
2005-10-28 03:32:26
debiancve
debiancve
CVE-2005-3088
2005-10-27 10:02:00
gentoo
gentoo
fetchmail: Password exposure in fetchmailconf
2005-11-06 00:00:00
slackware
slackware
[slackware-security] fetchmail
2006-02-15 00:26:01
JSON
Related for DEBIAN_DSA-900.NASL
nessus7ubuntucve1openvas12debian6cve1cvelist1freebsd1ubuntu1redhat1securityvulns1centos1debiancve1gentoo1slackware1