Lucene search
Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.UBUNTU_USN-215-1.NASLHistoryJan 15, 2006 - 12:00 a.m.
Ubuntu 4.10 / 5.04 / 5.10 : fetchmail vulnerability (USN-215-1)
2006-01-1500:00:00
Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
www.tenable.com
12
Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user manually tightened his umask setting), which could expose email passwords to local users.
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-215-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(20633);
script_version("1.16");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_cve_id("CVE-2005-3088");
script_xref(name:"USN", value:"215-1");
script_name(english:"Ubuntu 4.10 / 5.04 / 5.10 : fetchmail vulnerability (USN-215-1)");
script_summary(english:"Checks dpkg output for updated packages.");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Ubuntu host is missing one or more security-related
patches."
);
script_set_attribute(
attribute:"description",
value:
"Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. The output configuration file was initially
created with insecure permissions, and secure permissions were applied
after writing the configuration into the file. During this time, the
file was world readable on a standard system (unless the user manually
tightened his umask setting), which could expose email passwords to
local users.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
script_set_attribute(
attribute:"solution",
value:
"Update the affected fetchmail, fetchmail-ssl and / or fetchmailconf
packages."
);
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fetchmail");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fetchmail-ssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:fetchmailconf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
script_set_attribute(attribute:"patch_publication_date", value:"2005/11/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/21");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
script_family(english:"Ubuntu Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04|5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04 / 5.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
flag = 0;
if (ubuntu_check(osver:"4.10", pkgname:"fetchmail", pkgver:"6.2.5-8ubuntu2.2")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"fetchmailconf", pkgver:"6.2.5-8ubuntu2.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"fetchmail", pkgver:"6.2.5-12ubuntu1.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"fetchmail-ssl", pkgver:"6.2.5-12ubuntu1.2")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"fetchmailconf", pkgver:"6.2.5-12ubuntu1.2")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"fetchmail", pkgver:"6.2.5-13ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"fetchmail-ssl", pkgver:"6.2.5-13ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"fetchmailconf", pkgver:"6.2.5-13ubuntu3.1")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "fetchmail / fetchmail-ssl / fetchmailconf");
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | fetchmail | p-cpe:/a:canonical:ubuntu_linux:fetchmail |
| canonical | ubuntu_linux | fetchmail-ssl | p-cpe:/a:canonical:ubuntu_linux:fetchmail-ssl |
| canonical | ubuntu_linux | fetchmailconf | p-cpe:/a:canonical:ubuntu_linux:fetchmailconf |
| canonical | ubuntu_linux | 4.10 | cpe:/o:canonical:ubuntu_linux:4.10 |
| canonical | ubuntu_linux | 5.04 | cpe:/o:canonical:ubuntu_linux:5.04 |
| canonical | ubuntu_linux | 5.10 | cpe:/o:canonical:ubuntu_linux:5.10 |
Related
nessus
nessus
FreeBSD : fetchmail -- fetchmailconf local password exposure (baf74e0b-497a-11da-a4f4-0060084a00e5)
2006-05-13 00:00:00
GLSA-200511-06 : fetchmail: Password exposure in fetchmailconf
2005-11-07 00:00:00
Debian DSA-900-3 : fetchmail - programming error
2006-10-14 00:00:00
ubuntucve
ubuntucve
CVE-2005-3088
2005-10-27 00:00:00
openvas
openvas
Debian Security Advisory DSA 900-2 (fetchmail)
2008-01-17 00:00:00
Debian Security Advisory DSA 900-1 (fetchmail)
2008-01-17 00:00:00
Debian: Security Advisory (DSA-900-3)
2008-01-17 00:00:00
debian
debian
cvelist
cvelist
CVE-2005-3088
2005-10-27 04:00:00
freebsd
freebsd
fetchmail -- fetchmailconf local password exposure
2005-10-21 00:00:00
cve
cve
CVE-2005-3088
2005-10-27 10:02:00
ubuntu
ubuntu
fetchmailconf vulnerability
2005-11-08 00:00:00
redhat
redhat
(RHSA-2005:823) fetchmail security update
2005-10-26 00:00:00
securityvulns
securityvulns
fetchmail security announcement 2005-02 (CVE-2005-3088)
2005-10-28 00:00:00
debiancve
debiancve
CVE-2005-3088
2005-10-27 10:02:00
centos
centos
fetchmail, fetchmailconf security update
2005-10-28 03:32:26
gentoo
gentoo
fetchmail: Password exposure in fetchmailconf
2005-11-06 00:00:00
slackware
slackware
[slackware-security] fetchmail
2006-02-15 00:26:01
Related for UBUNTU_USN-215-1.NASL