Mandriva Update for fetchmail MDKSA-2007:105 (fetchmail)

Mandriva Update for fetchmail MDKSA-2007:105 (fetchmail) - APOP vulnerability patc

Reporter	Title	Published	Views	Family All 231
ALT Linux	Security fix for the ALT Linux 6 package fetchmail version 6.3.8-alt1	7 Apr 200700:00	–	altlinux
Tenable Nessus	Mozilla Thunderbird < 1.5.0.12 Multiple Vulnerabilities (deprecated)	31 May 200700:00	–	nessus
Tenable Nessus	SeaMonkey < 1.0.9 / 1.1.2 Multiple Vulnerabilities	31 May 200700:00	–	nessus
Tenable Nessus	CentOS 5 : evolution-data-server (CESA-2007:0344)	1 Jun 200700:00	–	nessus
Tenable Nessus	CentOS 3 / 4 : evolution (CESA-2007:0353)	20 May 200700:00	–	nessus
Tenable Nessus	CentOS 3 / 4 / 5 : fetchmail (CESA-2007:0385)	7 Jun 200700:00	–	nessus
Tenable Nessus	CentOS 3 / 4 / 5 : mutt (CESA-2007:0386)	4 Jun 200700:00	–	nessus
Tenable Nessus	CentOS 4 / 5 : thunderbird (CESA-2007:0401)	23 Apr 200900:00	–	nessus
Tenable Nessus	CentOS 3 / 4 : seamonkey (CESA-2007:0402)	23 Apr 200900:00	–	nessus
Tenable Nessus	CentOS 5 : ruby (CESA-2009:1140)	6 Jan 201000:00	–	nessus

Source	Link
lists	www.lists.mandriva.com/security-announce/2007-05/msg00020.php

###############################################################################
# OpenVAS Vulnerability Test
#
# Mandriva Update for fetchmail MDKSA-2007:105 (fetchmail)
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

include("revisions-lib.inc");
tag_insight = "The APOP functionality in fetchmail's POP3 client implementation was
  validating the APOP challenge too lightly, accepting random garbage
  as a POP3 server's APOP challenge, rather than insisting it conform
  to RFC-822 specifications.

  As a result of this flaw, it made man-in-the-middle attacks easier than
  necessary to retrieve the first few characters of the APOP secret,
  allowing them to potentially brute force the remaining characters
  easier than should be possible.
  
  Updated packages have been patched to prevent these issues, however it
  should be noted that the APOP MD5-based authentication scheme should
  no longer be considered secure.";

tag_affected = "fetchmail on Mandriva Linux 2007.0,
  Mandriva Linux 2007.0/X86_64,
  Mandriva Linux 2007.1,
  Mandriva Linux 2007.1/X86_64";
tag_solution = "Please Install the Updated Packages.";



if(description)
{
  script_xref(name : "URL" , value : "http://lists.mandriva.com/security-announce/2007-05/msg00020.php");
  script_id(830174);
  script_version("$Revision: 6568 $");
  script_tag(name:"last_modification", value:"$Date: 2017-07-06 15:04:21 +0200 (Thu, 06 Jul 2017) $");
  script_tag(name:"creation_date", value:"2009-04-09 13:57:01 +0200 (Thu, 09 Apr 2009)");
  script_tag(name:"cvss_base", value:"2.6");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:N/A:N");
  script_xref(name: "MDKSA", value: "2007:105");
  script_cve_id("CVE-2007-1558");
  script_name( "Mandriva Update for fetchmail MDKSA-2007:105 (fetchmail)");

  script_summary("Check for the Version of fetchmail");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
  script_family("Mandrake Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/mandriva_mandrake_linux", "ssh/login/release");
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}


include("pkg-lib-rpm.inc");

release = get_kb_item("ssh/login/release");


res = "";
if(release == NULL){
  exit(0);
}

if(release == "MNDK_2007.1")
{

  if ((res = isrpmvuln(pkg:"fetchmail", rpm:"fetchmail~6.3.6~1.1mdv2007.1", rls:"MNDK_2007.1")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if ((res = isrpmvuln(pkg:"fetchmail-daemon", rpm:"fetchmail-daemon~6.3.6~1.1mdv2007.1", rls:"MNDK_2007.1")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if ((res = isrpmvuln(pkg:"fetchmailconf", rpm:"fetchmailconf~6.3.6~1.1mdv2007.1", rls:"MNDK_2007.1")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}


if(release == "MNDK_2007.0")
{

  if ((res = isrpmvuln(pkg:"fetchmail", rpm:"fetchmail~6.3.4~3.2mdv2007.0", rls:"MNDK_2007.0")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if ((res = isrpmvuln(pkg:"fetchmail-daemon", rpm:"fetchmail-daemon~6.3.4~3.2mdv2007.0", rls:"MNDK_2007.0")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if ((res = isrpmvuln(pkg:"fetchmailconf", rpm:"fetchmailconf~6.3.4~3.2mdv2007.0", rls:"MNDK_2007.0")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}

06 Jul 2017 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.1342