Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability

2009-08-06T00:00:00
ID SSV:11997
Type seebug
Reporter Root
Modified 2009-08-06T00:00:00

Description

Bugtraq ID: 35951

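Fetchmail is a powerful IMAP and POP client. Fetchmail does not correctly validate domain names containing NULL characters in CA-signed certificates. This allows an attacker to substitute a malicious SSL certificate for a trusted one, bypass the security check, and carry out man-in-the-middle attacks or impersonate a trusted server to obtain sensitive information.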

Fetchmail Fetchmail 6.3.10
Fetchmail Fetchmail 6.3.9
Fetchmail Fetchmail 6.3.8
Fetchmail Fetchmail 6.3.7
Fetchmail Fetchmail 6.3.6 -rc3
Fetchmail Fetchmail 6.3.6 -rc2
Fetchmail Fetchmail 6.3.6 -rc1
Fetchmail Fetchmail 6.3.6
Fetchmail Fetchmail 6.3.5
Fetchmail Fetchmail 6.3.4
Fetchmail Fetchmail 6.3.3
Fetchmail Fetchmail 6.3.2
Fetchmail Fetchmail 6.3.1
Fetchmail Fetchmail 6.3
Fetchmail Fetchmail 6.2.5

Vendor solution

No detailed solution is currently available: http://fetchmail.berlios.de/
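
Added example (not part of the original advisory and not Fetchmail's own code): it shows why a check that treats certificate name bytes as a C string accepts a name containing a NUL character, beside a length-aware check that rejects it. The struct cert_name, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as a length-counted byte string, the way ASN.1
 * stores it. The bytes may contain NUL; len is the true length.
 * (Hypothetical type for this example.) */
struct cert_name { const char *data; size_t len; };

/* Flawed check: treats the name as a C string, so the comparison stops
 * at the first NUL byte and ignores everything after it. */
static int name_matches_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Hardened check: reject any name with a NUL byte inside its encoded
 * length, then compare over the full encoded length. */
static int name_matches_strict(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                 /* embedded NUL is never a valid hostname */
    if (cn->len != strlen(host))
        return 0;                 /* lengths must agree exactly */
    return strncasecmp(cn->data, host, cn->len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const char nul_name[] = "mail.example.com\0.untrusted.example";
static const struct cert_name CN_NUL = { nul_name, sizeof nul_name - 1 };
static const struct cert_name CN_OK  = { "mail.example.com", 16 };

int main(void)
{
    const char *host = "mail.example.com";

    printf("name with NUL, naive check : %s\n",
           name_matches_naive(&CN_NUL, host) ? "accepted" : "rejected");
    printf("name with NUL, strict check: %s\n",
           name_matches_strict(&CN_NUL, host) ? "accepted" : "rejected");
    printf("clean name,    strict check: %s\n",
           name_matches_strict(&CN_OK, host) ? "accepted" : "rejected");
    return 0;
}
```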