[linux-security] fetchmail remote vulnerability
- To: linux-security
- Subject: [linux-security] fetchmail remote vulnerability
- From: Martin Siegert <siegert@sfu.ca>
- Date: Mon, 10 Sep 2001 15:51:17 -0700
- User-Agent: Mutt/1.2.5i
Topic
=====
fetchmail is vulnerable to remote attacks from maliciously configured
mailservers.
Problem Description
===================
Fetchmail versions up to 5.8.9 are susceptible to remote attacks from
malicious servers. When fetchmail attempts to create an index of messages
in the remote mailbox being polled, it uses index numbers sent by the
server as an index into an internal array. If a server sends fetchmail a
negative number, fetchmail will attempt to write data outside the bounds of
the array.
Note: this requires that the attacker has control over the mailserver.
If you do not trust the people who run the mailserver that you are
using, then you are at risk.
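The defect described above is a missing bounds check on a number the server chooses. The following is an added example, not fetchmail's code: a hypothetical client-side routine that parses the message number from a server LIST line and refuses negative, zero, non-numeric and out-of-range values before it is ever used as an array offset. The table size, the function names and the sample server lines are all constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 64   /* size of the local table of per-message data (assumed) */

/* Outcome of validating a server-supplied message number. */
enum idx_status {
    IDX_OK = 0,
    IDX_NOT_A_NUMBER,
    IDX_NEGATIVE_OR_ZERO,   /* would index before the start of the table */
    IDX_TOO_LARGE           /* beyond the message count the server announced */
};

/* Parse the leading message number of a server line (e.g. the "5" in a
 * POP3 "5 1234" LIST response) and convert it to a 0-based table slot.
 * 'count' is the message count from the earlier STAT response, already
 * clamped to the table capacity by the caller. */
enum idx_status parse_msg_index(const char *field, size_t count, size_t *slot)
{
    char *end;
    errno = 0;
    long n = strtol(field, &end, 10);
    if (end == field || errno == ERANGE ||
        (*end != '\0' && !isspace((unsigned char)*end)))
        return IDX_NOT_A_NUMBER;
    if (n <= 0)                       /* the negative-number case from the advisory */
        return IDX_NEGATIVE_OR_ZERO;
    if ((unsigned long)n > count)
        return IDX_TOO_LARGE;
    *slot = (size_t)n - 1;
    return IDX_OK;
}

/* Convenience wrapper returning only the validation status. */
int check_index(const char *field, size_t count)
{
    size_t unused;
    return (int)parse_msg_index(field, count, &unused);
}

/* Apply a batch of LIST lines to the sizes table. Only validated slots are
 * written; returns how many lines were rejected. */
int apply_list_lines(const char *const lines[], size_t nlines, size_t count,
                     long sizes[], size_t cap)
{
    int rejected = 0;
    if (count > cap)                  /* never trust STAT's count beyond our table */
        count = cap;
    for (size_t i = 0; i < nlines; i++) {
        size_t slot;
        if (parse_msg_index(lines[i], count, &slot) != IDX_OK) {
            rejected++;
            continue;
        }
        const char *sp = strchr(lines[i], ' ');
        sizes[slot] = sp ? strtol(sp + 1, NULL, 10) : 0;
    }
    return rejected;
}

/* Constructed sample: a server that announced 3 messages but sends index
 * values a trusting client would use directly as array offsets. */
long g_sizes[MAX_MESSAGES];

int run_sample(void)
{
    static const char *const lines[] = {
        "1 1200", "2 800", "-1 99999", "999 5", "abc 3", "0 50"
    };
    memset(g_sizes, 0, sizeof g_sizes);
    return apply_list_lines(lines, sizeof lines / sizeof lines[0], 3,
                            g_sizes, MAX_MESSAGES);
}

int main(void)
{
    int rejected = run_sample();
    printf("rejected %d malformed LIST lines\n", rejected);
    for (size_t i = 0; i < 3; i++)
        printf("message %zu: %ld bytes\n", i + 1, g_sizes[i]);
    return 0;
}
```

The two checks that matter are the sign test and the comparison against the announced count, clamped to the table capacity: a server that lies about its own message count, or sends a number the client never allocated room for, gets its line dropped instead of steering a write outside the array.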
Affected Versions
=================
fetchmail <= 5.8.9
Solution
========
Upgrade to fetchmail-5.8.10 or newer.
RedHat 7.x
----------
rpm -Fvh fetchmail-5.9.0-0.7.1.i386.rpm fetchmailconf-5.9.0-0.7.1.i386.rpm
RedHat 6.x
----------
rpm -Fvh fetchmail-5.9.0-0.6.2.i386.rpm fetchmailconf-5.9.0-0.6.2.i386.rpm
Debian 2.2 (potato)
-------------------
upgrade to fetchmail_5.3.3-3_i386.deb
Mandrake 8.0
------------
rpm -Fvh fetchmail-5.7.4-5.2mdk.i586.rpm fetchmail-daemon-5.7.4-5.2mdk.i586.rpm
Mandrake 7.2
------------
rpm -Fvh fetchmail-5.5.2-5.2mdk.i586.rpm \
fetchmail-daemon-5.5.2-5.2mdk.i586.rpm \
fetchmailconf-5.5.2-5.2mdk.i586.rpm
Mandrake 7.1
------------
rpm -Fvh fetchmail-5.3.8-4.2mdk.i586.rpm fetchmailconf-5.3.8-4.2mdk.i586.rpm