The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of fetchmail: denial of service via a warning

Synthesis of the vulnerability 

An attacker can generate errors in order to force fetchmail to send a warning message, then to stop if this message cannot be delivered.
Vulnerable products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.
Severity of this weakness: 1/4.
Creation date: 30/08/2007.
References of this bulletin: BID-25495, CVE-2007-4565, DSA-1377-1, DSA-1377-2, FEDORA-2007-1983, FEDORA-2007-689, fetchmail-SA-2007-02, fetchmail-SA-2008-01, MDKSA-2007:179, RHSA-2009:1427-01, SUSE-SR:2007:022, VIGILANCE-VUL-7134.

Description of the vulnerability 

The fetchmail program downloads emails from a POP or IMAP server and delivers them depending on its configuration.

When an error occurs (login failed or message not transmitted), fetchmail sends a warning message to the administrator. However, if this warning message is rejected by the SMTP service, fetchmail dereferences a NULL pointer and stops.

An attacker can therefore stop fetchmail if, for example, they can block both the login service and the SMTP service.
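To make the failure mode concrete, here is an added illustration (not fetchmail's own code; the session type, the stub listener and the function names are assumptions) of the unchecked pattern the description implies, beside a hardened version that treats a rejected warning as an ordinary error instead of dereferencing NULL:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an SMTP listener session used to deliver the
 * administrator warning. Not fetchmail's real types. */
typedef struct {
    const char *host;
} smtp_session;

static smtp_session local_listener = { "localhost" };
static char status_buf[80];   /* where the caller's status text is written */

/* Constructed stub: when the listener rejects the warning message (for
 * example with a 5xx reply) the open fails and yields NULL, which is the
 * situation the bulletin describes. */
static smtp_session *open_warning_session(int listener_rejects)
{
    return listener_rejects ? NULL : &local_listener;
}

/* Unchecked pattern (illustrative): the session pointer is used without
 * testing it, so a rejected warning becomes a NULL dereference and the
 * whole mail-polling process dies. Never call with listener_rejects != 0. */
int send_warning_unchecked(int listener_rejects, char *status, size_t n)
{
    smtp_session *s = open_warning_session(listener_rejects);
    snprintf(status, n, "warning sent via %s", s->host); /* crashes on NULL */
    return 0;
}

/* Hardened pattern: a rejected warning is itself just an error to report.
 * Returns -1 and leaves the poll loop free to continue instead of stopping. */
int send_warning_checked(int listener_rejects, char *status, size_t n)
{
    smtp_session *s = open_warning_session(listener_rejects);
    if (s == NULL) {
        snprintf(status, n, "warning not delivered: listener rejected it");
        return -1;
    }
    snprintf(status, n, "warning sent via %s", s->host);
    return 0;
}

int main(void)
{
    int rc = send_warning_checked(1, status_buf, sizeof status_buf);
    printf("rc=%d status=%s\n", rc, status_buf);
    rc = send_warning_checked(0, status_buf, sizeof status_buf);
    printf("rc=%d status=%s\n", rc, status_buf);
    return 0;
}
```

The fix shipped in fetchmail 6.3.9 addresses the same class of defect: the result of delivering the warning must be checked before it is used.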
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This weakness note impacts software or systems such as Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this threat note is low.

The trust level is "confirmed by the editor", and the origin is "intranet server".

An attacker with expert ability can exploit this computer weakness.

Solutions for this threat 

fetchmail: version 6.3.9.
Version 6.3.9 is corrected:
  http://developer.berlios.de/project/showfiles.php?group_id=1824

fetchmail: patch for warning.
A patch is available.

Debian: new fetchmail packages.
New packages are available.

Fedora 7: new fetchmail packages.
New packages are available.

Fedora Core 6: new fetchmail packages.
New packages are available:
    http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/

Mandriva: new fetchmail packages.
New packages are available.

RHEL: new fetchmail packages.
New packages are available:
Red Hat Enterprise Linux version 3: fetchmail-6.2.0-3.el3.5
Red Hat Enterprise Linux version 4: fetchmail-6.2.5-6.0.1.el4_8.1
Red Hat Enterprise Linux version 5: fetchmail-6.3.6-1.1.el5_3.1

SUSE: new fetchmail, flac, opera, util-linux and openssh packages.
New packages are available via FTP or YaST.

Computer vulnerabilities tracking service 

Vigil@nce provides a computer vulnerability alert service. The technology watch team tracks security threats targeting computer systems.