
[linux-security] fetchmail remote vulnerability



Topic
=====
fetchmail is vulnerable to remote attacks from maliciously configured
mailservers.

Problem Description
===================
Fetchmail versions up to and including 5.8.9 are susceptible to remote attacks
from malicious servers.  When fetchmail builds its index of the messages in
the remote mailbox being polled, it takes the message numbers sent by the
server and uses them directly as an index into an internal array.  If the
server sends a negative message number, fetchmail writes data outside the
bounds of that array.  This is memory corruption triggered purely by server
responses; no action by the user is required beyond polling the mailbox.
Note: this requires that the attacker controls the mailserver that fetchmail
polls.  If you do not trust the people who run the mailserver that you are
using, then you are at risk.
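The indexing bug described above, as an added example in C that is not fetchmail's own code: a hypothetical POP3 LIST-style reply line ("msgnum size") is parsed, and the server-supplied message number is used as an array index first without a bounds check (the vulnerable pattern) and then with one. The function names, the array capacity MAX_MESSAGES and the sample replies are all constructed for illustration.

```c
/* Added example, not fetchmail code: server-controlled message number
 * used as an array index, unchecked versus checked.  All names and the
 * sample replies below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define MAX_MESSAGES 8          /* hypothetical capacity of the per-poll table */

/* Per-poll table of message sizes, indexed by message number minus one. */
struct mailbox {
    int  count;                 /* how many messages the server claimed to hold */
    long sizes[MAX_MESSAGES];
};

/* Parse one "msgnum size" line (POP3 LIST style).  Returns 0 on success,
 * -1 if either token is not a well-formed decimal integer.  Note that a
 * correctly parsed line can still carry a hostile (e.g. negative) number. */
int parse_list_line(const char *line, long *num, long *size)
{
    char *end;

    errno = 0;
    *num = strtol(line, &end, 10);
    if (end == line || errno != 0 || *end != ' ')
        return -1;

    line = end + 1;
    errno = 0;
    *size = strtol(line, &end, 10);
    if (end == line || errno != 0 ||
        (*end != '\0' && *end != '\r' && *end != '\n'))
        return -1;
    return 0;
}

/* Vulnerable pattern: trusts num as an index.  With num <= 0 or
 * num > MAX_MESSAGES this writes outside sizes[]; it is kept here only
 * for contrast and is never called with server input in this example. */
void record_size_unchecked(struct mailbox *mb, long num, long size)
{
    mb->sizes[num - 1] = size;
}

/* Hardened pattern: reject anything outside 1..count (and the physical
 * capacity) before touching the array.  Returns 0 if stored, -1 if the
 * server's number was rejected. */
int record_size_checked(struct mailbox *mb, long num, long size)
{
    if (num < 1 || num > mb->count || num > MAX_MESSAGES || size < 0)
        return -1;
    mb->sizes[num - 1] = size;
    return 0;
}

/* Handle one server line via the hardened path.  Returns 0 on success,
 * -1 if the line was malformed or the message number was out of range. */
int handle_list_line(struct mailbox *mb, const char *line)
{
    long num, size;

    if (parse_list_line(line, &num, &size) != 0)
        return -1;
    return record_size_checked(mb, num, size);
}

int main(void)
{
    /* Constructed sample replies: two honest lines, then a hostile one
     * with a negative message number as described in the advisory. */
    const char *lines[] = { "1 512", "2 2048", "-3 99" };
    struct mailbox mb = { .count = 2 };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = handle_list_line(&mb, lines[i]);
        printf("%-8s -> %s\n", lines[i], rc == 0 ? "stored" : "rejected");
    }
    return 0;
}
```

The check is against both the count the server announced for this poll and the fixed capacity of the table: a server that lies about its message count, or that sends a number larger than it announced, is rejected the same way as one that sends a negative number.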

Affected Versions
=================
fetchmail <= 5.8.9

Solution
========
Upgrade to fetchmail-5.8.10 or newer.  The installed version can be checked
with "fetchmail --version".  Note that the vendor packages listed below
carry the fix as a backport under older upstream version numbers (Debian's
5.3.3-3, for example), so on a distribution system compare against the
vendor's fixed package version rather than against 5.8.10.

RedHat 7.x
----------
rpm -Fvh fetchmail-5.9.0-0.7.1.i386.rpm fetchmailconf-5.9.0-0.7.1.i386.rpm

RedHat 6.x
----------
rpm -Fvh fetchmail-5.9.0-0.6.2.i386.rpm fetchmailconf-5.9.0-0.6.2.i386.rpm

Debian 2.2 (potato)
-------------------
upgrade to fetchmail_5.3.3-3_i386.deb

Mandrake 8.0
------------
rpm -Fvh fetchmail-5.7.4-5.2mdk.i586.rpm fetchmail-daemon-5.7.4-5.2mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh fetchmail-5.5.2-5.2mdk.i586.rpm \
         fetchmail-daemon-5.5.2-5.2mdk.i586.rpm \
         fetchmailconf-5.5.2-5.2mdk.i586.rpm

Mandrake 7.1
------------
rpm -Fvh fetchmail-5.3.8-4.2mdk.i586.rpm fetchmailconf-5.3.8-4.2mdk.i586.rpm