CVE-2009-2666

Related Files

Gentoo Linux Security Advisory 201006-12

Posted Jun 3, 2010

Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201006-12 - Multiple vulnerabilities have been reported in Fetchmail, allowing remote attackers to execute arbitrary code or to conduct Man-in-the-Middle attacks. Versions less than 6.3.14 are affected.

tags | advisory, remote, arbitrary, vulnerability

systems | linux, gentoo

advisories | CVE-2009-2666, CVE-2010-0562

SHA-256 | 673e4aabeca54c4f6f8eb89a2119f7e035d028ee5801f0d90caec3696f7ba79a

Download | Favorite | View

Mandriva Linux Security Advisory 2009-201

Posted Dec 4, 2009

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-201 - socket.c in fetchmail before 6.3.11 does not properly handle a '\\0' (NUL) character in a domain name in the subject's Common Name (CN) and subjectAlt(ernative)Name fields of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This update provides a solution to this vulnerability. Packages for 2008.0 are being provided due to extended support for Corporate products.

tags | advisory, arbitrary, spoof

systems | linux, mandriva

advisories | CVE-2009-2666

SHA-256 | 4aba094aed5936c7ea5deea95cdcd8b2b4f9927a8b2c97e80c7ef02c3672c820

Download | Favorite | View

Ubuntu Security Notice 816-1

Posted Aug 13, 2009

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice USN-816-1 - Moxie Marlinspike discovered that fetchmail did not properly handle certificates with NULL characters in the certificate name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

tags | advisory, remote

systems | linux, ubuntu

advisories | CVE-2009-2666

SHA-256 | f84db5283372ab8ae42ba4dff0f41857f47a11217c3e188b9ac25bc8e7124c00

Download | Favorite | View

Mandriva Linux Security Advisory 2009-201

Posted Aug 13, 2009

Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-201 - socket.c in fetchmail before 6.3.11 does not properly handle a '\\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This update provides a solution to this vulnerability.

tags | advisory, arbitrary, spoof

systems | linux, mandriva

advisories | CVE-2009-2666

SHA-256 | 62d87310d1b7c54e45458614ca4c8fb88bc2d0ec7cd3071189a4242f8e2c8506

Download | Favorite | View

Debian Linux Security Advisory 1852-1

Posted Aug 10, 2009

Authored by Debian | Site debian.org

Debian Security Advisory 1852-1 - It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields.

tags | advisory, remote

systems | linux, debian

advisories | CVE-2009-2666

SHA-256 | b2c279e9428381b4b79febdf015211782d03ec298a3ff8b389cda567f086028b

Download | Favorite | View

Fetchmail Improper SSL Certificate Verification

Posted Aug 6, 2009

Authored by Matthias Andree

Fetchmail versions 6.3.10 and below suffer from an improper SSL certificate subject verification vulnerability.

tags | advisory

advisories | CVE-2009-2666

SHA-256 | ce7096d8ac83ac8f9f069b1910a6aa91898577d3165d040410eeb7f62efaf3fc

Download | Favorite | View