-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1852-1 security@debian.org http://www.debian.org/security/ Nico Golde August 7th, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : fetchmail Vulnerability : insufficient input validation Problem type : remote Debian-specific: no CVE ID : CVE-2009-2666 It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services) For the oldstable distribution (etch), this problem has been fixed in version 6.3.6-1etch2. For the stable distribution (lenny), this problem has been fixed in version 6.3.9~rc2-4+lenny1. For the testing distribution (squeeze), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 6.3.9~rc2-6. We recommend that you upgrade your fetchmail packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.dsc Size/MD5 checksum: 882 5d96480a102ad30f66dbac6bcbae1037 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6.orig.tar.gz Size/MD5 checksum: 1680200 04175459cdf32fdb10d9e8fc46b633c3 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2.diff.gz Size/MD5 checksum: 45665 a51b0544434e51577863032336812bd6 Architecture independent packages: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.6-1etch2_all.deb Size/MD5 checksum: 61444 f65648771182f763268cbc7fd643da8b alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_alpha.deb Size/MD5 checksum: 666592 289c6c238d70e71771d5c0c87b764a87 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_amd64.deb Size/MD5 checksum: 649604 8d2e4ff30c29e9e67831ec9aab5a567e arm architecture (ARM) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_arm.deb Size/MD5 checksum: 645170 928f041ad7b0311ac0188e4e6ca6256f hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_hppa.deb Size/MD5 checksum: 658340 511591dee94637fe440c6a737a3fd880 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_i386.deb Size/MD5 checksum: 642772 5ddc7364f8f34b1b12d1e5b17ff9ac6d ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_ia64.deb Size/MD5 checksum: 700924 6d7f77eca56a191e0fab3bdf8fa98c37 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_powerpc.deb Size/MD5 checksum: 647274 771f97aa2d2029135185afcbf05b605c s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_s390.deb Size/MD5 checksum: 647026 f2ac2a5ce6f648b7d88948530456d02d sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.6-1etch2_sparc.deb Size/MD5 checksum: 640688 974ffde76095f1fa184cf1eced7b7dae Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.dsc Size/MD5 checksum: 1375 39a3debdf4c4cf3e313c75e5688209ca http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1.diff.gz Size/MD5 checksum: 46891 a2715b1768546ea2d7a3c8a518aa8188 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2.orig.tar.gz Size/MD5 checksum: 1711087 200ece6f73ac28ccda7aea42ea4e492d Architecture independent packages: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.3.9~rc2-4+lenny1_all.deb Size/MD5 checksum: 63124 1cd8fa8a8367a1bc8f1d30ff2d8ff3ee alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_alpha.deb Size/MD5 checksum: 680224 1a2ddefc8a90da5e2d31291f1101442c amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_amd64.deb Size/MD5 checksum: 668616 65015cc17b556da2e44ef1496171e9fd arm architecture (ARM) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_arm.deb Size/MD5 checksum: 663090 4b4fccf839ee8b6f1f94a997ac911179 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_armel.deb Size/MD5 checksum: 662018 837c3029b01e180f2447ff0f19555dc5 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_hppa.deb Size/MD5 checksum: 673570 7dbce7d81c38e4fa9562626610b09f65 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_i386.deb Size/MD5 checksum: 657844 a9e357f91278e9108018725c96eeb8ae ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_ia64.deb Size/MD5 checksum: 719116 4b2f362a01870c0770f010bcc5012aad mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mips.deb Size/MD5 checksum: 664870 2abf34330924241ce890b703709c5895 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_mipsel.deb Size/MD5 checksum: 663906 88af289787ec5fd46c83f28a0de65849 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_powerpc.deb Size/MD5 checksum: 669542 7c9a426df9ef71c0420ccb030e5d422b s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_s390.deb Size/MD5 checksum: 666976 6aa0fd370bd06f3c39d9230c82cde208 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.3.9~rc2-4+lenny1_sparc.deb Size/MD5 checksum: 658912 699f23466f0003f7f38f02111d5a3363 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkp8SOQACgkQHYflSXNkfP+eXQCcDixwhyFyyKjaS34HJEe9g71L XKoAn3eTMd0qbvNi/4AVoGIBIjTDALlh =O0zh -----END PGP SIGNATURE-----