Bug 7280

Summary: fetchmail new security issue CVE-2012-3482
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: alien, davidwhodgins, sysadmin-bugs, thierry.vignaud, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://freecode.com/projects/fetchmail/releases/347811
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Source RPM: fetchmail-6.3.21-1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-09-01 04:10:51 CEST 
fetchmail 6.3.22 has been released, fixing an issue as described on freecode:

A security issue where a misinterpreted server response could allow DoS and data theft in NTLM authentication was fixed. This issue was reported as CVE-2012-3482. The false disabling of a countermeasure against plaintext attacks in block ciphers was fixed. Various other minor fixes were made.

See also the ChangeLog:
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
David Walser 2012-09-01 04:11:22 CEST

CC: (none) => alien
Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-09-01 04:11:31 CEST

CC: (none) => thierry.vignaud

Comment 1 David Walser 2012-09-01 17:59:33 CEST 
Mandriva has issued an advisory for this today (September 1):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
Comment 2 AL13N 2012-09-03 21:10:51 CEST 
submitted 6.3.22 for 1/2/cauldron ... i couldn't easily get separate patches.

Advisory can be identical to MDV's
Comment 3 David Walser 2012-09-04 00:42:06 CEST 
There's a subrel in the Mageia 1 package, which makes it newer than the Mageia 2 and Cauldron packages.  Please ask a sysadmin to remove it from Mageia 1 updates_testing and resubmit it without the subrel.  Thanks.
Comment 4 David Walser 2012-09-04 00:43:40 CEST 
For future reference, these are the packages from this SRPM:

fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 5 AL13N 2012-09-04 14:33:57 CEST 
ok, that mga1 package is now also re-submitted
Comment 6 David Walser 2012-09-04 14:41:22 CEST 
Advisory:
========================

Updated fetchmail packages fix security vulnerabilities:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
========================

Updated packages in core/updates_testing:
========================
fetchmail-6.3.22-1.mga1
fetchmailconf-6.3.22-1.mga1
fetchmail-daemon-6.3.22-1.mga1
fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2

from SRPMS:
fetchmail-6.3.22-1.mga1.src.rpm
fetchmail-6.3.22-1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Comment 7 Dave Hodgins 2012-09-06 21:15:04 CEST 
I'll be testing this on both releases arches shortly.

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2012-09-07 03:09:01 CEST 
Testing complete on Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpm
fetchmail-6.3.22-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
fetchmail-6.3.22-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated fetchmail packages fix security vulnerabilities:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149

https://bugs.mageia.org/show_bug.cgi?id=7280

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 9 Thomas Backlund 2012-09-07 20:30:43 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0259

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED