Bug 7280 - fetchmail new security issue CVE-2012-3482
: fetchmail new security issue CVE-2012-3482
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://freecode.com/projects/fetchmai...
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-09-01 04:10 CEST by David Walser
Modified: 2012-09-07 20:30 CEST (History)
5 users (show)

See Also:
Source RPM: fetchmail-6.3.21-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-09-01 04:10:51 CEST
fetchmail 6.3.22 has been released, fixing an issue as described on freecode:

A security issue where a misinterpreted server response could allow DoS and data theft in NTLM authentication was fixed. This issue was reported as CVE-2012-3482. The false disabling of a countermeasure against plaintext attacks in block ciphers was fixed. Various other minor fixes were made.

See also the ChangeLog:
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
Comment 1 David Walser 2012-09-01 17:59:33 CEST
Mandriva has issued an advisory for this today (September 1):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
Comment 2 AL13N 2012-09-03 21:10:51 CEST
submitted 6.3.22 for 1/2/cauldron ... i couldn't easily get separate patches.

Advisory can be identical to MDV's
Comment 3 David Walser 2012-09-04 00:42:06 CEST
There's a subrel in the Mageia 1 package, which makes it newer than the Mageia 2 and Cauldron packages.  Please ask a sysadmin to remove it from Mageia 1 updates_testing and resubmit it without the subrel.  Thanks.
Comment 4 David Walser 2012-09-04 00:43:40 CEST
For future reference, these are the packages from this SRPM:

fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2
Comment 5 AL13N 2012-09-04 14:33:57 CEST
ok, that mga1 package is now also re-submitted
Comment 6 David Walser 2012-09-04 14:41:22 CEST
Advisory:
========================

Updated fetchmail packages fix security vulnerabilities:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
========================

Updated packages in core/updates_testing:
========================
fetchmail-6.3.22-1.mga1
fetchmailconf-6.3.22-1.mga1
fetchmail-daemon-6.3.22-1.mga1
fetchmail-6.3.22-1.mga2
fetchmailconf-6.3.22-1.mga2
fetchmail-daemon-6.3.22-1.mga2

from SRPMS:
fetchmail-6.3.22-1.mga1.src.rpm
fetchmail-6.3.22-1.mga2.src.rpm
Comment 7 Dave Hodgins 2012-09-06 21:15:04 CEST
I'll be testing this on both releases arches shortly.
Comment 8 Dave Hodgins 2012-09-07 03:09:01 CEST
Testing complete on Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpm
fetchmail-6.3.22-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
fetchmail-6.3.22-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated fetchmail packages fix security vulnerabilities:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
http://www.fetchmail.info/fetchmail-SA-2012-01.txt
http://www.fetchmail.info/fetchmail-SA-2012-02.txt
http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149

https://bugs.mageia.org/show_bug.cgi?id=7280
Comment 9 Thomas Backlund 2012-09-07 20:30:43 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0259

Note You need to log in before you can comment on or make changes to this bug.