fetchmail 6.3.22 has been released, fixing an issue as described on freecode: A security issue where a misinterpreted server response could allow DoS and data theft in NTLM authentication was fixed. This issue was reported as CVE-2012-3482. The false disabling of a countermeasure against plaintext attacks in block ciphers was fixed. Various other minor fixes were made. See also the ChangeLog: http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117
CC: (none) => alienWhiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => thierry.vignaud
Mandriva has issued an advisory for this today (September 1): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149
submitted 6.3.22 for 1/2/cauldron ... i couldn't easily get separate patches. Advisory can be identical to MDV's
There's a subrel in the Mageia 1 package, which makes it newer than the Mageia 2 and Cauldron packages. Please ask a sysadmin to remove it from Mageia 1 updates_testing and resubmit it without the subrel. Thanks.
For future reference, these are the packages from this SRPM: fetchmail-6.3.22-1.mga2 fetchmailconf-6.3.22-1.mga2 fetchmail-daemon-6.3.22-1.mga2
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
ok, that mga1 package is now also re-submitted
Advisory: ======================== Updated fetchmail packages fix security vulnerabilities: Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case (aka a BEAST attack) (CVE-2011-3389). A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of NTLM protocol exchange, or server-side error message and session abort. A rogue NTML server could use this flaw to cause fetchmail executable crash (CVE-2012-3482). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482 http://www.fetchmail.info/fetchmail-SA-2012-01.txt http://www.fetchmail.info/fetchmail-SA-2012-02.txt http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149 ======================== Updated packages in core/updates_testing: ======================== fetchmail-6.3.22-1.mga1 fetchmailconf-6.3.22-1.mga1 fetchmail-daemon-6.3.22-1.mga1 fetchmail-6.3.22-1.mga2 fetchmailconf-6.3.22-1.mga2 fetchmail-daemon-6.3.22-1.mga2 from SRPMS: fetchmail-6.3.22-1.mga1.src.rpm fetchmail-6.3.22-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
I'll be testing this on both releases arches shortly.
CC: (none) => davidwhodgins
Testing complete on Mageia 1 and 2, i586 and x86-64. Could someone from the sysadmin team push the srpm fetchmail-6.3.22-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm fetchmail-6.3.22-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated fetchmail packages fix security vulnerabilities: Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case (aka a BEAST attack) (CVE-2011-3389). A denial of service flaw was found in the way Fetchmail, a remote mail retrieval and forwarding utility, performed base64 decoding of certain NTLM server responses. Upon sending the NTLM authentication request, Fetchmail did not check if the received response was actually part of NTLM protocol exchange, or server-side error message and session abort. A rogue NTML server could use this flaw to cause fetchmail executable crash (CVE-2012-3482). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482 http://www.fetchmail.info/fetchmail-SA-2012-01.txt http://www.fetchmail.info/fetchmail-SA-2012-02.txt http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=19117 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:149 https://bugs.mageia.org/show_bug.cgi?id=7280
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0259
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED