Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Security Update: [CSSA-2002-051.0] Linux: fetchmail remote vulnerabilities in multidrop mode

From: security () caldera com
Date: Thu, 21 Nov 2002 11:49:30 -0800
To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com full-disclosure () 
lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: fetchmail remote vulnerabilities in multidrop mode
Advisory number:        CSSA-2002-051.0
Issue date:             2002 November 21
Cross reference:
______________________________________________________________________________


1. Problem Description

        Several buffer overflows have been found in fetchmail. These
        bugs may be remotely exploited if fetchmail is running in
        multidrop mode.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1 Server            prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1 Workstation       prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/RPMS

        4.2 Packages

        434fea1951a0d2f3b84aacef99c64406        fetchmail-6.1.0-3.i386.rpm
        f4a95f399c696a47d30cb42076a16537        fetchmailconf-6.1.0-3.i386.rpm

        4.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/SRPMS

        4.5 Source Packages

        4c7bc139f6e47d9971d65496e60a076b        fetchmail-6.1.0-3.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/RPMS

        5.2 Packages

        645cf83c0c1619d544a18b9ce5f9d075        fetchmail-6.1.0-3.i386.rpm
        cc9e945ccf9d649683a4f5dfca3b771a        fetchmailconf-6.1.0-3.i386.rpm

        5.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/SRPMS

        5.5 Source Packages

        cb48bec8553df5c52f625ecad3a9411b        fetchmail-6.1.0-3.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/RPMS

        6.2 Packages

        65173695a1ed34351d66264d194612b7        fetchmail-6.1.0-3.i386.rpm
        00f87fcb9ce0d8b1253ccc0e10d488a6        fetchmailconf-6.1.0-3.i386.rpm

        6.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/SRPMS

        6.5 Source Packages

        4554b6c1ba5cc11ab5a0dae47c742605        fetchmail-6.1.0-3.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/RPMS

        7.2 Packages

        84ef9db93e4e3ecf962332495efb4979        fetchmail-6.1.0-3.i386.rpm
        48b5987e053098ba15c9105386b9b32d        fetchmailconf-6.1.0-3.i386.rpm

        7.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/SRPMS

        7.5 Source Packages

        9ee9d217103d8ca4b8ac97d6e7709a4d        fetchmail-6.1.0-3.src.rpm


8. References

        Specific references for this advisory:

                http://security.e-matters.de/advisories/032002.html
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1174

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr869910, fz526231,
        erg712133.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        Stefan Esser [s.esser () e-matters de] discovered and researched
        these vulnerabilities.

______________________________________________________________________________

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: