OSEC

 
From: OpenPKG (openpkg_at_openpkg.org)
Date: Tue Dec 17 2002 - 10:24:17 CST



    ________________________________________________________________________

    OpenPKG Security Advisory                         The OpenPKG Project
    http://www.openpkg.org/security.html              http://www.openpkg.org
    openpkg-security@openpkg.org                      openpkg@openpkg.org
    OpenPKG-SA-2002.016                               17-Dec-2002
    ________________________________________________________________________

    Package: fetchmail
    Vulnerability: crashing or remote command execution
    OpenPKG Specific: no

    Dependent Packages: none

    Affected Releases:   Affected Packages:             Corrected Packages:
    OpenPKG 1.0          <= fetchmail-5.9.5-1.0.0       >= fetchmail-5.9.5-1.0.1
    OpenPKG 1.1          <= fetchmail-5.9.13-1.1.0      >= fetchmail-5.9.13-1.1.1
    OpenPKG CURRENT      <= fetchmail-6.1.3-20021128    >= fetchmail-6.2.0-20021213

    Description:
      The e-matters security team has re-audited Fetchmail and discovered a
      remote vulnerability [1] within the default install. Headers are
      searched for local addresses, to which an "@" and the hostname of the
      mailserver are appended. The buffer sized to store the modified
      addresses is too short by one character per address. This
      vulnerability allows crashing or remote code execution. Depending on
      the configuration this can lead to a remote root compromise.
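      The sizing defect described above, as an added illustration in C that is
      not fetchmail's code: a flawed size formula that omits the inserted "@"
      for each address beside the corrected formula, plus a bounds-checked
      rewrite that refuses a buffer smaller than the corrected size. The header
      value and hostname are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: two local addresses and the mailserver's hostname. */
static const char SAMPLE_HDR[]  = "joe, root";
static const char SAMPLE_HOST[] = "mail.example.org";

/* Number of comma-separated addresses in a header value. */
static size_t count_addrs(const char *hdr) {
    size_t n = (*hdr != '\0');
    for (const char *p = hdr; *p; p++)
        if (*p == ',') n++;
    return n;
}

/* Sizing with the flaw the advisory describes: each address grows by the
 * hostname, but the inserted '@' is not counted, so the result is one byte
 * short per address. Illustrative reconstruction, not fetchmail's code. */
size_t size_short_by_one(const char *hdr, const char *host) {
    return strlen(hdr) + count_addrs(hdr) * strlen(host) + 1;
}

/* Corrected sizing: '@' plus hostname per address, plus the terminating NUL. */
size_t size_correct(const char *hdr, const char *host) {
    return strlen(hdr) + count_addrs(hdr) * (1 + strlen(host)) + 1;
}

/* Rewrite "a, b" to "a@host, b@host" into out[outsz]. Returns 0 on success,
 * -1 (writing nothing) when outsz is below the corrected size. */
int qualify_addrs(const char *hdr, const char *host, char *out, size_t outsz) {
    size_t hl = strlen(host), o = 0;
    if (outsz < size_correct(hdr, host)) return -1;
    if (*hdr == '\0') { out[0] = '\0'; return 0; }
    for (const char *p = hdr; ; p++) {
        if (*p == ',' || *p == '\0') {
            out[o++] = '@';
            memcpy(out + o, host, hl); o += hl;
            if (*p == '\0') break;
        }
        out[o++] = *p;   /* an address character or the ',' separator */
    }
    out[o] = '\0';
    return 0;
}

/* Bytes the flawed sizing lacks for the sample: one per address, so 2. */
int sample_shortfall(void) {
    return (int)(size_correct(SAMPLE_HDR, SAMPLE_HOST)
               - size_short_by_one(SAMPLE_HDR, SAMPLE_HOST));
}
```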

      Check whether you are affected by running "<prefix>/bin/rpm -q fetchmail".
      If you have an affected version of the fetchmail package (see above),
      please upgrade it according to the solution below.

    Solution:
      Update existing packages to newly patched versions of fetchmail. Select the
      updated source RPM appropriate for your OpenPKG release [2][3][4], and
      fetch it from the OpenPKG FTP service or a mirror location. Verify its
      integrity [5], build a corresponding binary RPM from it and update your
      OpenPKG installation by applying the binary RPM [6]. For the latest
      OpenPKG 1.1 release, perform the following operations to permanently fix
      the security problem (for other releases adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.1/UPD
      ftp> get fetchmail-5.9.13-1.1.1.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig fetchmail-5.9.13-1.1.1.src.rpm
      $ <prefix>/bin/rpm --rebuild fetchmail-5.9.13-1.1.1.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/fetchmail-5.9.13-1.1.1.*.rpm
    ________________________________________________________________________

    References:
      [1] http://security.e-matters.de/advisories/052002.html
      [2] ftp://ftp.openpkg.org/release/1.0/UPD/
      [3] ftp://ftp.openpkg.org/release/1.1/UPD/
      [4] ftp://ftp.openpkg.org/current/SRC/
      [5] http://www.openpkg.org/security.html#signature
      [6] http://www.openpkg.org/tutorial.html#regular-source
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with
    the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
    of the OpenPKG project which you can find under the official URL
    http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
    check the integrity of this advisory, verify its digital signature by
    using GnuPG (http://www.gnupg.org/). For example, pipe this message to
    the command "gpg --verify --keyserver keyserver.pgp.com".
    ________________________________________________________________________