To: bugtraqsecurityfocus.com announcelists.caldera.com security-alertslinuxsecurity.com full-disclosurelists.netsys.com

______________________________________________________________________________

                        SCO Security Advisory

Subject: Linux: fetchmail remote vulnerabilities in multidrop mode
Advisory number: CSSA-2002-051.0
Issue date: 2002 November 21
Cross reference:
______________________________________________________________________________

1. Problem Description

        Several buffer overflows have been found in fetchmail. These
        bugs may be remotely exploited if fetchmail is running in
        multidrop mode.

2. Vulnerable Supported Versions

        System Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1.1 Workstation prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1 Server prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

        OpenLinux 3.1 Workstation prior to fetchmail-6.1.0-3.i386.rpm
                                        prior to fetchmailconf-6.1.0-3.i386.rpm

3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/RPMS

        4.2 Packages

        434fea1951a0d2f3b84aacef99c64406 fetchmail-6.1.0-3.i386.rpm
        f4a95f399c696a47d30cb42076a16537 fetchmailconf-6.1.0-3.i386.rpm

        4.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/SRPMS

        4.5 Source Packages

        4c7bc139f6e47d9971d65496e60a076b fetchmail-6.1.0-3.src.rpm

5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/RPMS

        5.2 Packages

        645cf83c0c1619d544a18b9ce5f9d075 fetchmail-6.1.0-3.i386.rpm
        cc9e945ccf9d649683a4f5dfca3b771a fetchmailconf-6.1.0-3.i386.rpm

        5.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/SRPMS

        5.5 Source Packages

        cb48bec8553df5c52f625ecad3a9411b fetchmail-6.1.0-3.src.rpm

6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/RPMS

        6.2 Packages

        65173695a1ed34351d66264d194612b7 fetchmail-6.1.0-3.i386.rpm
        00f87fcb9ce0d8b1253ccc0e10d488a6 fetchmailconf-6.1.0-3.i386.rpm

        6.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/SRPMS

        6.5 Source Packages

        4554b6c1ba5cc11ab5a0dae47c742605 fetchmail-6.1.0-3.src.rpm

7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/RPMS

        7.2 Packages

        84ef9db93e4e3ecf962332495efb4979 fetchmail-6.1.0-3.i386.rpm
        48b5987e053098ba15c9105386b9b32d fetchmailconf-6.1.0-3.i386.rpm

        7.3 Installation

        rpm -Fvh fetchmail-6.1.0-3.i386.rpm
        rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/SRPMS

        7.5 Source Packages

        9ee9d217103d8ca4b8ac97d6e7709a4d fetchmail-6.1.0-3.src.rpm

8. References

        Specific references for this advisory:

                http://security.e-matters.de/advisories/032002.html
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1174

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr869910, fz526231,
        erg712133.

9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

10. Acknowledgements

        Stefan Esser [s.essere-matters.de] discovered and researched
        these vulnerabilities.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj3dOMkACgkQbluZssSXDTGPQgCgjmlNCI+vLUDeI5zxiAsPVlRD
RmYAn1Kv4+x93f3E6tK3Q/up7qv7xWJB
=yzEf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]