securitymandriva.com
Date: Fri Apr 05 2013 - 08:26:00 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory MDVSA-2013:037
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : fetchmail
 Date : April 5, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in fetchmail:
 
 Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
 contains a switch to disable a countermeasure against certain attacks
 against block ciphers that permit guessing the initialization vectors,
 providing that an attacker can make the application (fetchmail) encrypt
 some data for him -- which is not easily the case (aka a BEAST attack)
 (CVE-2011-3389).
 
 A denial of service flaw was found in the way Fetchmail, a remote mail
 retrieval and forwarding utility, performed base64 decoding of certain
 NTLM server responses. Upon sending the NTLM authentication request,
 Fetchmail did not check if the received response was actually part
 of NTLM protocol exchange, or server-side error message and session
 abort. A rogue NTML server could use this flaw to cause fetchmail
 executable crash (CVE-2012-3482).
 
 This advisory provides the latest version of fetchmail (6.3.22)
 which is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482
 http://www.fetchmail.info/fetchmail-SA-2012-01.txt
 http://www.fetchmail.info/fetchmail-SA-2012-02.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 c30dacec397667ad6058f3800f3aca2c mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm
 bed6bf2974ebcb9ac9c8f5e2c2ee310b mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm
 1750ed3c0d237c7ac4fcf6b98a7b1b21 mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm
 dbd678a792ee058801ec35c7f99096a4 mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRXqbdmqjQ0CJFipgRAogSAJ9P6bArt4G6h+nJ1sHhiZU+ek34IACeNNI7
lBFyD6n3zwBDXPHiHKCUh0Q=
=4YuR
-----END PGP SIGNATURE-----

------------=_1365168434-2161-234
Content-Type: text/plain; charset="UTF-8"; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympamandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

------------=_1365168434-2161-234--

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]