-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:201
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : fetchmail
 Date    : August 12, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in fetchmail:

 socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
 character in a domain name in the subject's Common Name (CN) field of
 an X.509 certificate, which allows man-in-the-middle attackers to
 spoof arbitrary SSL servers via a crafted certificate issued by a
 legitimate Certification Authority, a related issue to CVE-2009-2408
 (CVE-2009-2666).

 This update provides a solution to this vulnerability.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 fc0d6023667f27d8af4b3a016f3f45c3  2008.1/i586/fetchmail-6.3.8-7.2mdv2008.1.i586.rpm
 283af95440b29e164c0e067ab8cda9f6  2008.1/i586/fetchmailconf-6.3.8-7.2mdv2008.1.i586.rpm
 9a57ee9d58bbb701721386850835e3cd  2008.1/i586/fetchmail-daemon-6.3.8-7.2mdv2008.1.i586.rpm
 ae283a656063b3775dea3bba3fcd2e2e  2008.1/SRPMS/fetchmail-6.3.8-7.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 1a0e79540df37a5f9efa0bec42c62805  2008.1/x86_64/fetchmail-6.3.8-7.2mdv2008.1.x86_64.rpm
 332ff34caeb4587367564b6b330bc6e4  2008.1/x86_64/fetchmailconf-6.3.8-7.2mdv2008.1.x86_64.rpm
 5bffe9a0d2da5df6d23b6a17af1296b1  2008.1/x86_64/fetchmail-daemon-6.3.8-7.2mdv2008.1.x86_64.rpm
 ae283a656063b3775dea3bba3fcd2e2e  2008.1/SRPMS/fetchmail-6.3.8-7.2mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 0e428279bf334dfe85c63ed25d8b3107  2009.0/i586/fetchmail-6.3.8-8.1mdv2009.0.i586.rpm
 934c48761c1f7c9346ef6b77b809373c  2009.0/i586/fetchmailconf-6.3.8-8.1mdv2009.0.i586.rpm
 702cecfcb0a901d8be9efd41d1c72093  2009.0/i586/fetchmail-daemon-6.3.8-8.1mdv2009.0.i586.rpm
 3815db62ac4fed4c0dfdd62d7f55faad  2009.0/SRPMS/fetchmail-6.3.8-8.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 4bf00d7233d33c3fc5b796a46b759f43  2009.0/x86_64/fetchmail-6.3.8-8.1mdv2009.0.x86_64.rpm
 44ac784cb13d21d5aeb1fe6bc18d4314  2009.0/x86_64/fetchmailconf-6.3.8-8.1mdv2009.0.x86_64.rpm
 5dc1208126ed2eecccafb8ee766c4b34  2009.0/x86_64/fetchmail-daemon-6.3.8-8.1mdv2009.0.x86_64.rpm
 3815db62ac4fed4c0dfdd62d7f55faad  2009.0/SRPMS/fetchmail-6.3.8-8.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 c29b9d8ed2c1f389ea0e7b14d9112e40  2009.1/i586/fetchmail-6.3.9-1.1mdv2009.1.i586.rpm
 fe9c24396112b32f190e72e1ecbcb616  2009.1/i586/fetchmailconf-6.3.9-1.1mdv2009.1.i586.rpm
 878a6e3369a1bd540ace6a646e343e2b  2009.1/i586/fetchmail-daemon-6.3.9-1.1mdv2009.1.i586.rpm
 f976873519ff6ce77d58814988e589c7  2009.1/SRPMS/fetchmail-6.3.9-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 9d466fd1c5e560b04de4cfa17a0555e7  2009.1/x86_64/fetchmail-6.3.9-1.1mdv2009.1.x86_64.rpm
 32044f61f34ebe3c85c562820d079fb6  2009.1/x86_64/fetchmailconf-6.3.9-1.1mdv2009.1.x86_64.rpm
 9c39d74650b99cddaee5bf2963efa5b4  2009.1/x86_64/fetchmail-daemon-6.3.9-1.1mdv2009.1.x86_64.rpm
 f976873519ff6ce77d58814988e589c7  2009.1/SRPMS/fetchmail-6.3.9-1.1mdv2009.1.src.rpm

 Corporate 3.0:
 81c21054df257729342c1c2482b49561  corporate/3.0/i586/fetchmail-6.2.5-3.8.C30mdk.i586.rpm
 175c8bbbe91f06e139d919350809c3eb  corporate/3.0/i586/fetchmailconf-6.2.5-3.8.C30mdk.i586.rpm
 fb333b7523f82e0be6883edeb1969373  corporate/3.0/i586/fetchmail-daemon-6.2.5-3.8.C30mdk.i586.rpm
 d23b19850a57b6ce9bc784a3eea14719  corporate/3.0/SRPMS/fetchmail-6.2.5-3.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 10b10cdd7d5aa881a0b5e84c4590500d  corporate/3.0/x86_64/fetchmail-6.2.5-3.8.C30mdk.x86_64.rpm
 ce8d21859e640639b8ff20e15dd8ab41  corporate/3.0/x86_64/fetchmailconf-6.2.5-3.8.C30mdk.x86_64.rpm
 0a05886e002ea8af4718df2d55b5d21d  corporate/3.0/x86_64/fetchmail-daemon-6.2.5-3.8.C30mdk.x86_64.rpm
 d23b19850a57b6ce9bc784a3eea14719  corporate/3.0/SRPMS/fetchmail-6.2.5-3.8.C30mdk.src.rpm

 Corporate 4.0:
 314fbbd74754d1793da2dc3945d2def4  corporate/4.0/i586/fetchmail-6.2.5-11.7.20060mlcs4.i586.rpm
 0467a3805fe33b3b65ba3ab87c08f08d  corporate/4.0/i586/fetchmailconf-6.2.5-11.7.20060mlcs4.i586.rpm
 4ae72f7fef6a9f3f0d471b30148a1343  corporate/4.0/i586/fetchmail-daemon-6.2.5-11.7.20060mlcs4.i586.rpm
 c312a60acc88462068cc009b0a64202d  corporate/4.0/SRPMS/fetchmail-6.2.5-11.7.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 4efd52fa2292696aff7558b9960d6818  corporate/4.0/x86_64/fetchmail-6.2.5-11.7.20060mlcs4.x86_64.rpm
 63d83fbb6bc4f03312f4281570e9a996  corporate/4.0/x86_64/fetchmailconf-6.2.5-11.7.20060mlcs4.x86_64.rpm
 5c59ca83d15643903845fc0cffb50cb4  corporate/4.0/x86_64/fetchmail-daemon-6.2.5-11.7.20060mlcs4.x86_64.rpm
 c312a60acc88462068cc009b0a64202d  corporate/4.0/SRPMS/fetchmail-6.2.5-11.7.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 a123563848bc2978fcedef3b56217b93  mes5/i586/fetchmail-6.3.8-8.1mdvmes5.i586.rpm
 721e88658496bddda0d866f22f2236c6  mes5/i586/fetchmailconf-6.3.8-8.1mdvmes5.i586.rpm
 2874c2452d7c91d32145c017dfd0accf  mes5/i586/fetchmail-daemon-6.3.8-8.1mdvmes5.i586.rpm
 bae980a9b813587c551389692134dcff  mes5/SRPMS/fetchmail-6.3.8-8.1mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 d509376c094787132d2e80349f0b8077  mes5/x86_64/fetchmail-6.3.8-8.1mdvmes5.x86_64.rpm
 b4fda79b6b9e5f517b5866ddab15daa9  mes5/x86_64/fetchmailconf-6.3.8-8.1mdvmes5.x86_64.rpm
 a3394da93cbfc359ed9bfccf20cc50e1  mes5/x86_64/fetchmail-daemon-6.3.8-8.1mdvmes5.x86_64.rpm
 bae980a9b813587c551389692134dcff  mes5/SRPMS/fetchmail-6.3.8-8.1mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKgvT0mqjQ0CJFipgRAp3tAJ9GOtB4s6Kh2+U5YzMLe9qWarQMEgCfSQwv
xKk5VxxrjYRfmbkZYaBGSd8=
=oais
-----END PGP SIGNATURE-----
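The Problem Description above says that socket.c in fetchmail before 6.3.11 mishandled a '\0' inside the certificate's Common Name. The C program below is an added illustration of that bug class and is not fetchmail's or Mandriva's code: it models the host-name check two ways, a NUL-terminated string comparison (the vulnerable pattern) beside a length-aware one that rejects an embedded NUL. The expected host name mail.example.net and the crafted CN "mail.example.net\0.attacker.example" are constructed sample inputs, not values taken from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CN_BUFSIZE 256

/* Vulnerable pattern: the CN bytes from the certificate are copied into a
 * C string and compared with strcasecmp(), which stops at the first '\0'.
 * Everything the CA actually signed after an embedded NUL is ignored, so a
 * CN of "mail.example.net\0.attacker.example" matches mail.example.net. */
int cn_matches_vulnerable(const unsigned char *cn, size_t cn_len,
                          const char *expected)
{
    char buf[CN_BUFSIZE];
    if (cn_len >= sizeof buf)
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcasecmp(buf, expected) == 0;
}

/* Hardened pattern: an X.509 CN is an ASN.1 string with an explicit length,
 * so the comparison must honour that length.  If strlen() of the copy is
 * shorter than the ASN.1 length, the CN contains an embedded NUL; such a
 * certificate is refused outright instead of being partially compared. */
int cn_matches_fixed(const unsigned char *cn, size_t cn_len,
                     const char *expected)
{
    char buf[CN_BUFSIZE];
    if (cn_len >= sizeof buf)
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    if (strlen(buf) != cn_len)      /* embedded '\0' inside the CN */
        return 0;
    return strcasecmp(buf, expected) == 0;
}

int main(void)
{
    const char *want = "mail.example.net";
    /* Constructed sample CNs (assumptions for this example): a legitimate
     * one, and a crafted one of the shape the advisory describes.  sizeof-1
     * gives the ASN.1 length including the embedded NUL (34 bytes). */
    const unsigned char good[]    = "mail.example.net";
    const unsigned char crafted[] = "mail.example.net\0.attacker.example";

    printf("legitimate CN: vulnerable=%d fixed=%d\n",
           cn_matches_vulnerable(good, sizeof good - 1, want),
           cn_matches_fixed(good, sizeof good - 1, want));
    printf("crafted CN:    vulnerable=%d fixed=%d\n",
           cn_matches_vulnerable(crafted, sizeof crafted - 1, want),
           cn_matches_fixed(crafted, sizeof crafted - 1, want));
    return 0;
}
```

Build with `cc -Wall nulcn.c -o nulcn && ./nulcn`; the crafted CN is accepted by the vulnerable check and rejected by the fixed one. In real OpenSSL client code the equivalent check is to compare the byte count returned by X509_NAME_get_text_by_NID() with strlen() of the buffer it filled, or to avoid hand-written CN matching altogether and let the library verify the host name (including subjectAltName) with X509_check_host() where it is available.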