OpenPKG Corporation → Security → Security Advisories

OpenPKG Security Advisory

OpenPKG-SA-2007.004

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.004
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.004
Advisory Published:      2008-10-06 23:04 UTC

Issue Id (internal):     OpenPKG-SI-20070106.01
Issue First Created:     2007-01-06
Issue Last Modified:     2007-01-06
Issue Revision:          03


Subject Name:            Fetchmail
Subject Summary:         POP3/IMAP Batch Client
Subject Home:            http://fetchmail.berlios.de/
Subject Versions:        * <= 6.3.5

Vulnerability Id:        CVE-2006-5867, CVE-2006-5974
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           denial of service, exposure of sensitive
                         information

Description:
    According to vendor release notes [0] and security advisories
    [1][2], two security issues exist in the POP3/IMAP batch client
    Fetchmail [3], version up to and including 6.3.5. First, several
    password disclosure vulnerabilities exist because Fetchmail is using
    unsafe logins or omitting the necessary protection through SSL/TLS.
    Second, a Denial of Service (DoS) vulnerability exists because
    Fetchmail crashes during dereferencing the NULL page, when rejecting
    a message sent to an MDA.

References:
    [0] https://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=11977
    [1] http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
    [2] http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
    [3] http://fetchmail.berlios.de/


Primary Package Name:    fetchmail
Primary Package Home:    http://openpkg.org/go/package/fetchmail

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Enterprise       E1.0-SOLID        fetchmail-6.3.5-E1.0.0
OpenPKG Community        2-STABLE-20061018 fetchmail-6.3.5-2.20061018
OpenPKG Community        2-STABLE          fetchmail-6.3.5-2.20061222
OpenPKG Community        CURRENT           fetchmail-6.3.6-20061128

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        fetchmail-6.3.5-E1.0.1
OpenPKG Community        2-STABLE-20061018 fetchmail-6.3.6-2.20070106
OpenPKG Community        2-STABLE          fetchmail-6.3.6-2.20070106
OpenPKG Community        CURRENT           fetchmail-6.3.6-20070106

→ Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
→ more...

Validation: XHTML | CSS

Organisations
Products
- OpenPKG Community
- Features
- Technology Pitch
- Package Database
- Registration
  - Registration Overview
  - Registry Service
- Download
  - Download Policy
  - Download Service
- Sales
  - Request
Services
Security
Documentation
- Flyer
- Presentation
- Showcase
- Article
- Thesis
- Tutorial
- Packaging
- F.A.Q
Community
My OpenPKG