[Forgot Password]
Login  Register Subscribe

26408

 
 

132812

 
 

153620

 
 

909

 
 

123403

 
 

162

Paid content will be excluded from the download.


Download | Alert*
OVAL

DSA-1852 fetchmail -- insufficient input validation

ID: oval:org.mitre.oval:def:8299Date: (C)2009-12-15   (M)2020-04-06
Class: PATCHFamily: unix




It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services)

Platform:
Debian 5.0
Debian 4.0
Product:
fetchmail
Reference:
DSA-1852
CVE-2009-2666
CVE    1
CVE-2009-2666
CPE    2
cpe:/o:debian:debian_linux:5.x
cpe:/o:debian:debian_linux:4.x

© SecPod Technologies