DSA-1852-1 fetchmail -- insufficient input validationID: oval:org.secpod.oval:def:600383 | Date: (C)2011-05-13 (M)2022-10-10 |
Class: PATCH | Family: unix |
It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields. Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 or sslcertck sslproto tls1 For the oldstable distribution , this problem has been fixed in version 6.3.6-1etch2. For the stable distribution , this problem has been fixed in version 6.3.9~rc2-4+lenny1. For the testing distribution , this problem will be fixed soon. For the unstable distribution , this problem has been fixed in version 6.3.9~rc2-6. We recommend that you upgrade your fetchmail packages.
Platform: |
Debian 5.0 |
Debian 4.0 |