Security Advisory fetchmail security update

Advisory: RHSA-2005:640-08
Type: Security Advisory
Severity: Important
Issued on: 2005-07-25
Last updated on: 2005-07-25
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2005-2335

Details

Updated fetchmail packages that fix a security flaw are now available.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could cause send a carefully crafted message UID and cause fetchmail
to crash or potentially execute arbitrary code as the user running
fetchmail. The Common Vulnerabilities and Exposures project assigned the
name CAN-2005-2335 to this issue.

Users of fetchmail should update to this erratum package which contains a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)
SRPMS:
fetchmail-6.2.0-3.el3.2.src.rpm
File outdated by:  RHSA-2009:1427		     f8cf96a663157fefaeb4fc6f1a8cf63d
 
IA-32:
fetchmail-6.2.0-3.el3.2.i386.rpm
File outdated by:  RHSA-2009:1427		     fdfe7a3616a60b838b55c2fa9e818ccf
 
x86_64:
fetchmail-6.2.0-3.el3.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     7bee2b44f864c4ffebdce96fce226d44
 
Red Hat Desktop (v. 4)
SRPMS:
fetchmail-6.2.5-6.el4.2.src.rpm
File outdated by:  RHSA-2009:1427		     74a78227b3e3f5b8a0c392ea1325a2d3
 
IA-32:
fetchmail-6.2.5-6.el4.2.i386.rpm
File outdated by:  RHSA-2009:1427		     07da83424466fe1f855de9c82beb230c
 
x86_64:
fetchmail-6.2.5-6.el4.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     c92a8b8909a1ec1c27cb011d1aa0b924
 
Red Hat Enterprise Linux AS (v. 2.1)
SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.1.src.rpm
File outdated by:  RHSA-2007:0385		     31686858a916ff3a956692767b54d069
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     858ca98c8dd78b81d166ef9e986d50aa
fetchmailconf-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     3b0de7ddec9b7baf8e483671cc134042
 
IA-64:
fetchmail-5.9.0-21.7.3.el2.1.1.ia64.rpm
File outdated by:  RHSA-2007:0385		     5119f1b228b5bf0bf68b7a4907f43c84
fetchmailconf-5.9.0-21.7.3.el2.1.1.ia64.rpm
File outdated by:  RHSA-2007:0385		     eead1136cdaae89c4af5be3e5af15ee5
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
fetchmail-6.2.0-3.el3.2.src.rpm
File outdated by:  RHSA-2009:1427		     f8cf96a663157fefaeb4fc6f1a8cf63d
 
IA-32:
fetchmail-6.2.0-3.el3.2.i386.rpm
File outdated by:  RHSA-2009:1427		     fdfe7a3616a60b838b55c2fa9e818ccf
 
IA-64:
fetchmail-6.2.0-3.el3.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     cd02da478c2e507e094b3581edf8768b
 
PPC:
fetchmail-6.2.0-3.el3.2.ppc.rpm
File outdated by:  RHSA-2009:1427		     5e47a6d1f8babd0005baa45378a8e40c
 
s390:
fetchmail-6.2.0-3.el3.2.s390.rpm
File outdated by:  RHSA-2009:1427		     d4b0e5c8bed708c6b3b2d8b00ba9262c
 
s390x:
fetchmail-6.2.0-3.el3.2.s390x.rpm
File outdated by:  RHSA-2009:1427		     4a5f2fb842e10f1886d5b33afead33a9
 
x86_64:
fetchmail-6.2.0-3.el3.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     7bee2b44f864c4ffebdce96fce226d44
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
fetchmail-6.2.5-6.el4.2.src.rpm
File outdated by:  RHSA-2009:1427		     74a78227b3e3f5b8a0c392ea1325a2d3
 
IA-32:
fetchmail-6.2.5-6.el4.2.i386.rpm
File outdated by:  RHSA-2009:1427		     07da83424466fe1f855de9c82beb230c
 
IA-64:
fetchmail-6.2.5-6.el4.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     289d48240464a4279b0774e79ebed25f
 
PPC:
fetchmail-6.2.5-6.el4.2.ppc.rpm
File outdated by:  RHSA-2009:1427		     6face3dff0e660e2d5eceb82150b371a
 
s390:
fetchmail-6.2.5-6.el4.2.s390.rpm
File outdated by:  RHSA-2009:1427		     c0227905c02d361963da67f1ed45db38
 
s390x:
fetchmail-6.2.5-6.el4.2.s390x.rpm
File outdated by:  RHSA-2009:1427		     96d83be40ae7081aa1dd73ff54f389d8
 
x86_64:
fetchmail-6.2.5-6.el4.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     c92a8b8909a1ec1c27cb011d1aa0b924
 
Red Hat Enterprise Linux ES (v. 2.1)
SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.1.src.rpm
File outdated by:  RHSA-2007:0385		     31686858a916ff3a956692767b54d069
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     858ca98c8dd78b81d166ef9e986d50aa
fetchmailconf-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     3b0de7ddec9b7baf8e483671cc134042
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
fetchmail-6.2.0-3.el3.2.src.rpm
File outdated by:  RHSA-2009:1427		     f8cf96a663157fefaeb4fc6f1a8cf63d
 
IA-32:
fetchmail-6.2.0-3.el3.2.i386.rpm
File outdated by:  RHSA-2009:1427		     fdfe7a3616a60b838b55c2fa9e818ccf
 
IA-64:
fetchmail-6.2.0-3.el3.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     cd02da478c2e507e094b3581edf8768b
 
x86_64:
fetchmail-6.2.0-3.el3.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     7bee2b44f864c4ffebdce96fce226d44
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
fetchmail-6.2.5-6.el4.2.src.rpm
File outdated by:  RHSA-2009:1427		     74a78227b3e3f5b8a0c392ea1325a2d3
 
IA-32:
fetchmail-6.2.5-6.el4.2.i386.rpm
File outdated by:  RHSA-2009:1427		     07da83424466fe1f855de9c82beb230c
 
IA-64:
fetchmail-6.2.5-6.el4.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     289d48240464a4279b0774e79ebed25f
 
x86_64:
fetchmail-6.2.5-6.el4.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     c92a8b8909a1ec1c27cb011d1aa0b924
 
Red Hat Enterprise Linux WS (v. 2.1)
SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.1.src.rpm
File outdated by:  RHSA-2007:0385		     31686858a916ff3a956692767b54d069
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     858ca98c8dd78b81d166ef9e986d50aa
fetchmailconf-5.9.0-21.7.3.el2.1.1.i386.rpm
File outdated by:  RHSA-2007:0385		     3b0de7ddec9b7baf8e483671cc134042
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
fetchmail-6.2.0-3.el3.2.src.rpm
File outdated by:  RHSA-2009:1427		     f8cf96a663157fefaeb4fc6f1a8cf63d
 
IA-32:
fetchmail-6.2.0-3.el3.2.i386.rpm
File outdated by:  RHSA-2009:1427		     fdfe7a3616a60b838b55c2fa9e818ccf
 
IA-64:
fetchmail-6.2.0-3.el3.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     cd02da478c2e507e094b3581edf8768b
 
x86_64:
fetchmail-6.2.0-3.el3.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     7bee2b44f864c4ffebdce96fce226d44
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
fetchmail-6.2.5-6.el4.2.src.rpm
File outdated by:  RHSA-2009:1427		     74a78227b3e3f5b8a0c392ea1325a2d3
 
IA-32:
fetchmail-6.2.5-6.el4.2.i386.rpm
File outdated by:  RHSA-2009:1427		     07da83424466fe1f855de9c82beb230c
 
IA-64:
fetchmail-6.2.5-6.el4.2.ia64.rpm
File outdated by:  RHSA-2009:1427		     289d48240464a4279b0774e79ebed25f
 
x86_64:
fetchmail-6.2.5-6.el4.2.x86_64.rpm
File outdated by:  RHSA-2009:1427		     c92a8b8909a1ec1c27cb011d1aa0b924
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.1.src.rpm
File outdated by:  RHSA-2007:0385		     31686858a916ff3a956692767b54d069
 
IA-64:
fetchmail-5.9.0-21.7.3.el2.1.1.ia64.rpm
File outdated by:  RHSA-2007:0385		     5119f1b228b5bf0bf68b7a4907f43c84
fetchmailconf-5.9.0-21.7.3.el2.1.1.ia64.rpm
File outdated by:  RHSA-2007:0385		     eead1136cdaae89c4af5be3e5af15ee5
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

163816 - CAN-2005-2335 fetchmail overflow from malicious pop3 server


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/