
Security Advisory Moderate: fetchmail security update

Advisory: RHSA-2007:0018-10
Type: Security Advisory
Severity: Moderate
Issued on: 2007-01-31
Last updated on: 2007-01-31
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2005-4348
CVE-2006-5867

Details

Updated fetchmail packages that fix two security issues are now available.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility.

A denial of service flaw was found when Fetchmail was run in multidrop
mode. A malicious mail server could send a message without headers which
would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect
the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.

A flaw was found in the way Fetchmail used TLS encryption to connect to
remote hosts. Fetchmail provided no way to enforce the use of TLS
encryption and would not authenticate POP3 protocol connections properly
(CVE-2006-5867). This update corrects this issue by enforcing TLS
encryption when the "sslproto" configuration directive is set to "tls1".

Users of Fetchmail should update to these packages, which contain
backported patches to correct these issues.

Note: This update may break configurations that assumed Fetchmail would fall
back to plain-text authentication when the POP3 server does not support TLS
encryption, even with the "sslproto" directive set to "tls1". If you use a
custom configuration that depended on this behavior, you will need to modify
it appropriately after installing this update.
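The following is an added audit script, not part of this advisory, of Red Hat's tooling, or of fetchmail itself. It reads a fetchmailrc and classifies each POP3 poll entry by how the "sslproto tls1" change above affects it: entries with "sslproto tls1" (now strictly enforced), entries with the "ssl" keyword (TLS-wrapped connection, unaffected), and entries that request no TLS at all (plain-text authentication). It interprets only the standard poll/skip, proto/protocol, ssl and sslproto keywords plus the credential keywords it must skip over; the sample configuration and its hostnames are constructed for the example.

```python
"""Audit a fetchmailrc for POP3 entries affected by the sslproto/TLS enforcement change.

Added example; not Red Hat's tooling and not fetchmail's own parser. The sample
configuration at the bottom is constructed, with placeholder hostnames.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Filler words fetchmailrc accepts anywhere; they carry no meaning.
NOISE = {"and", "with", "has", "wants", "options", "here", "there", "is", "are", "to"}
# Keywords that take one value we skip over (credentials are deliberately not recorded).
VALUED = {"user", "username", "pass", "password", "port", "service", "auth",
          "authenticate", "via", "interface", "sslcert", "sslkey", "sslcertpath",
          "sslfingerprint"}


@dataclass
class PollEntry:
    host: str
    protocol: str = "auto"            # fetchmail's default when no proto keyword is given
    ssl: bool = False                 # "ssl": connection wrapped in TLS from the first byte
    sslproto: Optional[str] = None    # value of "sslproto", e.g. "tls1"
    extras: List[str] = field(default_factory=list)

    def status(self) -> str:
        """Classify the entry according to the behaviour the advisory describes."""
        if self.protocol != "pop3":
            return "not-pop3"         # outside the scope of this advisory
        if self.ssl:
            return "ssl-wrapped"      # TLS from the first byte; sslproto change does not apply
        if self.sslproto == "tls1":
            return "tls1-enforced"    # now fails instead of falling back to plain text
        return "plaintext"            # no TLS requested; credentials travel in clear text


def tokenize(text: str) -> List[str]:
    """Split into tokens, keeping double-quoted strings intact and dropping # comments."""
    out: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace(";", " ")
        out.extend(re.findall(r'"[^"]*"|\S+', line))
    return out


def unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_fetchmailrc(text: str) -> List[PollEntry]:
    entries: List[PollEntry] = []
    toks = tokenize(text)
    i = 0

    def value(idx: int) -> str:       # value following a keyword, or "" if the file ends
        return unquote(toks[idx]) if idx < len(toks) else ""

    while i < len(toks):
        tok = toks[i].lower()
        if tok in ("poll", "skip"):
            entries.append(PollEntry(host=value(i + 1)))
            i += 2
            continue
        if not entries:               # global options before the first poll entry
            i += 1
            continue
        cur = entries[-1]
        if tok in ("proto", "protocol"):
            cur.protocol = value(i + 1).lower()
            i += 2
        elif tok == "ssl":
            cur.ssl = True
            i += 1
        elif tok == "sslproto":
            cur.sslproto = value(i + 1).lower()
            i += 2
        elif tok in VALUED:
            cur.extras.append(tok)    # keyword kept, its value (e.g. a password) dropped
            i += 2
        elif tok in NOISE:
            i += 1
        else:
            cur.extras.append(tok)    # flags such as sslcertck, keep, fetchall
            i += 1
    return entries


def audit(text: str) -> Dict[str, str]:
    """Map each polled host to its classification."""
    return {e.host: e.status() for e in parse_fetchmailrc(text)}


# Constructed sample ~/.fetchmailrc with placeholder hosts and redacted credentials.
SAMPLE = '''
set postmaster "root"
poll "pop.example.test" proto pop3
     user "alice" with pass "REDACTED" sslproto tls1 sslcertck
poll legacy.example.test protocol POP3 user "bob" password "REDACTED";
poll imap.example.test proto imap user "carol" pass "REDACTED" ssl
poll secure.example.test proto pop3 user "dave" pass "REDACTED" ssl
'''

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:24} {status}")
```

Entries reported as "tls1-enforced" are the ones the note above is about: after the update they will refuse to authenticate against a server that does not offer TLS, which is the intended behaviour. Entries reported as "plaintext" never requested TLS and are worth converting to "sslproto tls1" or "ssl" while the configuration is being reviewed.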


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)

IA-32:
fetchmail-6.2.0-3.el3.3.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: d35be6f0a4f0e4b9a2fcdd134bf5da53
 
x86_64:
fetchmail-6.2.0-3.el3.3.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: d4ac2065f887e9ae72dda8aeedd697e7
 
Red Hat Desktop (v. 4)

SRPMS:
fetchmail-6.2.5-6.el4.5.src.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3c4f4b1ddbb6ce8ffc4d725e17acc9a7
 
IA-32:
fetchmail-6.2.5-6.el4.5.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3e2ab1a0a90e68e25290e834b9b3fc30
 
x86_64:
fetchmail-6.2.5-6.el4.5.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: 806adc07ed6a1ec9a3e24f59e9e143c9
 
Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.4.src.rpm
File outdated by:  RHSA-2007:0385
    MD5: fab2904aa98dfe5fe2eb75f6102b3732
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: e31563e2dfc8c932217bd1c7f7b1240b
fetchmailconf-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: 9a97eff50a8354245833c2a49e18ceda
 
IA-64:
fetchmail-5.9.0-21.7.3.el2.1.4.ia64.rpm
File outdated by:  RHSA-2007:0385
    MD5: c05a0909788b58915df9ba7123291719
fetchmailconf-5.9.0-21.7.3.el2.1.4.ia64.rpm
File outdated by:  RHSA-2007:0385
    MD5: 1c014f448b74cfec7b8ba41f6eca0b0c
 
Red Hat Enterprise Linux AS (v. 3)

IA-32:
fetchmail-6.2.0-3.el3.3.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: d35be6f0a4f0e4b9a2fcdd134bf5da53
 
IA-64:
fetchmail-6.2.0-3.el3.3.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: eb95e7909232fcc77c4ecf6ebd260580
 
PPC:
fetchmail-6.2.0-3.el3.3.ppc.rpm
File outdated by:  RHSA-2009:1427
    MD5: 057e6c3f061f3a745d9c53e182d152cb
 
s390:
fetchmail-6.2.0-3.el3.3.s390.rpm
File outdated by:  RHSA-2009:1427
    MD5: ccd9e8d06484c8a7ac748dfa46c0b8f2
 
s390x:
fetchmail-6.2.0-3.el3.3.s390x.rpm
File outdated by:  RHSA-2009:1427
    MD5: 7974a79684df3749e326b5a96b054616
 
x86_64:
fetchmail-6.2.0-3.el3.3.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: d4ac2065f887e9ae72dda8aeedd697e7
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
fetchmail-6.2.5-6.el4.5.src.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3c4f4b1ddbb6ce8ffc4d725e17acc9a7
 
IA-32:
fetchmail-6.2.5-6.el4.5.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3e2ab1a0a90e68e25290e834b9b3fc30
 
IA-64:
fetchmail-6.2.5-6.el4.5.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: ccc7ed6a3de49200aa3c86dd1919bb0a
 
PPC:
fetchmail-6.2.5-6.el4.5.ppc.rpm
File outdated by:  RHSA-2009:1427
    MD5: 9b781df3ade717d6276af0c922a13b22
 
s390:
fetchmail-6.2.5-6.el4.5.s390.rpm
File outdated by:  RHSA-2009:1427
    MD5: 62dcc2fed3115cafaedff2db94e35377
 
s390x:
fetchmail-6.2.5-6.el4.5.s390x.rpm
File outdated by:  RHSA-2009:1427
    MD5: 1e8b28798ad17fd9d498cfbd5e8f5820
 
x86_64:
fetchmail-6.2.5-6.el4.5.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: 806adc07ed6a1ec9a3e24f59e9e143c9
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.4.src.rpm
File outdated by:  RHSA-2007:0385
    MD5: fab2904aa98dfe5fe2eb75f6102b3732
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: e31563e2dfc8c932217bd1c7f7b1240b
fetchmailconf-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: 9a97eff50a8354245833c2a49e18ceda
 
Red Hat Enterprise Linux ES (v. 3)

IA-32:
fetchmail-6.2.0-3.el3.3.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: d35be6f0a4f0e4b9a2fcdd134bf5da53
 
IA-64:
fetchmail-6.2.0-3.el3.3.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: eb95e7909232fcc77c4ecf6ebd260580
 
x86_64:
fetchmail-6.2.0-3.el3.3.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: d4ac2065f887e9ae72dda8aeedd697e7
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
fetchmail-6.2.5-6.el4.5.src.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3c4f4b1ddbb6ce8ffc4d725e17acc9a7
 
IA-32:
fetchmail-6.2.5-6.el4.5.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3e2ab1a0a90e68e25290e834b9b3fc30
 
IA-64:
fetchmail-6.2.5-6.el4.5.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: ccc7ed6a3de49200aa3c86dd1919bb0a
 
x86_64:
fetchmail-6.2.5-6.el4.5.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: 806adc07ed6a1ec9a3e24f59e9e143c9
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.4.src.rpm
File outdated by:  RHSA-2007:0385
    MD5: fab2904aa98dfe5fe2eb75f6102b3732
 
IA-32:
fetchmail-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: e31563e2dfc8c932217bd1c7f7b1240b
fetchmailconf-5.9.0-21.7.3.el2.1.4.i386.rpm
File outdated by:  RHSA-2007:0385
    MD5: 9a97eff50a8354245833c2a49e18ceda
 
Red Hat Enterprise Linux WS (v. 3)

IA-32:
fetchmail-6.2.0-3.el3.3.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: d35be6f0a4f0e4b9a2fcdd134bf5da53
 
IA-64:
fetchmail-6.2.0-3.el3.3.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: eb95e7909232fcc77c4ecf6ebd260580
 
x86_64:
fetchmail-6.2.0-3.el3.3.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: d4ac2065f887e9ae72dda8aeedd697e7
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
fetchmail-6.2.5-6.el4.5.src.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3c4f4b1ddbb6ce8ffc4d725e17acc9a7
 
IA-32:
fetchmail-6.2.5-6.el4.5.i386.rpm
File outdated by:  RHSA-2009:1427
    MD5: 3e2ab1a0a90e68e25290e834b9b3fc30
 
IA-64:
fetchmail-6.2.5-6.el4.5.ia64.rpm
File outdated by:  RHSA-2009:1427
    MD5: ccc7ed6a3de49200aa3c86dd1919bb0a
 
x86_64:
fetchmail-6.2.5-6.el4.5.x86_64.rpm
File outdated by:  RHSA-2009:1427
    MD5: 806adc07ed6a1ec9a3e24f59e9e143c9
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
fetchmail-5.9.0-21.7.3.el2.1.4.src.rpm
File outdated by:  RHSA-2007:0385
    MD5: fab2904aa98dfe5fe2eb75f6102b3732
 
IA-64:
fetchmail-5.9.0-21.7.3.el2.1.4.ia64.rpm
File outdated by:  RHSA-2007:0385
    MD5: c05a0909788b58915df9ba7123291719
fetchmailconf-5.9.0-21.7.3.el2.1.4.ia64.rpm
File outdated by:  RHSA-2007:0385
    MD5: 1c014f448b74cfec7b8ba41f6eca0b0c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

176266 - CVE-2005-4348 Fetchmail DOS by malicious server in multidrop mode
221981 - CVE-2006-5867 fetchmail not enforcing TLS for POP3 properly


Keywords

multidrop, POP3, TLS


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/