Miembros de
Boletines de Vulnerabilidades |
Denegación de servicio en Fetchmail |
|
Clasificación de la vulnerabilidad |
|
| Propiedad | Valor |
| Nivel de Confianza | Oficial |
| Impacto | Denegación de Servicio |
| Dificultad | Experto |
| Requerimientos del atacante | Acceso remoto sin cuenta a un servicio estandar |
Información sobre el sistema |
|
| Propiedad | Valor |
| Fabricante afectado | GNU/Linux |
| Software afectado |
Fechmail <6.3.1 Fechmail <6.2.5.5 |
Descripción |
|
|
Se ha descubierto una vulnerabilidad en las versiones anteriores a la 6.3.1 y a la 6.2.5.5 de Fetchmail. La vulnerabilidad se da en el manejo de mensajes sin cabeceras cuando Fetchmail está configurado en modo "multidrop", que pueden provocar que la aplicación intente dereferenciar un puntero nulo. La explotación de esta vulnerabilidad podría permitir a un atacante remoto provocar una situación de denegación de servicio de Fetchmail. |
|
Solución |
|
|
Si lo desea, aplique los mecanismos de actualización propios de su distribución, o bien baje las fuentes del software y compílelo usted mismo. Actualización de software Fechmail Fetchmail 6.3.1 Fetchmail 6.2.5.5 http://developer.berlios.de/project/showfiles.php?group_id=1824 Mandriva Linux Mandrakelinux 10.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/fetchmail-6.2.5-5.3.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/fetchmailconf-6.2.5-5.3.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/fetchmail-daemon-6.2.5-5.3.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/fetchmail-6.2.5-5.3.101mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/fetchmail-6.2.5-5.3.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/fetchmailconf-6.2.5-5.3.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/fetchmail-daemon-6.2.5-5.3.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/fetchmail-6.2.5-5.3.101mdk.src.rpm Corporate Server 3.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/fetchmail-6.2.5-3.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.3.C30mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/3.0/SRPMS/fetchmail-6.2.5-3.3.C30mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/fetchmail-6.2.5-3.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/fetchmailconf-6.2.5-3.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/RPMS/fetchmail-daemon-6.2.5-3.3.C30mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/3.0/SRPMS/fetchmail-6.2.5-3.3.C30mdk.src.rpm Mandrivalinux LE2005 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/fetchmail-6.2.5-10.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/fetchmailconf-6.2.5-10.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/RPMS/fetchmail-daemon-6.2.5-10.4.102mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.2/SRPMS/fetchmail-6.2.5-10.4.102mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/fetchmail-6.2.5-10.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/fetchmailconf-6.2.5-10.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/RPMS/fetchmail-daemon-6.2.5-10.4.102mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.2/SRPMS/fetchmail-6.2.5-10.4.102mdk.src.rpm Mandrivalinux 2006 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/fetchmail-6.2.5-11.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/fetchmailconf-6.2.5-11.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/fetchmail-daemon-6.2.5-11.2.20060mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/fetchmail-6.2.5-11.2.20060mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/fetchmail-6.2.5-11.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/fetchmailconf-6.2.5-11.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/fetchmail-daemon-6.2.5-11.2.20060mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/fetchmail-6.2.5-11.2.20060mdk.src.rpm Debian Debian Linux 3.1 Source http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4.dsc http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4.diff.gz http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz Architecture independent http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-ssl_6.2.5-12sarge4_all.deb http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.2.5-12sarge4_all.deb Alpha http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_alpha.deb AMD64 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_amd64.deb ARM http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_arm.deb Intel IA-32 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_i386.deb Intel IA-64 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_ia64.deb HP Precision http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_m68k.deb Big endian MIPS http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_mips.deb Little endian MIPS http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_mipsel.deb PowerPC http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_powerpc.deb IBM S/390 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_s390.deb Sun Sparc http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_sparc.deb Apple Mac OS X 10.3.9 Client http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&cat=1&platform=osx&method=sa/SecUpd2006-004Pan.dmg Mac OS X 10.3.9 Server http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg Mac OS X 10.4.7 Client (Intel) http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&cat=1&platform=osx&method=sa/SecUpd2006-004Intel.dmg Mac OS X 10.4.7 Client (PPC) http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11233&cat=1&platform=osx&method=sa/SecUpd2006-004Ti.dmg Red Hat (RHSA-2007:0018-10) Red Hat Desktop (v. 3) Red Hat Desktop (v. 4) Red Hat Enterprise Linux AS (v. 2.1) Red Hat Enterprise Linux AS (v. 3) Red Hat Enterprise Linux AS (v. 4) Red Hat Enterprise Linux ES (v. 2.1) Red Hat Enterprise Linux ES (v. 3) Red Hat Enterprise Linux ES (v. 4) Red Hat Enterprise Linux WS (v. 2.1) Red Hat Enterprise Linux WS (v. 3) Red Hat Enterprise Linux WS (v. 4) Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor https://rhn.redhat.com/ SGI Advanced Linux Environment 3 / RPM / Patch 10370 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/RPMS Advanced Linux Environment 3 / SRPM / Patch 10370 ftp://oss.sgi.com/projects/sgi_propack/download/3/updates/SRPMS |
|
Identificadores estándar |
|
| Propiedad | Valor |
| CVE | CVE-2005-4348 |
| BID | |
Recursos adicionales |
|
|
Fetchmail security announcement fetchmail-SA-2005-03 http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt Mandriva Security Advisory MDKSA-2005:236 http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:236 Debian Security Advisory (DSA 939-1) http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00012.html Apple Security Update (2006-004) http://docs.info.apple.com/article.html?artnum=304063 Red Hat Security Advisory (RHSA-2007:0018-10) https://rhn.redhat.com/errata/RHSA-2007:0018.html SGI Security Advisory (20070201-01-P) ftp://patches.sgi.com/support/free/security/advisories/20070201-01-P.asc |
|
Histórico de versiones |
||
| Versión | Comentario | Fecha |
| 1.0 | Aviso emitido | 2005-12-27 |
| 1.1 | Aviso emitido por Debian (DSA 939-1) | 2006-01-13 |
| 1.2 | Aviso emitido por Apple (2006-004) | 2006-08-02 |
| 1.3 | Aviso emitido por Red Hat (RHSA-2007:0018-10), Aviso emitido por SGI (20070201-01-P) | 2007-03-02 |