Red Hat Product Errata RHSA-2009:1427 - Security Advisory
Issued:
2009-09-08
Updated:
2009-09-08

RHSA-2009:1427 - Security Advisory

Synopsis

Moderate: fetchmail security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An updated fetchmail package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

Fetchmail is a remote mail retrieval and forwarding utility intended for
use over on-demand TCP/IP links, such as SLIP and PPP connections.

It was discovered that fetchmail is affected by the previously published
"null prefix attack", caused by incorrect handling of NULL characters in
X.509 certificates. If an attacker is able to get a carefully-crafted
certificate signed by a trusted Certificate Authority, the attacker could
use the certificate during a man-in-the-middle attack and potentially
confuse fetchmail into accepting it by mistake. (CVE-2009-2666)

A flaw was found in the way fetchmail handles rejections from a remote SMTP
server when sending warning mail to the postmaster. If fetchmail sent a
warning mail to the postmaster of an SMTP server and that SMTP server
rejected it, fetchmail could crash. (CVE-2007-4565)

A flaw was found in fetchmail. When fetchmail is run in double verbose
mode ("-v -v"), it could crash upon receiving certain, malformed mail
messages with long headers. A remote attacker could use this flaw to cause
a denial of service if fetchmail was also running in daemon mode ("-d").
(CVE-2008-2711)

Note: when using SSL-enabled services, it is recommended that the fetchmail
"--sslcertck" option be used to enforce strict SSL certificate checking.

All fetchmail users should upgrade to this updated package, which contains
backported patches to correct these issues. If fetchmail is running in
daemon mode, it must be restarted for this update to take effect (use the
"fetchmail --quit" command to stop the fetchmail process).

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 260601 - CVE-2007-4565 Fetchmail NULL pointer dereference
  • BZ - 451758 - CVE-2008-2711 fetchmail: Crash in large log messages in verbose mode
  • BZ - 515804 - CVE-2009-2666 fetchmail: SSL null terminator bypass

Red Hat Enterprise Linux Server 5

SRPM
fetchmail-6.3.6-1.1.el5_3.1.src.rpm SHA-256: 0182b141d970cad9d0c8a6b70f1d66a778481d24b7b0c08cbe3565473e9b7bde
x86_64
fetchmail-6.3.6-1.1.el5_3.1.x86_64.rpm SHA-256: 9be74495ee74983b80c4ca6ddf059b76ff2a7f6149a843a352ef9463955f18e7
ia64
fetchmail-6.3.6-1.1.el5_3.1.ia64.rpm SHA-256: 297e9b5728cfaa373ee3a0a5bbd2a7bd886df3b995932ab398e88c095e7c5df5
i386
fetchmail-6.3.6-1.1.el5_3.1.i386.rpm SHA-256: 9209e83c3d0271bc9136d5e7f25417d9a13e44fa8922d439b2071b24c28045e7

Red Hat Enterprise Linux Server 4

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
x86_64
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
ia64
fetchmail-6.2.5-6.0.1.el4_8.1.ia64.rpm SHA-256: e31e182c442be6555073e97e5d50f6b79ec22451d8ebeb9fac9b8cf289bf9abc
fetchmail-6.2.5-6.0.1.el4_8.1.ia64.rpm SHA-256: e31e182c442be6555073e97e5d50f6b79ec22451d8ebeb9fac9b8cf289bf9abc
i386
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.8

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
x86_64
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
ia64
fetchmail-6.2.5-6.0.1.el4_8.1.ia64.rpm SHA-256: e31e182c442be6555073e97e5d50f6b79ec22451d8ebeb9fac9b8cf289bf9abc
fetchmail-6.2.5-6.0.1.el4_8.1.ia64.rpm SHA-256: e31e182c442be6555073e97e5d50f6b79ec22451d8ebeb9fac9b8cf289bf9abc
i386
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79

Red Hat Enterprise Linux Workstation 5

SRPM
fetchmail-6.3.6-1.1.el5_3.1.src.rpm SHA-256: 0182b141d970cad9d0c8a6b70f1d66a778481d24b7b0c08cbe3565473e9b7bde
x86_64
fetchmail-6.3.6-1.1.el5_3.1.x86_64.rpm SHA-256: 9be74495ee74983b80c4ca6ddf059b76ff2a7f6149a843a352ef9463955f18e7
i386
fetchmail-6.3.6-1.1.el5_3.1.i386.rpm SHA-256: 9209e83c3d0271bc9136d5e7f25417d9a13e44fa8922d439b2071b24c28045e7

Red Hat Enterprise Linux Workstation 4

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
x86_64
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
ia64
fetchmail-6.2.5-6.0.1.el4_8.1.ia64.rpm SHA-256: e31e182c442be6555073e97e5d50f6b79ec22451d8ebeb9fac9b8cf289bf9abc
i386
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 4

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
x86_64
fetchmail-6.2.5-6.0.1.el4_8.1.x86_64.rpm SHA-256: c67df57fa0e955503145cdb363cb045ff4165b7a0fa3fafe5eba641afb997a43
i386
fetchmail-6.2.5-6.0.1.el4_8.1.i386.rpm SHA-256: 732d730c0f1c4f7f751c95233902fba24b9b7db49d865e41fbcdad69b4c6ad79

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
fetchmail-6.3.6-1.1.el5_3.1.src.rpm SHA-256: 0182b141d970cad9d0c8a6b70f1d66a778481d24b7b0c08cbe3565473e9b7bde
s390x
fetchmail-6.3.6-1.1.el5_3.1.s390x.rpm SHA-256: 8d6d8d4a9c1a6297720db2d254307d5a950f4a19db33e7fbd3ee2c254a76cd5c

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
s390x
fetchmail-6.2.5-6.0.1.el4_8.1.s390x.rpm SHA-256: 1dbe2da23945a76381f9d79d402a301991a746aac606e10680f8837cbe3841ee
s390
fetchmail-6.2.5-6.0.1.el4_8.1.s390.rpm SHA-256: a85ac259daddaeb7de455e008e3da2919dc45c94929f78e607d2268dbe3f4ec7

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.4

SRPM
s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.8

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
s390x
fetchmail-6.2.5-6.0.1.el4_8.1.s390x.rpm SHA-256: 1dbe2da23945a76381f9d79d402a301991a746aac606e10680f8837cbe3841ee
s390
fetchmail-6.2.5-6.0.1.el4_8.1.s390.rpm SHA-256: a85ac259daddaeb7de455e008e3da2919dc45c94929f78e607d2268dbe3f4ec7

Red Hat Enterprise Linux for Power, big endian 5

SRPM
fetchmail-6.3.6-1.1.el5_3.1.src.rpm SHA-256: 0182b141d970cad9d0c8a6b70f1d66a778481d24b7b0c08cbe3565473e9b7bde
ppc
fetchmail-6.3.6-1.1.el5_3.1.ppc.rpm SHA-256: 389c2872fd1cda1819e84911f436ea546ae3f8563bcc7ba22cf56f75fa90e600

Red Hat Enterprise Linux for Power, big endian 4

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
ppc
fetchmail-6.2.5-6.0.1.el4_8.1.ppc.rpm SHA-256: 7878042ce261a6f8590830838c5d7df2007ce4a37044a5b5a6c2cb7c3c3d4c90

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.4

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.8

SRPM
fetchmail-6.2.5-6.0.1.el4_8.1.src.rpm SHA-256: 36dcc53c2c7377a1aed735b0af62bafbf11d8705433276e254af87e958198f73
ppc
fetchmail-6.2.5-6.0.1.el4_8.1.ppc.rpm SHA-256: 7878042ce261a6f8590830838c5d7df2007ce4a37044a5b5a6c2cb7c3c3d4c90

Red Hat Enterprise Linux Server from RHUI 5

SRPM
fetchmail-6.3.6-1.1.el5_3.1.src.rpm SHA-256: 0182b141d970cad9d0c8a6b70f1d66a778481d24b7b0c08cbe3565473e9b7bde
x86_64
fetchmail-6.3.6-1.1.el5_3.1.x86_64.rpm SHA-256: 9be74495ee74983b80c4ca6ddf059b76ff2a7f6149a843a352ef9463955f18e7
i386
fetchmail-6.3.6-1.1.el5_3.1.i386.rpm SHA-256: 9209e83c3d0271bc9136d5e7f25417d9a13e44fa8922d439b2071b24c28045e7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.