Bug 515804 (CVE-2009-2666) - CVE-2009-2666 fetchmail: SSL null terminator bypass
Summary: CVE-2009-2666 fetchmail: SSL null terminator bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2666
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 516266 516267 516268 516269 516270 516275
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-05 19:18 UTC by Vincent Danen
Modified: 2019-09-29 12:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-19 16:41:42 UTC


Attachments (Terms of Use)
upstream patch (r5389) to correct the issue (untested) (8.36 KB, patch)
2009-08-05 19:22 UTC, Vincent Danen
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1427 normal SHIPPED_LIVE Moderate: fetchmail security update 2009-09-08 15:20:37 UTC

Description Vincent Danen 2009-08-05 19:18:03 UTC
Fetchmail suffers from a similar NULL terminator bypass in how it handles SSL certificates, as demonstrated with CVE-2009-2408.

The upstream svn repository [1] has been updated with a currently-untested patch (revision 5389), which I will attach in a moment.

[1] http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/

Comment 1 Vincent Danen 2009-08-05 19:22:56 UTC
Created attachment 356415 [details]
upstream patch (r5389) to correct the issue (untested)

Comment 2 Tomas Hoger 2009-08-06 06:31:20 UTC
Upstream released version 6.3.11 to address this flaw, upstream advisory:

http://www.fetchmail.info/fetchmail-SA-2009-01.txt

Comment 5 Fedora Update System 2009-08-19 10:48:42 UTC
fetchmail-6.3.8-9.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/fetchmail-6.3.8-9.fc10

Comment 6 Fedora Update System 2009-08-19 10:51:51 UTC
fetchmail-6.3.9-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetchmail-6.3.9-5.fc11

Comment 7 Fedora Update System 2009-09-04 04:05:20 UTC
fetchmail-6.3.9-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-09-04 04:07:58 UTC
fetchmail-6.3.8-9.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2009-09-08 15:20:53 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1427 https://rhn.redhat.com/errata/RHSA-2009-1427.html


Note You need to log in before you can comment on or make changes to this bug.