515804 – (CVE-2009-2666) CVE-2009-2666 fetchmail: SSL null terminator bypass

Bug 515804 (CVE-2009-2666) - CVE-2009-2666 fetchmail: SSL null terminator bypass

Summary: CVE-2009-2666 fetchmail: SSL null terminator bypass

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2009-2666
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:	516266 516267 516268 516269 516270 516275
Blocks:
TreeView+	depends on / blocked

Reported:	2009-08-05 19:18 UTC by Vincent Danen
Modified:	2019-09-29 12:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-11-19 16:41:42 UTC
Embargoed:

Attachments	(Terms of Use)
upstream patch (r5389) to correct the issue (untested) (8.36 KB, patch) 2009-08-05 19:22 UTC, Vincent Danen	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:1427	0	normal	SHIPPED_LIVE	Moderate: fetchmail security update	2009-09-08 15:20:37 UTC

Description Vincent Danen 2009-08-05 19:18:03 UTC

Fetchmail suffers from a similar NULL terminator bypass in how it handles SSL certificates, as demonstrated with CVE-2009-2408.

The upstream svn repository [1] has been updated with a currently-untested patch (revision 5389), which I will attach in a moment.

[1] http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/

Comment 1 Vincent Danen 2009-08-05 19:22:56 UTC

Created attachment 356415 [details]
upstream patch (r5389) to correct the issue (untested)

Comment 2 Tomas Hoger 2009-08-06 06:31:20 UTC

Upstream released version 6.3.11 to address this flaw, upstream advisory:

http://www.fetchmail.info/fetchmail-SA-2009-01.txt

Comment 5 Fedora Update System 2009-08-19 10:48:42 UTC

fetchmail-6.3.8-9.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/fetchmail-6.3.8-9.fc10

Comment 6 Fedora Update System 2009-08-19 10:51:51 UTC

fetchmail-6.3.9-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/fetchmail-6.3.9-5.fc11

Comment 7 Fedora Update System 2009-09-04 04:05:20 UTC

fetchmail-6.3.9-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-09-04 04:07:58 UTC

fetchmail-6.3.8-9.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2009-09-08 15:20:53 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1427 https://rhn.redhat.com/errata/RHSA-2009-1427.html

Note You need to log in before you can comment on or make changes to this bug.