MDVSA-2009:201-1
- Package name
- fetchmail
- Date
- 2009-12-04
- Advisory ID
- MDVSA-2009:201-1
- Affected versions
- 2008.0 i586 , 2008.0 x86_64
Problem description
A vulnerability has been found and corrected in fetchmail:
socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
(NUL) character in a domain name in the subject's Common Name (CN)
and subjectAlt(ernative)Name fields of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2666).
This update provides a solution to this vulnerability.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
Updated packages
2008.0 i586
3f4057bfc548c1dccf0d3f9bc4fe8f85 2008.0/i586/fetchmail-6.3.8-4.2mdv2008.0.i586.rpm 76bf19b1f8772966c5044109c348da26 2008.0/i586/fetchmailconf-6.3.8-4.2mdv2008.0.i586.rpm e3e362ecde9e175a34d1df8d2188d59f 2008.0/i586/fetchmail-daemon-6.3.8-4.2mdv2008.0.i586.rpm 1822d2316b99f4ffaa18e482ed29c7f6 2008.0/SRPMS/fetchmail-6.3.8-4.2mdv2008.0.src.rpm
2008.0 x86_64
a0f3f51fd21b8b002c55e7a189cfe4b4 2008.0/x86_64/fetchmail-6.3.8-4.2mdv2008.0.x86_64.rpm 31842cc17128e39c0626c6ce49b2b1e8 2008.0/x86_64/fetchmailconf-6.3.8-4.2mdv2008.0.x86_64.rpm 7291111ad2f72304f5611c67095bac5d 2008.0/x86_64/fetchmail-daemon-6.3.8-4.2mdv2008.0.x86_64.rpm 1822d2316b99f4ffaa18e482ed29c7f6 2008.0/SRPMS/fetchmail-6.3.8-4.2mdv2008.0.src.rpm