Package name: fetchmail
Date: 2009-12-04
Advisory ID: MDVSA-2009:201-1
Affected versions: 2008.0 i586, 2008.0 x86_64

Problem description

A vulnerability has been found and corrected in fetchmail:

socket.c in fetchmail before 6.3.11 does not properly handle a '\0'
(NUL) character in a domain name in the subject's Common Name (CN)
and subjectAlt(ernative)Name fields of an X.509 certificate, which
allows man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification Authority,
a related issue to CVE-2009-2408 (CVE-2009-2666).

This update provides a solution to this vulnerability.
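
The C code below is an added example, not code from fetchmail's socket.c. It contrasts a hostname comparison that treats the certificate name as a C string with one that honours the ASN.1 length and refuses embedded NUL bytes. The function names and the sample name are constructed for illustration, and matching is exact (no wildcard handling).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a name field as its ASN.1 string carries it,
 * 31 bytes with a NUL after "mail.example.org". */
static const unsigned char sample_cn[] = "mail.example.org\0.other.example";
#define SAMPLE_CN_LEN (sizeof sample_cn - 1)

/* Flawed pattern (hypothetical helper): the ASN.1 length is ignored and
 * the name is compared as a C string, so matching stops at the first NUL.
 * Assumes the buffer has a trailing NUL, as in this sample. */
int name_matches_naive(const unsigned char *name, size_t name_len,
                       const char *expected_host)
{
    (void)name_len;
    return strcasecmp((const char *)name, expected_host) == 0;
}

/* Hardened pattern (hypothetical helper): refuse any name containing a
 * NUL inside its declared length, then compare over the full length. */
int name_matches_checked(const unsigned char *name, size_t name_len,
                         const char *expected_host)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;                      /* embedded NUL: reject the name */
    if (name_len != strlen(expected_host))
        return 0;                      /* lengths must agree exactly */
    return strncasecmp((const char *)name, expected_host, name_len) == 0;
}

int main(void)
{
    const char *host = "mail.example.org";
    printf("naive:   %d\n", name_matches_naive(sample_cn, SAMPLE_CN_LEN, host));
    printf("checked: %d\n", name_matches_checked(sample_cn, SAMPLE_CN_LEN, host));
    return 0;
}
```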

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

Updated packages

2008.0 i586

 3f4057bfc548c1dccf0d3f9bc4fe8f85  2008.0/i586/fetchmail-6.3.8-4.2mdv2008.0.i586.rpm
 76bf19b1f8772966c5044109c348da26  2008.0/i586/fetchmailconf-6.3.8-4.2mdv2008.0.i586.rpm
 e3e362ecde9e175a34d1df8d2188d59f  2008.0/i586/fetchmail-daemon-6.3.8-4.2mdv2008.0.i586.rpm 
 1822d2316b99f4ffaa18e482ed29c7f6  2008.0/SRPMS/fetchmail-6.3.8-4.2mdv2008.0.src.rpm

2008.0 x86_64

 a0f3f51fd21b8b002c55e7a189cfe4b4  2008.0/x86_64/fetchmail-6.3.8-4.2mdv2008.0.x86_64.rpm
 31842cc17128e39c0626c6ce49b2b1e8  2008.0/x86_64/fetchmailconf-6.3.8-4.2mdv2008.0.x86_64.rpm
 7291111ad2f72304f5611c67095bac5d  2008.0/x86_64/fetchmail-daemon-6.3.8-4.2mdv2008.0.x86_64.rpm 
 1822d2316b99f4ffaa18e482ed29c7f6  2008.0/SRPMS/fetchmail-6.3.8-4.2mdv2008.0.src.rpm

References