Package name
fetchmail
Date
2013-04-05
Advisory ID
MDVSA-2013:037
Affected versions
MBS1 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in fetchmail:

Fetchmail version 6.3.9 enabled all SSL workarounds (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case (aka a BEAST attack)
(CVE-2011-3389).

A denial of service flaw was found in the way Fetchmail, a remote mail
retrieval and forwarding utility, performed base64 decoding of certain
NTLM server responses. Upon sending the NTLM authentication request,
Fetchmail did not check if the received response was actually part
of NTLM protocol exchange, or server-side error message and session
abort. A rogue NTML server could use this flaw to cause fetchmail
executable crash (CVE-2012-3482).

This advisory provides the latest version of fetchmail (6.3.22)
which is not vulnerable to these issues.

Updated packages

MBS1 x86_64

 c30dacec397667ad6058f3800f3aca2c  mbs1/x86_64/fetchmail-6.3.22-1.mbs1.x86_64.rpm
 bed6bf2974ebcb9ac9c8f5e2c2ee310b  mbs1/x86_64/fetchmailconf-6.3.22-1.mbs1.x86_64.rpm
 1750ed3c0d237c7ac4fcf6b98a7b1b21  mbs1/x86_64/fetchmail-daemon-6.3.22-1.mbs1.x86_64.rpm 
 dbd678a792ee058801ec35c7f99096a4  mbs1/SRPMS/fetchmail-6.3.22-1.mbs1.src.rpm

References