CVE-2005-4348
CVSS7.8
发布时间 :2005-12-20 19:03:00
修订时间 :2011-03-07 21:28:02
NMCOPS    

[原文]fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.


[CNNVD]Apple Mac OS X多个安全漏洞(CNNVD-200512-468)

        Apple Mac OS X是苹果家族机器所使用的操作系统。
        最新的Mac OS X更新修复了多个漏洞,具体如下:
        CVE-2006-1472
        AFP Server中的漏洞允许在搜索结果中包含执行搜索用户无权访问的文件和文件夹。如果文件名本身就是敏感信息的话,就可能导致信息泄露;如果权限允许的话,攻击者还可以访问文件内容。
        CVE-2006-1473
        已认证用户可以触发AFP Server中的整数溢出漏洞,导致拒绝服务或以系统权限执行任意代码。AFP Server在Mac OS X中不是默认启用的。
        CVE-2006-3495
        在Mac OS X Server上,AFP Server支持在网络断开后重新连接文件共享会话。重新连接密钥的存储是完全可读的,因此通过认证的本地用户就可以读取该密钥,扮演为AFP上的其他用户,并以所扮演用户的权限访问文件或文件夹。
        CVE-2006-3496
        攻击者可以通过特制的无效AFP请求触发AFP Server中的拒绝服务。
        CVE-2006-3497
        Bom的压缩状态处理可能导致堆破坏。攻击者可以创建特制的Zip文档并诱骗用户打开来触发这个漏洞,导致应用程序崩溃或执行任意代码。
        CVE-2006-3498
        bootpd的请求处理中存在栈溢出。远程攻击者可以通过特制的BOOTP请求触发这个漏洞,导致以系统权限执行任意代码。bootpd在Mac OS X上不是默认启用的,必须手动配置。
        CVE-2006-3499
        恶意的本地用户可以指定动态连接器选项,导致标准错误输出。这种输出包含有敏感内容或用户指定的内容,因此解析或重新使用标准错误的特权应用程序可能受到不良的影响。
        CVE-2006-3500
        在搜索加载到特权应用程序的函数库时没有正确的处理动态连接器,可能导致包含危险的路径,这样恶意的本地用户就可以导致加载动态连接器,以提升的权限执行任意代码。
        CVE-2006-0392
        攻击者可以通过特制的Canon RAW图形触发溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3501
        攻击者可以通过特制的Radiance图形触发整数溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3502
        攻击者可以通过特制的GIF图形触发内存分配失败,导致应用程序崩溃或执行任意代码。
        CVE-2006-3503
        攻击者可以通过特制的GIF图形触发整数溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3504
        下载验证可能将某些包含有HTML的文件错误的识别为"安全"。如果在Safari中下载了这样的文件且Safari的"下载后打开安全的文件"选项已启用,则就会从本地URI自动打开HTML文档,允许文档中嵌入的JavaScript代码绕过访问限制。
        CVE-2006-0393
        如果使用不存在的帐号试图登录到OpenSSH Server的话就会导致认证进程挂起。攻击者可以利用这种行为检测是否存在特定的帐号,大量的尝试还可以导致拒绝服务。
        CVE-2006-3505
        特制的HTML文档可能导致访问之前已解除分配的对象,造成应用程序崩溃或执行任意代码。
        此外,这个更新还修复了其他一些第三方产品中的多个漏洞。

- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-399 [资源管理错误]

- CPE (受影响的平台与产品)

cpe:/a:fetchmail:fetchmail:6.1.0Fetchmail 6.1.0
cpe:/a:fetchmail:fetchmail:5.2.1Fetchmail 5.2.1
cpe:/a:fetchmail:fetchmail:6.2.0Fetchmail 6.2.0
cpe:/a:fetchmail:fetchmail:4.7.7Fetchmail 4.7.7
cpe:/a:fetchmail:fetchmail:5.4.5Fetchmail 5.4.5
cpe:/a:fetchmail:fetchmail:5.5.0Fetchmail 5.5.0
cpe:/a:fetchmail:fetchmail:4.6.8Fetchmail 4.6.8
cpe:/a:fetchmail:fetchmail:6.3.0Fetchmail 6.3.0
cpe:/a:fetchmail:fetchmail:6.2.6:pre8Fetchmail 6.2.6 pre8
cpe:/a:fetchmail:fetchmail:5.0.6Fetchmail 5.0.6
cpe:/a:fetchmail:fetchmail:6.2.9:rc3Fetchmail 6.2.9 release candidate 3
cpe:/a:fetchmail:fetchmail:5.1.0Fetchmail 5.1.0
cpe:/a:fetchmail:fetchmail:4.7.2Fetchmail 4.7.2
cpe:/a:fetchmail:fetchmail:5.8.13Fetchmail 5.8.13
cpe:/a:fetchmail:fetchmail:6.2.6:pre9Fetchmail 6.2.6 pre9
cpe:/a:fetchmail:fetchmail:6.2.5.4Fetchmail 6.2.5.4
cpe:/a:fetchmail:fetchmail:6.2.2Fetchmail 6.2.2
cpe:/a:fetchmail:fetchmail:5.9.5Fetchmail 5.9.5
cpe:/a:fetchmail:fetchmail:4.7.5Fetchmail 4.7.5
cpe:/a:fetchmail:fetchmail:5.0.3Fetchmail 5.0.3
cpe:/a:fetchmail:fetchmail:5.9.0Fetchmail 5.9.0
cpe:/a:fetchmail:fetchmail:5.9.11Fetchmail 5.9.11
cpe:/a:fetchmail:fetchmail:5.2.0Fetchmail 5.2.0
cpe:/a:fetchmail:fetchmail:5.8.11Fetchmail 5.8.11
cpe:/a:fetchmail:fetchmail:4.5.5Fetchmail 4.5.5
cpe:/a:fetchmail:fetchmail:6.1.3Fetchmail 6.1.3
cpe:/a:fetchmail:fetchmail:5.9.4Fetchmail 5.9.4
cpe:/a:fetchmail:fetchmail:4.6.4Fetchmail 4.6.4
cpe:/a:fetchmail:fetchmail:4.5.7Fetchmail 4.5.7
cpe:/a:fetchmail:fetchmail:5.2.3Fetchmail 5.2.3
cpe:/a:fetchmail:fetchmail:4.5.6Fetchmail 4.5.6
cpe:/a:fetchmail:fetchmail:5.1.4Fetchmail 5.1.4
cpe:/a:fetchmail:fetchmail:5.5.6Fetchmail 5.5.6
cpe:/a:fetchmail:fetchmail:5.0.1Fetchmail 5.0.1
cpe:/a:fetchmail:fetchmail:4.7.3Fetchmail 4.7.3
cpe:/a:fetchmail:fetchmail:5.9.13Fetchmail 5.9.13
cpe:/a:fetchmail:fetchmail:5.3.1Fetchmail 5.3.1
cpe:/a:fetchmail:fetchmail:5.3.8Fetchmail 5.3.8
cpe:/a:fetchmail:fetchmail:6.2.9:rc10Fetchmail 6.2.9 release candidate 10
cpe:/a:fetchmail:fetchmail:4.6.3Fetchmail 4.6.3
cpe:/a:fetchmail:fetchmail:6.2.9:rc5Fetchmail 6.2.9 release candidate 5
cpe:/a:fetchmail:fetchmail:6.2.9:rc8Fetchmail 6.2.9 release candidate 8
cpe:/a:fetchmail:fetchmail:4.6.6Fetchmail 4.6.6
cpe:/a:fetchmail:fetchmail:4.6.5Fetchmail 4.6.5
cpe:/a:fetchmail:fetchmail:4.6.7Fetchmail 4.6.7
cpe:/a:fetchmail:fetchmail:6.2.3Fetchmail 6.2.3
cpe:/a:fetchmail:fetchmail:6.2.5.2Fetchmail 6.2.5.2
cpe:/a:fetchmail:fetchmail:5.3.3Fetchmail 5.3.3
cpe:/a:fetchmail:fetchmail:5.7.2Fetchmail 5.7.2
cpe:/a:fetchmail:fetchmail:5.8.17Fetchmail 5.8.17
cpe:/a:fetchmail:fetchmail:5.8.6Fetchmail 5.8.6
cpe:/a:fetchmail:fetchmail:6.2.4Fetchmail 6.2.4
cpe:/a:fetchmail:fetchmail:5.4.0Fetchmail 5.4.0
cpe:/a:fetchmail:fetchmail:4.6.1Fetchmail 4.6.1
cpe:/a:fetchmail:fetchmail:5.5.3Fetchmail 5.5.3
cpe:/a:fetchmail:fetchmail:4.7.6Fetchmail 4.7.6
cpe:/a:fetchmail:fetchmail:5.0.0Fetchmail 5.0.0
cpe:/a:fetchmail:fetchmail:5.8.4Fetchmail 5.8.4
cpe:/a:fetchmail:fetchmail:6.2.6:pre4Fetchmail 6.2.6 pre4
cpe:/a:fetchmail:fetchmail:4.5.3Fetchmail 4.5.3
cpe:/a:fetchmail:fetchmail:5.9.8Fetchmail 5.9.8
cpe:/a:fetchmail:fetchmail:4.6.0Fetchmail 4.6.0
cpe:/a:fetchmail:fetchmail:4.5.2Fetchmail 4.5.2
cpe:/a:fetchmail:fetchmail:4.6.9Fetchmail 4.6.9
cpe:/a:fetchmail:fetchmail:6.2.9:rc4Fetchmail 6.2.9 release candidate 4
cpe:/a:fetchmail:fetchmail:4.7.4Fetchmail 4.7.4
cpe:/a:fetchmail:fetchmail:5.9.10Fetchmail 5.9.10
cpe:/a:fetchmail:fetchmail:5.6.0Fetchmail 5.6.0
cpe:/a:fetchmail:fetchmail:5.0.7Fetchmail 5.0.7
cpe:/a:fetchmail:fetchmail:4.5.1Fetchmail 4.5.1
cpe:/a:fetchmail:fetchmail:4.6.2Fetchmail 4.6.2
cpe:/a:fetchmail:fetchmail:5.3.0Fetchmail 5.3.0
cpe:/a:fetchmail:fetchmail:6.2.1Fetchmail 6.2.1
cpe:/a:fetchmail:fetchmail:5.8.14Fetchmail 5.8.14
cpe:/a:fetchmail:fetchmail:6.2.5Fetchmail 6.2.5
cpe:/a:fetchmail:fetchmail:4.5.4Fetchmail 4.5.4
cpe:/a:fetchmail:fetchmail:5.8.5Fetchmail 5.8.5
cpe:/a:fetchmail:fetchmail:5.0.5Fetchmail 5.0.5
cpe:/a:fetchmail:fetchmail:4.5.8Fetchmail 4.5.8
cpe:/a:fetchmail:fetchmail:5.0.2Fetchmail 5.0.2
cpe:/a:fetchmail:fetchmail:5.5.5Fetchmail 5.5.5
cpe:/a:fetchmail:fetchmail:6.2.9:rc7Fetchmail 6.2.9 release candidate 7
cpe:/a:fetchmail:fetchmail:5.7.0Fetchmail 5.7.0
cpe:/a:fetchmail:fetchmail:5.2.8Fetchmail 5.2.8
cpe:/a:fetchmail:fetchmail:5.4.3Fetchmail 5.4.3
cpe:/a:fetchmail:fetchmail:5.8.2Fetchmail 5.8.2
cpe:/a:fetchmail:fetchmail:6.2.9:rc9Fetchmail 6.2.9 release candidate 9
cpe:/a:fetchmail:fetchmail:5.7.4Fetchmail 5.7.4
cpe:/a:fetchmail:fetchmail:5.2.4Fetchmail 5.2.4
cpe:/a:fetchmail:fetchmail:6.0.0Fetchmail 6.0.0
cpe:/a:fetchmail:fetchmail:5.8Fetchmail 5.8
cpe:/a:fetchmail:fetchmail:4.7.1Fetchmail 4.7.1
cpe:/a:fetchmail:fetchmail:6.2.5.1Fetchmail 6.2.5.1
cpe:/a:fetchmail:fetchmail:5.5.2Fetchmail 5.5.2
cpe:/a:fetchmail:fetchmail:5.4.4Fetchmail 5.4.4
cpe:/a:fetchmail:fetchmail:5.0.8Fetchmail 5.0.8
cpe:/a:fetchmail:fetchmail:4.7.0Fetchmail 4.7.0
cpe:/a:fetchmail:fetchmail:5.0.4Fetchmail 5.0.4
cpe:/a:fetchmail:fetchmail:5.8.3Fetchmail 5.8.3
cpe:/a:fetchmail:fetchmail:5.2.7Fetchmail 5.2.7
cpe:/a:fetchmail:fetchmail:5.8.1Fetchmail 5.8.1

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:9659fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (applica...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4348
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-468
(官方数据源) CNNVD

- 其它链接及资源

http://secunia.com/advisories/17891
(VENDOR_ADVISORY)  SECUNIA  17891
http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
(VENDOR_ADVISORY)  CONFIRM  http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
http://xforce.iss.net/xforce/xfdb/23713
(UNKNOWN)  XF  fetchmail-null-pointer-dos(23713)
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:236
(UNKNOWN)  MANDRIVA  MDKSA-2005:236
http://www.vupen.com/english/advisories/2006/3101
(UNKNOWN)  VUPEN  ADV-2006-3101
http://www.vupen.com/english/advisories/2005/2996
(UNKNOWN)  VUPEN  ADV-2005-2996
http://www.ubuntulinux.org/support/documentation/usn/usn-233-1
(UNKNOWN)  UBUNTU  USN-233-1
http://www.trustix.org/errata/2006/0002/
(UNKNOWN)  TRUSTIX  2006-0002
http://www.securityfocus.com/bid/19289
(UNKNOWN)  BID  19289
http://www.securityfocus.com/bid/15987
(UNKNOWN)  BID  15987
http://www.securityfocus.com/archive/1/archive/1/435197/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060526 rPSA-2006-0084-1 fetchmail
http://www.securityfocus.com/archive/1/archive/1/420098/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051221 fetchmail security announcement fetchmail-SA-2005-03 (CVE-2005-4348)
http://www.redhat.com/support/errata/RHSA-2007-0018.html
(UNKNOWN)  REDHAT  RHSA-2007:0018
http://www.osvdb.org/21906
(UNKNOWN)  OSVDB  21906
http://www.novell.com/linux/security/advisories/2007_4_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2007:004
http://www.debian.org/security/2005/dsa-939
(UNKNOWN)  DEBIAN  DSA-939
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.443499
(UNKNOWN)  SLACKWARE  SSA:2006-045-01
http://securitytracker.com/id?1015383
(UNKNOWN)  SECTRACK  1015383
http://secunia.com/advisories/24284
(VENDOR_ADVISORY)  SECUNIA  24284
http://secunia.com/advisories/24007
(VENDOR_ADVISORY)  SECUNIA  24007
http://secunia.com/advisories/21253
(VENDOR_ADVISORY)  SECUNIA  21253
http://secunia.com/advisories/18895
(VENDOR_ADVISORY)  SECUNIA  18895
http://secunia.com/advisories/18463
(VENDOR_ADVISORY)  SECUNIA  18463
http://secunia.com/advisories/18433
(VENDOR_ADVISORY)  SECUNIA  18433
http://secunia.com/advisories/18266
(VENDOR_ADVISORY)  SECUNIA  18266
http://secunia.com/advisories/18231
(VENDOR_ADVISORY)  SECUNIA  18231
http://secunia.com/advisories/18172
(VENDOR_ADVISORY)  SECUNIA  18172
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343836
(UNKNOWN)  MISC  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343836
ftp://patches.sgi.com/support/free/security/advisories/20070201-01-P.asc
(UNKNOWN)  SGI  20070201-01-P

- 漏洞信息

Apple Mac OS X多个安全漏洞
高危 其他
2005-12-20 00:00:00 2006-09-05 00:00:00
远程  
        Apple Mac OS X是苹果家族机器所使用的操作系统。
        最新的Mac OS X更新修复了多个漏洞,具体如下:
        CVE-2006-1472
        AFP Server中的漏洞允许在搜索结果中包含执行搜索用户无权访问的文件和文件夹。如果文件名本身就是敏感信息的话,就可能导致信息泄露;如果权限允许的话,攻击者还可以访问文件内容。
        CVE-2006-1473
        已认证用户可以触发AFP Server中的整数溢出漏洞,导致拒绝服务或以系统权限执行任意代码。AFP Server在Mac OS X中不是默认启用的。
        CVE-2006-3495
        在Mac OS X Server上,AFP Server支持在网络断开后重新连接文件共享会话。重新连接密钥的存储是完全可读的,因此通过认证的本地用户就可以读取该密钥,扮演为AFP上的其他用户,并以所扮演用户的权限访问文件或文件夹。
        CVE-2006-3496
        攻击者可以通过特制的无效AFP请求触发AFP Server中的拒绝服务。
        CVE-2006-3497
        Bom的压缩状态处理可能导致堆破坏。攻击者可以创建特制的Zip文档并诱骗用户打开来触发这个漏洞,导致应用程序崩溃或执行任意代码。
        CVE-2006-3498
        bootpd的请求处理中存在栈溢出。远程攻击者可以通过特制的BOOTP请求触发这个漏洞,导致以系统权限执行任意代码。bootpd在Mac OS X上不是默认启用的,必须手动配置。
        CVE-2006-3499
        恶意的本地用户可以指定动态连接器选项,导致标准错误输出。这种输出包含有敏感内容或用户指定的内容,因此解析或重新使用标准错误的特权应用程序可能受到不良的影响。
        CVE-2006-3500
        在搜索加载到特权应用程序的函数库时没有正确的处理动态连接器,可能导致包含危险的路径,这样恶意的本地用户就可以导致加载动态连接器,以提升的权限执行任意代码。
        CVE-2006-0392
        攻击者可以通过特制的Canon RAW图形触发溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3501
        攻击者可以通过特制的Radiance图形触发整数溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3502
        攻击者可以通过特制的GIF图形触发内存分配失败,导致应用程序崩溃或执行任意代码。
        CVE-2006-3503
        攻击者可以通过特制的GIF图形触发整数溢出,导致应用程序崩溃或执行任意代码。
        CVE-2006-3504
        下载验证可能将某些包含有HTML的文件错误的识别为"安全"。如果在Safari中下载了这样的文件且Safari的"下载后打开安全的文件"选项已启用,则就会从本地URI自动打开HTML文档,允许文档中嵌入的JavaScript代码绕过访问限制。
        CVE-2006-0393
        如果使用不存在的帐号试图登录到OpenSSH Server的话就会导致认证进程挂起。攻击者可以利用这种行为检测是否存在特定的帐号,大量的尝试还可以导致拒绝服务。
        CVE-2006-3505
        特制的HTML文档可能导致访问之前已解除分配的对象,造成应用程序崩溃或执行任意代码。
        此外,这个更新还修复了其他一些第三方产品中的多个漏洞。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&cat=1&platform=osx&method=sa/SecUpd2006-004Pan.dmg
        http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&cat=1&platform=osx&method=sa/SecUpd2006-004Intel.dmg

- 漏洞信息 (F43090)

Debian Linux Security Advisory 939-1 (PacketStormID:F43090)
2006-01-15 00:00:00
Debian  debian.org
advisory,imap
linux,debian
CVE-2005-4348
[点击下载]

Debian Security Advisory DSA 939-1 - Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 939-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 13th, 2006                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : fetchmail
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-4348

Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3,
APOP, IMAP mail gatherer/forwarder, that can cause a crash when the
program is running in multidrop mode and receives messages without
headers.

The old stable distribution (woody) does not seem to be affected by
this problem.

For the stable distribution (sarge) this problem has been fixed in
version 6.2.5-12sarge4.

For the unstable distribution (sid) this problem has been fixed in
version 6.3.1-1.

We recommend that you upgrade your fetchmail package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4.dsc
      Size/MD5 checksum:      650 da6a5aa9e110932fb67071233c390fa2
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4.diff.gz
      Size/MD5 checksum:   150807 6ccb7da887a4b42997e08ef27fbebf55
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5 checksum:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-ssl_6.2.5-12sarge4_all.deb
      Size/MD5 checksum:    42234 7f4fae48064a57eae406d72676ab0e54
    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.2.5-12sarge4_all.deb
      Size/MD5 checksum:   101308 1d2a6d40b517a3fc447e2f2d30319fbf

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_alpha.deb
      Size/MD5 checksum:   572964 d87d2f1dd059d0aa4854253405c7fdc3

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_amd64.deb
      Size/MD5 checksum:   555706 9b819cf25859874a1a37585eed8664d6

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_arm.deb
      Size/MD5 checksum:   549176 ae3b2abd6c4408c8be07a8a8065cd2ab

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_i386.deb
      Size/MD5 checksum:   547692 3bc3343f756f1fea4bc7b731cc6e2fed

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_ia64.deb
      Size/MD5 checksum:   597004 c1f497a0ac9ba4f04ab31e1ad66ff729

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_hppa.deb
      Size/MD5 checksum:   561572 cbc31b2ececa0e02ec1a2fa6bc02c019

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_m68k.deb
      Size/MD5 checksum:   537914 1ac30118a80e1b516fbdcaf9e53f3264

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_mips.deb
      Size/MD5 checksum:   556594 6704277ba1a9b9706e6e921ee76e0931

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_mipsel.deb
      Size/MD5 checksum:   556424 f82021920ac82e2126580a3f594953a1

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_powerpc.deb
      Size/MD5 checksum:   556180 b72003c6bbec3bfeeeade4bc94b2f7ff

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_s390.deb
      Size/MD5 checksum:   554496 90790158afe5fb2f5da3eafdfb6d5874

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge4_sparc.deb
      Size/MD5 checksum:   549094 d1533c572fe845b7e49e88fb40acf0fb


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDx2eMW5ql+IAeqTIRAvaQAJ42FSGgy4UKbIEHYuGc/AHi0c0WXQCfQL4r
j4/jMdvhlbB+Bo4nAhny02A=
=qIRF
-----END PGP SIGNATURE-----

    

- 漏洞信息 (F42751)

Ubuntu Security Notice 233-1 (PacketStormID:F42751)
2006-01-03 00:00:00
Ubuntu  security.ubuntu.com
advisory,remote,denial of service
linux,ubuntu
CVE-2005-4348
[点击下载]

Ubuntu Security Notice USN-233-1 - Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in 'multidrop' mode, a malicious email server could cause a crash by sending an email without any headers.

===========================================================
Ubuntu Security Notice USN-233-1	   January 02, 2006
fetchmail vulnerability
CVE-2005-4348
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

fetchmail

The problem can be corrected by upgrading the affected package to
version 6.2.5-8ubuntu2.3 (for Ubuntu 4.10), 6.2.5-12ubuntu1.3 (for
Ubuntu 5.04), or 6.2.5-13ubuntu3.2 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Steve Fosdick discovered a remote Denial of Service vulnerability in
fetchmail. When using fetchmail in 'multidrop' mode, a malicious email
server could cause a crash by sending an email without any headers.
Since fetchmail is commonly called automatically (with cron, for
example), this crash could go unnoticed.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3.diff.gz
      Size/MD5:   151315 a832d3536f810689cfb51904577afe31
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3.dsc
      Size/MD5:      656 90dd7402e4cec15abe0bf45e6c274503
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-12ubuntu1.3_all.deb
      Size/MD5:    42434 a7ef705546ce8f4e603075f39a6dde4b
    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-12ubuntu1.3_all.deb
      Size/MD5:   101538 389cd71986280ab56fcbba0e404604f6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_amd64.deb
      Size/MD5:   297028 067506bbeffaadd42306539a4997e370

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_i386.deb
      Size/MD5:   286240 d5c068f89b48562716e016450e2248df

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-12ubuntu1.3_powerpc.deb
      Size/MD5:   296246 544f5b58795c986c7a252cc2e2a8727f

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3.diff.gz
      Size/MD5:   137257 f0ceaf752282a062c999b384b8b7ff55
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3.dsc
      Size/MD5:      639 85458cbf69ba7f067527d80ac7ceb4b3
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-8ubuntu2.3_all.deb
      Size/MD5:   101674 8a30c5316f2ea1fcce14b3c36ba370bf

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_amd64.deb
      Size/MD5:   555760 8d4672ed29e7dbe60d9a4f473158aa61

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_i386.deb
      Size/MD5:   546362 0cbed65c2404592f5e1bd055574fe53b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-8ubuntu2.3_powerpc.deb
      Size/MD5:   556200 3927a92d2deba7534c5a67bbdecc77fc

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2.diff.gz
      Size/MD5:   131595 f8ee0c74b53ffb107a8f9b8d9ded75d1
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2.dsc
      Size/MD5:      830 64e499d812a87ad755bcd32b352f2b00
    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz
      Size/MD5:  1257376 9956b30139edaa4f5f77c4d0dbd80225

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmail-ssl_6.2.5-13ubuntu3.2_all.deb
      Size/MD5:    42940 7a6644925b26ac82e571c8a191df1d3e
    http://security.ubuntu.com/ubuntu/pool/universe/f/fetchmail/fetchmailconf_6.2.5-13ubuntu3.2_all.deb
      Size/MD5:   102024 36fe4801b83466c7b4aad98fd64505b7

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_amd64.deb
      Size/MD5:   299512 5b3da4915bcff58587ba8d7f8262a09c

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_i386.deb
      Size/MD5:   286284 bd2eb14e845caaec8f157c5591e7ee5e

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/f/fetchmail/fetchmail_6.2.5-13ubuntu3.2_powerpc.deb
      Size/MD5:   297134 9b60cdcc559a884589943c136359b336
    

- 漏洞信息

21906
Fetchmail Multidrop Mode Headerless Message Remote DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Unknown

- 漏洞描述

Fetchmail contains a flaw that may allow a remote denial of service. The issue is triggered when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers, and will result in a loss of availability for the application.

- 时间线

2005-12-19 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 6.2.5.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Fetchmail Missing Email Header Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 15987
Yes No
2005-12-20 12:00:00 2007-03-22 04:03:00
Daniel Drake reported this issue.

- 受影响的程序版本

Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
TransSoft Broker FTP Server 8.0
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10.0
SuSE Linux 9.3
SuSE Linux 9.2
SuSE Linux 9.1
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0 SP6
S.u.S.E. Linux 10.1
S.u.S.E. Linux 10.0
rPath rPath Linux 1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Eric Raymond Fetchmail 6.3 .0
Eric Raymond Fetchmail 6.2.5 .4
Eric Raymond Fetchmail 6.2.5 .2
Eric Raymond Fetchmail 6.2.5 .1
Eric Raymond Fetchmail 6.2.5
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Cosmicperl Directory Pro 10.0.3
Conectiva Linux 10.0
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
Eric Raymond Fetchmail 6.3.1 -rc1
Eric Raymond Fetchmail 6.3.1
Eric Raymond Fetchmail 6.2.6 -pre7
Eric Raymond Fetchmail 6.2.5 .5
Eric Raymond Fetchmail 6.2.5 .2

- 不受影响的程序版本

Eric Raymond Fetchmail 6.3.1 -rc1
Eric Raymond Fetchmail 6.3.1
Eric Raymond Fetchmail 6.2.6 -pre7
Eric Raymond Fetchmail 6.2.5 .5
Eric Raymond Fetchmail 6.2.5 .2

- 漏洞讨论

Fetchmail is affected by a remote denial-of-service vulnerability. This issue is due to the application's failure to handle unexpected input. This issue occurs only when Fetchmail is configured in 'multidrop' mode.

- 漏洞利用

An exploit is not required.

- 解决方案

The vendor has released an advisory to address this issue. Please see the advisory for details on obtaining and applying fixes.


Turbolinux Turbolinux 10 F...

Turbolinux Turbolinux FUJI

TurboLinux Multimedia

Turbolinux Appliance Server 1.0 Workgroup Edition

Turbolinux Turbolinux Server 10.0

Turbolinux Turbolinux Desktop 10.0

Apple Mac OS X Server 10.3.9

Apple Mac OS X 10.3.9

Apple Mac OS X 10.4.7

Eric Raymond Fetchmail 6.2.5 .4

Eric Raymond Fetchmail 6.2.5 .1

Eric Raymond Fetchmail 6.3 .0

TransSoft Broker FTP Server 8.0

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站