Fetchmail 'fetchmailconf' May Disclose Passwords to Local Users
SecurityTracker Alert ID: 1015114
SecurityTracker URL: http://securitytracker.com/id?1015114
CVE Reference: CVE-2005-3088
Date: Oct 27 2005
Impact: Disclosure of authentication information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): fetchmail 6.2.0, 6.2.5, 6.2.5.2; fetchmailconf 1.43, 1.43.1
Description: A vulnerability was reported in Fetchmail in the fetchmailconf utility. A local user may be able to view passwords.
The fetchmailconf program opens the run control file, writes the fetchmail configuration to the file, and only then changes its permissions to mode 0600 (owner read and write). A local user who opens the file in the window before the restrictive permissions are applied may be able to read its contents, which may include passwords.
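The create-write-then-chmod ordering described above, as an added illustration that is not fetchmail's code or the vendor's fix: a Python sketch that measures the permission bits a run control file carries at the moment the secret is written, for that ordering and for the hardened alternative of creating the file at mode 0600 in the same system call. The function names, the sample run-control line and the host and credentials in it are constructed for this example.

```python
import os
import stat
import tempfile

# Constructed sample run-control line; the password is the secret at issue
# (made-up host and credentials).
SAMPLE_RC = 'poll mail.example.org proto pop3 user "alice" pass "hunter2"\n'

def _mode(fd):
    """Permission bits of an open file, e.g. 0o644."""
    return stat.S_IMODE(os.fstat(fd).st_mode)

def write_rc_then_chmod(path, contents=SAMPLE_RC):
    """Ordering described in the advisory: create with whatever the umask
    allows, write the secret, then tighten to 0600. Returns the mode the file
    had while the secret was on disk but chmod had not yet run (the window)."""
    with open(path, "w") as f:
        f.write(contents)
        f.flush()
        exposed_mode = _mode(f.fileno())   # 0o644 under umask 022
    os.chmod(path, 0o600)                  # too late for an already-open reader
    return exposed_mode

def write_rc_restricted(path, contents=SAMPLE_RC):
    """Hardened ordering: request 0600 in the os.open() that creates the file,
    so it never exists with looser bits; the mode applies only on creation, so
    fchmod() also covers a pre-existing file before anything is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as f:
        f.write(contents)
        f.flush()
        return _mode(f.fileno())           # 0o600 from the first byte on

def demo():
    """Run both variants under a permissive umask; returns (exposed, safe)."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            exposed = write_rc_then_chmod(os.path.join(d, "fetchmailrc"))
            safe = write_rc_restricted(os.path.join(d, "fetchmailrc-safe"))
    finally:
        os.umask(old)
    return exposed, safe
```

Under umask 022 the first variant reports 0644 at write time, the second 0600; the difference is exactly the window the advisory describes.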
Impact: A local user may be able to view passwords.
Solution: The vendor has issued a fix.
For users of fetchmail-6.2.5.2: download fetchmailconf-1.43.2.gz from fetchmail's project site <http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>, gunzip it, then replace your existing fetchmailconf with it.
For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. <https://developer.berlios.de/project/showfiles.php?group_id=1824>
Vendor URL: fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)