SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Fetchmail Vendors:   fetchmail.berlios.de
Fetchmail 'fetchmailconf' May Disclose Passwords to Local Users
SecurityTracker Alert ID:  1015114
SecurityTracker URL:  http://securitytracker.com/id/1015114
CVE Reference:   CVE-2005-3088   (Links to External Site)
Date:  Oct 27 2005
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): fetchmail 6.2.0, 6.2.5, 6.2.5.2; fetchmailconf 1.43, 1.43.1
Description:   A vulnerability was reported in Fetchmail in the fetchmailconf utility. A local user may be able to view passwords.

The fetchmailconf program opens the run control file, writes the fetchmail configuration to the file, and then changes the security permissions to mode 0600 (owner read and write). A local user may be able to access the file before the restrictive security permissions are applied to view the file contents.

The file contents may include passwords.

Impact:   A local user may be able to view passwords.
Solution:   The vendor has issued a fix.

For users of fetchmail-6.2.5.2:

Download fetchmailconf-1.43.2.gz from fetchmail's project site
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
gunzip it, then replace your existing fetchmailconf with it.

For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:

update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.
<https://developer.berlios.de/project/showfiles.php?group_id=1824>

Vendor URL:  fetchmail.berlios.de/fetchmail-SA-2005-02.txt (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 27 2005 (Red Hat Issues Fix) Fetchmail 'fetchmailconf' May Disclose Passwords to Local Users
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC