Credit:
The information has been provided by Matthias Andree.
Vulnerable Systems:
* fetchmail version 6.3.10 and prior
Immune Systems:
* fetchmail release 6.3.11
Note that fetchmail should always be forced to use strict certificate validation through either of these option combinations:
--sslcertck --ssl --sslproto ssl3 (for service on SSL-wrapped ports)
or
--sslcertck --sslproto tls1 (for STARTTLS-based services)
(These are the command-line forms; in the rcfile, you will need to omit the respective leading --.)
The default is relaxed checking for compatibility with historic versions.
There are two alternatives; either one by itself is sufficient:
a. Apply the patch found in section B of this announcement to fetchmail 6.3.10, recompile and reinstall it.
b. Install fetchmail 6.3.11 or newer once it has become available. The fetchmail source code is always available from .
Workaround
Obtain the server fingerprints through a separate secure channel and configure them with the sslfingerprint option, and enable the sslcertck option.
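The following is an added example, not part of the advisory and not fetchmail's own code. It puts the option combinations recommended above into a constructed rcfile fragment (relaxed default checking beside strict checking, plus one entry pinned with sslfingerprint as in the workaround) and adds a small check that lists every poll entry still lacking sslcertck. Hostnames under .invalid, credentials and the fingerprint value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory). Shows the strict-validation option
# strings in command-line and rcfile form, and checks a constructed rcfile
# for poll entries that still rely on relaxed certificate checking.

# Strict certificate validation options, as given in the advisory.
#   wrapped  -> service on an SSL-wrapped port
#   starttls -> STARTTLS-based service
strict_opts() {
  case "$1" in
    wrapped)  printf '%s\n' '--sslcertck --ssl --sslproto ssl3' ;;
    starttls) printf '%s\n' '--sslcertck --sslproto tls1' ;;
    *) printf 'usage: strict_opts wrapped|starttls\n' >&2; return 1 ;;
  esac
}

# Same options as they must appear in the rcfile: leading "--" removed.
rc_opts() {
  strict_opts "$1" | sed 's/--//g'
}

# Constructed ~/.fetchmailrc fragment (placeholder hosts and credentials):
#   line 1: relaxed checking (the default), no sslcertck  -> flagged
#   line 2: strict checking on an SSL-wrapped port        -> ok
#   line 3: strict checking via STARTTLS                  -> ok
#   line 4: strict checking plus a pinned fingerprint, as in the workaround
#           (fingerprint value is a constructed placeholder, not a real one)
RCFILE_SAMPLE='poll imap.example.invalid proto imap user "alice" pass "secret" ssl sslproto ssl3
poll mail.example.invalid proto imap user "bob" pass "secret" ssl sslproto ssl3 sslcertck
poll pop.example.invalid proto pop3 user "carol" pass "secret" sslproto tls1 sslcertck
poll pinned.example.invalid proto imap user "dave" pass "secret" ssl sslproto ssl3 sslcertck sslfingerprint "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"'

SAMPLE_RC=$(mktemp)
printf '%s\n' "$RCFILE_SAMPLE" > "$SAMPLE_RC"

# Print the host of every "poll" entry that does not enable sslcertck.
# Such entries fall back to relaxed checking and should be fixed.
find_relaxed_polls() {
  awk '$1 == "poll" && !/sslcertck/ { print $2 }' "$1"
}

# Print the host of every strict entry that additionally pins a fingerprint.
find_pinned_polls() {
  awk '$1 == "poll" && /sslcertck/ && /sslfingerprint/ { print $2 }' "$1"
}

echo "command line, SSL-wrapped port: $(strict_opts wrapped)"
echo "rcfile, SSL-wrapped port:       $(rc_opts wrapped)"
echo "command line, STARTTLS:         $(strict_opts starttls)"
echo "rcfile, STARTTLS:               $(rc_opts starttls)"
echo "entries still using relaxed checking:"
find_relaxed_polls "$SAMPLE_RC"
echo "entries pinned with sslfingerprint:"
find_pinned_polls "$SAMPLE_RC"
```

Run it against a real rcfile by passing its path to find_relaxed_polls instead of the constructed sample. The option strings are copied verbatim from the advisory; the check itself only looks for the sslcertck keyword, so it does not depend on the protocol choice.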
CVE Information:
CVE-2009-2666
Disclosure Timeline:
2009-08-05 0.1 first draft (visible in SVN)
2009-08-06 1.0 first release