From supinfo@caldera.com Tue Jun 26 17:44:41 2001
From: Support Info
To: announce@lists.caldera.com, bugtraq@securityfocus.com, linux-security@redhat.com, linuxlist@securityportal.com
Date: Tue, 26 Jun 2001 11:29:29 -0600
Subject: Security Update: [CSSA-2001-022.1] buffer overflow in fetchmail

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:                buffer overflow in fetchmail
Advisory number:        CSSA-2001-022.1
Issue date:             2001 June, 22
Cross reference:        CSSA-2001-022.0
______________________________________________________________________________

1. Problem Description

   In previous versions of fetchmail, there were buffer overflows when
   handling mail messages with very long header fields. This hole could
   theoretically be exploited remotely by sending messages with such
   headers.

2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                All packages previous to
                                fetchmail-5.0.4-1

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder       fetchmail-5.0.4-1

   OpenLinux eDesktop 2.4       All packages previous to
                                fetchmail-5.2.0-2

   OpenLinux 3.1 Server         All packages previous to
                                fetchmail-5.4.0-5a

   OpenLinux 3.1 Workstation    All packages previous to
                                fetchmail-5.4.0-5a

3. Solution

   Workaround

   none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

   62bbe7566a6eea7df05542c41f8024a9  RPMS/fetchmail-5.0.4-1.i386.rpm
   05f3db8ec0bb7178d123af4e9761eee5  SRPMS/fetchmail-5.0.4-1.src.rpm

   4.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fhv fetchmail*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

   bf8ed2912bdd5a0c6f5e5d50db552c29  RPMS/fetchmail-5.0.4-1.i386.rpm
   05f3db8ec0bb7178d123af4e9761eee5  SRPMS/fetchmail-5.0.4-1.src.rpm

   5.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh fetchmail*i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

   2d278844840df47146795ae11e638493  RPMS/fetchmail-5.2.0-2.i386.rpm
   85c4c3f805db47041681665f8beb3986  SRPMS/fetchmail-5.2.0-2.src.rpm

   6.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh fetchmail*i386.rpm

7. OpenLinux 3.1 Server

   7.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

   d869c5bdc83bd5bd28624def44fde168  RPMS/fetchmail-5.4.0-5a.i386.rpm
   6ee33ac553e4e68e8193bf3c858d1411  RPMS/fetchmailconf-5.4.0-5a.i386.rpm
   f93919dc140aad6f1b4e6c256d1c81e0  SRPMS/fetchmail-5.4.0-5a.src.rpm

   7.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh fetchmail*i386.rpm

   or start kcupdate, the Caldera OpenLinux Update Manager

8. OpenLinux 3.1 Workstation

   8.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

   d869c5bdc83bd5bd28624def44fde168  RPMS/fetchmail-5.4.0-5a.i386.rpm
   6ee33ac553e4e68e8193bf3c858d1411  RPMS/fetchmailconf-5.4.0-5a.i386.rpm
   f93919dc140aad6f1b4e6c256d1c81e0  SRPMS/fetchmail-5.4.0-5a.src.rpm

   8.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh fetchmail*i386.rpm

   or start kcupdate, the Caldera OpenLinux Update Manager

9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10115.

10. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
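The verification and installation steps in sections 4 through 8 are one procedure: fetch the update RPMs, compare them against the MD5 sums printed in the advisory, and only then run rpm -Fvh. The POSIX sh script below is an added example, not Caldera's own code; it assumes the packages have already been downloaded into a local directory, uses the OpenLinux 3.1 Server sums from section 7.2 as its manifest, and relies on md5sum from GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded update RPMs against
# the MD5 sums published in CSSA-2001-022.1 before installing them with
# rpm -Fvh, so a corrupted or substituted download is never installed.

# Sums copied from section 7.2 (OpenLinux 3.1 Server) of the advisory.
# Format is "md5  filename", the same layout md5sum itself prints.
CSSA_2001_022_1_OL31_SERVER='d869c5bdc83bd5bd28624def44fde168  fetchmail-5.4.0-5a.i386.rpm
6ee33ac553e4e68e8193bf3c858d1411  fetchmailconf-5.4.0-5a.i386.rpm'

# verify_checksums DIR MANIFEST
# Every file named in MANIFEST must exist in DIR and hash to the listed sum.
# Returns 0 only when all files match; reports each problem on stderr.
verify_checksums() {
    dir=$1
    manifest=$2
    status=0
    # A here-document keeps the loop in the current shell, so "status"
    # survives; piping into "while read" would run it in a subshell.
    while read -r expected name; do
        [ -z "$name" ] && continue            # skip blank lines
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual, advisory lists $expected)" >&2
            status=1
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# install_verified DIR MANIFEST
# Runs the advisory's upgrade command only after every sum has checked out.
install_verified() {
    verify_checksums "$1" "$2" || {
        echo "checksum verification failed; nothing installed" >&2
        return 1
    }
    # The command from section 7.3; assumes it is run as root.
    (cd "$1" && rpm -Fvh fetchmail*i386.rpm)
}

# Usage: install_verified /path/to/downloaded/RPMS "$CSSA_2001_022_1_OL31_SERVER"
```

Because the sums are taken from the PGP-signed advisory rather than from the FTP server, a match ties the downloaded file to what Caldera published, not merely to whatever the mirror happened to serve.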