ID CVE-2007-4565
Summary sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
References
Vulnerable Configurations
  • Fetchmail 4.5.1
    cpe:2.3:a:fetchmail:fetchmail:4.5.1
  • Fetchmail 4.5.2
    cpe:2.3:a:fetchmail:fetchmail:4.5.2
  • Fetchmail 4.5.3
    cpe:2.3:a:fetchmail:fetchmail:4.5.3
  • Fetchmail 4.5.4
    cpe:2.3:a:fetchmail:fetchmail:4.5.4
  • Fetchmail 4.5.5
    cpe:2.3:a:fetchmail:fetchmail:4.5.5
  • Fetchmail 4.5.6
    cpe:2.3:a:fetchmail:fetchmail:4.5.6
  • Fetchmail 4.5.7
    cpe:2.3:a:fetchmail:fetchmail:4.5.7
  • Fetchmail 4.5.8
    cpe:2.3:a:fetchmail:fetchmail:4.5.8
  • Fetchmail 4.6.0
    cpe:2.3:a:fetchmail:fetchmail:4.6.0
  • Fetchmail 4.6.1
    cpe:2.3:a:fetchmail:fetchmail:4.6.1
  • Fetchmail 4.6.2
    cpe:2.3:a:fetchmail:fetchmail:4.6.2
  • Fetchmail 4.6.3
    cpe:2.3:a:fetchmail:fetchmail:4.6.3
  • Fetchmail 4.6.4
    cpe:2.3:a:fetchmail:fetchmail:4.6.4
  • Fetchmail 4.6.5
    cpe:2.3:a:fetchmail:fetchmail:4.6.5
  • Fetchmail 4.6.6
    cpe:2.3:a:fetchmail:fetchmail:4.6.6
  • Fetchmail 4.6.7
    cpe:2.3:a:fetchmail:fetchmail:4.6.7
  • Fetchmail 4.6.8
    cpe:2.3:a:fetchmail:fetchmail:4.6.8
  • Fetchmail 4.6.9
    cpe:2.3:a:fetchmail:fetchmail:4.6.9
  • Fetchmail 4.7.0
    cpe:2.3:a:fetchmail:fetchmail:4.7.0
  • Fetchmail 4.7.1
    cpe:2.3:a:fetchmail:fetchmail:4.7.1
  • Fetchmail 4.7.2
    cpe:2.3:a:fetchmail:fetchmail:4.7.2
  • Fetchmail 4.7.3
    cpe:2.3:a:fetchmail:fetchmail:4.7.3
  • Fetchmail 4.7.4
    cpe:2.3:a:fetchmail:fetchmail:4.7.4
  • Fetchmail 4.7.5
    cpe:2.3:a:fetchmail:fetchmail:4.7.5
  • Fetchmail 4.7.6
    cpe:2.3:a:fetchmail:fetchmail:4.7.6
  • Fetchmail 4.7.7
    cpe:2.3:a:fetchmail:fetchmail:4.7.7
  • Fetchmail 5.0.0
    cpe:2.3:a:fetchmail:fetchmail:5.0.0
  • Fetchmail 5.0.1
    cpe:2.3:a:fetchmail:fetchmail:5.0.1
  • Fetchmail 5.0.2
    cpe:2.3:a:fetchmail:fetchmail:5.0.2
  • Fetchmail 5.0.3
    cpe:2.3:a:fetchmail:fetchmail:5.0.3
  • Fetchmail 5.0.4
    cpe:2.3:a:fetchmail:fetchmail:5.0.4
  • Fetchmail 5.0.5
    cpe:2.3:a:fetchmail:fetchmail:5.0.5
  • Fetchmail 5.0.6
    cpe:2.3:a:fetchmail:fetchmail:5.0.6
  • Fetchmail 5.0.7
    cpe:2.3:a:fetchmail:fetchmail:5.0.7
  • Fetchmail 5.0.8
    cpe:2.3:a:fetchmail:fetchmail:5.0.8
  • Fetchmail 5.1.0
    cpe:2.3:a:fetchmail:fetchmail:5.1.0
  • Fetchmail 5.1.4
    cpe:2.3:a:fetchmail:fetchmail:5.1.4
  • Fetchmail 5.2.0
    cpe:2.3:a:fetchmail:fetchmail:5.2.0
  • Fetchmail 5.2.1
    cpe:2.3:a:fetchmail:fetchmail:5.2.1
  • Fetchmail 5.2.3
    cpe:2.3:a:fetchmail:fetchmail:5.2.3
  • Fetchmail 5.2.4
    cpe:2.3:a:fetchmail:fetchmail:5.2.4
  • Fetchmail 5.2.7
    cpe:2.3:a:fetchmail:fetchmail:5.2.7
  • Fetchmail 5.2.8
    cpe:2.3:a:fetchmail:fetchmail:5.2.8
  • Fetchmail 5.3.0
    cpe:2.3:a:fetchmail:fetchmail:5.3.0
  • Fetchmail 5.3.1
    cpe:2.3:a:fetchmail:fetchmail:5.3.1
  • Fetchmail 5.3.3
    cpe:2.3:a:fetchmail:fetchmail:5.3.3
  • Fetchmail 5.3.8
    cpe:2.3:a:fetchmail:fetchmail:5.3.8
  • Fetchmail 5.4.0
    cpe:2.3:a:fetchmail:fetchmail:5.4.0
  • Fetchmail 5.4.3
    cpe:2.3:a:fetchmail:fetchmail:5.4.3
  • Fetchmail 5.4.4
    cpe:2.3:a:fetchmail:fetchmail:5.4.4
  • Fetchmail 5.4.5
    cpe:2.3:a:fetchmail:fetchmail:5.4.5
  • Fetchmail 5.5.0
    cpe:2.3:a:fetchmail:fetchmail:5.5.0
  • Fetchmail 5.5.2
    cpe:2.3:a:fetchmail:fetchmail:5.5.2
  • Fetchmail 5.5.3
    cpe:2.3:a:fetchmail:fetchmail:5.5.3
  • Fetchmail 5.5.5
    cpe:2.3:a:fetchmail:fetchmail:5.5.5
  • Fetchmail 5.5.6
    cpe:2.3:a:fetchmail:fetchmail:5.5.6
  • Fetchmail 5.6.0
    cpe:2.3:a:fetchmail:fetchmail:5.6.0
  • Fetchmail 5.7.0
    cpe:2.3:a:fetchmail:fetchmail:5.7.0
  • Fetchmail 5.7.2
    cpe:2.3:a:fetchmail:fetchmail:5.7.2
  • Fetchmail 5.7.4
    cpe:2.3:a:fetchmail:fetchmail:5.7.4
  • Fetchmail 5.8
    cpe:2.3:a:fetchmail:fetchmail:5.8
  • Fetchmail 5.8.1
    cpe:2.3:a:fetchmail:fetchmail:5.8.1
  • Fetchmail 5.8.2
    cpe:2.3:a:fetchmail:fetchmail:5.8.2
  • Fetchmail 5.8.3
    cpe:2.3:a:fetchmail:fetchmail:5.8.3
  • Fetchmail 5.8.4
    cpe:2.3:a:fetchmail:fetchmail:5.8.4
  • Fetchmail 5.8.5
    cpe:2.3:a:fetchmail:fetchmail:5.8.5
  • Fetchmail 5.8.6
    cpe:2.3:a:fetchmail:fetchmail:5.8.6
  • Fetchmail 5.8.11
    cpe:2.3:a:fetchmail:fetchmail:5.8.11
  • Fetchmail 5.8.13
    cpe:2.3:a:fetchmail:fetchmail:5.8.13
  • Fetchmail 5.8.14
    cpe:2.3:a:fetchmail:fetchmail:5.8.14
  • Fetchmail 5.8.17
    cpe:2.3:a:fetchmail:fetchmail:5.8.17
  • Fetchmail 5.9.0
    cpe:2.3:a:fetchmail:fetchmail:5.9.0
  • Fetchmail 5.9.4
    cpe:2.3:a:fetchmail:fetchmail:5.9.4
  • Fetchmail 5.9.5
    cpe:2.3:a:fetchmail:fetchmail:5.9.5
  • Fetchmail 5.9.8
    cpe:2.3:a:fetchmail:fetchmail:5.9.8
  • Fetchmail 5.9.10
    cpe:2.3:a:fetchmail:fetchmail:5.9.10
  • Fetchmail 5.9.11
    cpe:2.3:a:fetchmail:fetchmail:5.9.11
  • Fetchmail 5.9.13
    cpe:2.3:a:fetchmail:fetchmail:5.9.13
  • Fetchmail 6.0.0
    cpe:2.3:a:fetchmail:fetchmail:6.0.0
  • Fetchmail 6.1.0
    cpe:2.3:a:fetchmail:fetchmail:6.1.0
  • Fetchmail 6.1.3
    cpe:2.3:a:fetchmail:fetchmail:6.1.3
  • Fetchmail 6.2.0
    cpe:2.3:a:fetchmail:fetchmail:6.2.0
  • Fetchmail 6.2.1
    cpe:2.3:a:fetchmail:fetchmail:6.2.1
  • Fetchmail 6.2.2
    cpe:2.3:a:fetchmail:fetchmail:6.2.2
  • Fetchmail 6.2.3
    cpe:2.3:a:fetchmail:fetchmail:6.2.3
  • Fetchmail 6.2.4
    cpe:2.3:a:fetchmail:fetchmail:6.2.4
  • Fetchmail 6.2.5
    cpe:2.3:a:fetchmail:fetchmail:6.2.5
  • Fetchmail 6.2.5.1
    cpe:2.3:a:fetchmail:fetchmail:6.2.5.1
  • Fetchmail 6.2.5.2
    cpe:2.3:a:fetchmail:fetchmail:6.2.5.2
  • Fetchmail 6.2.5.4
    cpe:2.3:a:fetchmail:fetchmail:6.2.5.4
  • Fetchmail 6.2.6 pre4
    cpe:2.3:a:fetchmail:fetchmail:6.2.6:pre4
  • Fetchmail 6.2.6 pre8
    cpe:2.3:a:fetchmail:fetchmail:6.2.6:pre8
  • Fetchmail 6.2.6 pre9
    cpe:2.3:a:fetchmail:fetchmail:6.2.6:pre9
  • Fetchmail 6.2.9 release candidate 10
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc10
  • Fetchmail 6.2.9 release candidate 3
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc3
  • Fetchmail 6.2.9 release candidate 4
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc4
  • Fetchmail 6.2.9 release candidate 5
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc5
  • Fetchmail 6.2.9 release candidate 7
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc7
  • Fetchmail 6.2.9 release candidate 8
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc8
  • Fetchmail 6.2.9 release candidate 9
    cpe:2.3:a:fetchmail:fetchmail:6.2.9:rc9
  • Fetchmail 6.3.0
    cpe:2.3:a:fetchmail:fetchmail:6.3.0
  • Fetchmail 6.3.1
    cpe:2.3:a:fetchmail:fetchmail:6.3.1
  • Fetchmail 6.3.2
    cpe:2.3:a:fetchmail:fetchmail:6.3.2
  • Fetchmail 6.3.3
    cpe:2.3:a:fetchmail:fetchmail:6.3.3
  • Fetchmail 6.3.4
    cpe:2.3:a:fetchmail:fetchmail:6.3.4
  • Fetchmail 6.3.5
    cpe:2.3:a:fetchmail:fetchmail:6.3.5
  • Fetchmail 6.3.6
    cpe:2.3:a:fetchmail:fetchmail:6.3.6
  • Fetchmail 6.3.6 release candidate 1
    cpe:2.3:a:fetchmail:fetchmail:6.3.6:rc1
  • Fetchmail 6.3.6 release candidate 2
    cpe:2.3:a:fetchmail:fetchmail:6.3.6:rc2
  • Fetchmail 6.3.6 release candidate 3
    cpe:2.3:a:fetchmail:fetchmail:6.3.6:rc3
  • Fetchmail 6.3.6 release candidate 4
    cpe:2.3:a:fetchmail:fetchmail:6.3.6:rc4
  • Fetchmail 6.3.6 release candidate 5
    cpe:2.3:a:fetchmail:fetchmail:6.3.6:rc5
  • Fetchmail 6.3.7
    cpe:2.3:a:fetchmail:fetchmail:6.3.7
  • Fetchmail 6.3.8
    cpe:2.3:a:fetchmail:fetchmail:6.3.8
  • Fetchmail 6.3.9 release candidate 2
    cpe:2.3:a:fetchmail:fetchmail:6.3.9:rc2
CVSS
Base: 5.0 (as of 28-08-2007 - 13:33)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1427.NASL
    description An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections. It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666) A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565) A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711) Note: when using SSL-enabled services, it is recommended that the fetchmail '--sslcertck' option be used to enforce strict SSL certificate checking. All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 40901
    published 2009-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40901
    title RHEL 3 / 4 / 5 : fetchmail (RHSA-2009:1427)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_45500F74594711DC87C1000E2E5785AD.NASL
    description Matthias Andree reports : fetchmail will generate warning messages in certain circumstances (for instance, when leaving oversized messages on the server or login to the upstream fails) and send them to the local postmaster or the user running it. If this warning message is then refused by the SMTP listener that fetchmail is forwarding the message to, fetchmail crashes and does not collect further messages until it is restarted.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 25981
    published 2007-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25981
    title FreeBSD : fetchmail -- denial of service on reject of local warning message (45500f74-5947-11dc-87c1-000e2e5785ad)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FETCHMAIL-4462.NASL
    description This update fixes a remote denial-of-service attack. (CVE-2007-4565)
    last seen 2018-09-01
    modified 2012-05-17
    plugin id 29426
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29426
    title SuSE 10 Security Update : fetchmail (ZYPP Patch Number 4462)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1427.NASL
    description An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections. It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666) A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565) A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711) Note: when using SSL-enabled services, it is recommended that the fetchmail '--sslcertck' option be used to enforce strict SSL certificate checking. All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 40893
    published 2009-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40893
    title CentOS 3 / 4 / 5 : fetchmail (CESA-2009:1427)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2009-001.NASL
    description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-001 applied. This security update contains fixes for the following products : - AFP Server - Apple Pixlet Video - CarbonCore - CFNetwork - Certificate Assistant - ClamAV - CoreText - CUPS - DS Tools - fetchmail - Folder Manager - FSEvents - Network Time - perl - Printing - python - Remote Apple Events - Safari RSS - servermgrd - SMB - SquirrelMail - X11 - XTerm
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 35684
    published 2009-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=35684
    title Mac OS X Multiple Vulnerabilities (Security Update 2009-001)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_11814.NASL
    description This update fixes a remote denial-of-service attack. (CVE-2007-4565)
    last seen 2018-09-01
    modified 2012-04-23
    plugin id 41154
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41154
    title SuSE9 Security Update : fetchmail (YOU Patch Number 11814)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090908_FETCHMAIL_ON_SL3_X.NASL
    description CVE-2007-4565 Fetchmail NULL pointer dereference CVE-2008-2711 fetchmail: Crash in large log messages in verbose mode CVE-2009-2666 fetchmail: SSL null terminator bypass It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666) A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565) A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711) If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 60662
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60662
    title Scientific Linux Security Update : fetchmail on SL3.x, SL4.x, SL5.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-1983.NASL
    description - Mon Sep 3 2007 Vitezslav Crhonek - 6.3.7-2 - Fix license - Fix fetchmail NULL pointer dereference (CVE-2007-4565) Resolves: #260861 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-21
    plugin id 27742
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27742
    title Fedora 7 : fetchmail-6.3.7-2.fc7 (2007-1983)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FETCHMAIL-4490.NASL
    description This update fixes a remote denial-of-service attack. (CVE-2007-4565)
    last seen 2018-09-02
    modified 2014-06-13
    plugin id 27572
    published 2007-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27572
    title openSUSE 10 Security Update : fetchmail (fetchmail-4490)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1377.NASL
    description Matthias Andree discovered that fetchmail, an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder, can under certain circumstances attempt to dereference a NULL pointer and crash.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 26080
    published 2007-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26080
    title Debian DSA-1377-2 : fetchmail - NULL pointer dereference
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1427.NASL
    description From Red Hat Security Advisory 2009:1427 : An updated fetchmail package that fixes multiple security issues is now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links, such as SLIP and PPP connections. It was discovered that fetchmail is affected by the previously published 'null prefix attack', caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse fetchmail into accepting it by mistake. (CVE-2009-2666) A flaw was found in the way fetchmail handles rejections from a remote SMTP server when sending warning mail to the postmaster. If fetchmail sent a warning mail to the postmaster of an SMTP server and that SMTP server rejected it, fetchmail could crash. (CVE-2007-4565) A flaw was found in fetchmail. When fetchmail is run in double verbose mode ('-v -v'), it could crash upon receiving certain, malformed mail messages with long headers. A remote attacker could use this flaw to cause a denial of service if fetchmail was also running in daemon mode ('-d'). (CVE-2008-2711) Note: when using SSL-enabled services, it is recommended that the fetchmail '--sslcertck' option be used to enforce strict SSL certificate checking. All fetchmail users should upgrade to this updated package, which contains backported patches to correct these issues. If fetchmail is running in daemon mode, it must be restarted for this update to take effect (use the 'fetchmail --quit' command to stop the fetchmail process).
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 67920
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67920
    title Oracle Linux 3 / 4 / 5 : fetchmail (ELSA-2009-1427)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-179.NASL
    description A vulnerability in fetchmail was found where it could crash when attempting to deliver an internal warning or error message through an untrusted or compromised SMTP server, leading to a denial of service. Updated packages have been patched to prevent these issues.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 26046
    published 2007-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=26046
    title Mandrake Linux Security Advisory : fetchmail (MDKSA-2007:179)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-520-1.NASL
    description Gaetan Leurent discovered a vulnerability in the APOP protocol based on MD5 collisions. As fetchmail supports the APOP protocol, this vulnerability can be used by attackers to discover a portion of the APOP user's authentication credentials. (CVE-2007-1558) Earl Chew discovered that fetchmail can be made to de-reference a NULL pointer when contacting SMTP servers. This vulnerability can be used by attackers who control the SMTP server to crash fetchmail and cause a denial of service. (CVE-2007-4565). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 28125
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28125
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : fetchmail vulnerabilities (USN-520-1)
oval via4
accepted 2013-04-29T04:06:27.554-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
family unix
id oval:org.mitre.oval:def:10528
status accepted
submitted 2010-07-09T03:56:16-04:00
title sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.
version 24
redhat via4
rpms
  • fetchmail-0:6.2.0-3.el3.5
  • fetchmail-0:6.2.5-6.0.1.el4_8.1
  • fetchmail-0:6.3.6-1.1.el5_3.1
refmap via4
apple APPLE-SA-2009-02-12
bid 25495
bugtraq
  • 20070907 FLEA-2007-0053-1 fetchmail
  • 20080617 fetchmail security announcement fetchmail-SA-2007-02 (CVE-2007-4565)
confirm
debian DSA-1377
mandriva MDKSA-2007:179
osvdb 45833
sectrack 1018627
secunia
  • 27399
  • 33937
sreason 3074
suse SUSE-SR:2007:022
trustix 2007-0028
ubuntu USN-520-1
vupen
  • ADV-2007-3032
  • ADV-2009-0422
xf fetchmail-warning-dos(36385)
statements via4
contributor Mark J Cox
lastmodified 2009-09-09
organization Red Hat
statement This issue was addressed in fetchmail packages as shipped in Red Hat Enterprise Linux 3, 4, and 5 via: https://rhn.redhat.com/errata/RHSA-2009-1427.html
Last major update 07-03-2011 - 21:58
Published 27-08-2007 - 21:17
Last modified 15-10-2018 - 17:36
Back to Top