Info

Disclosure

Oct 21, 2005

Discovery

Unknown

Dates

Exploit

Oct 21, 2005

Solution

Unknown

Description

Fetchmail contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to plain text passwords when the fetchmailconf utility is used to create a configuration. The utility writes the configuration file before restricting access to other users, which may lead to a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to version 6.2.5.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Fetchmail	Fetchmail	6.2.0
		6.2.5
		6.2.5.2

References

Security Tracker: 1015114
Secunia Advisory ID: 17293 17349 17446 17491 17495 17631 18895 21253
CVE ID: 2005-3088 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0028.html
Vendor Specific Advisory URL: http://docs.info.apple.com/article.html?artnum=304063
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:209
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware- ......
http://www.ubuntu.com/usn/usn-215-1
Other Advisory URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
http://www.debian.org/security/2005/dsa-900
http://www.gentoo.org/security/en/glsa/glsa-200511-06.xml
RedHat RHSA: RHSA-2005:823

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218