Mandrake Linux Security Advisory : fetchmail (MDKSA-2005:209)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

Thomas Wolff and Miloslav Trmac discovered a race condition in the
fetchmailconf program. fetchmailconf would create the initial output
configuration file with insecure permissions and only after writing
would it change permissions to be more restrictive. During that time,
passwords and other data could be exposed to other users on the system
unless the user used a more restrictive umask setting.
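The exposure window described above can be reproduced with the following added example, which is not fetchmailconf's code and not part of the advisory. It contrasts the write-then-chmod pattern with creating the file already restricted. The function names and the sample configuration line are assumptions made for the illustration, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

# Constructed sample data standing in for a configuration file with a password.
SAMPLE = 'poll mail.example.org user "alice" password "not-a-real-secret"\n'


def write_then_chmod(path, data):
    """Pattern the advisory describes: default mode first, restrict afterwards.

    Returns the permission bits the file had while the data was being written.
    """
    with open(path, "w") as f:  # created as 0666 & ~umask
        f.write(data)
        f.flush()
        mode_during_write = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)  # too late: the file was readable until here
    return mode_during_write


def create_restricted(path, data):
    """Hardened form: the file is never more permissive than 0600.

    O_EXCL refuses a pre-existing file; O_NOFOLLOW (where available)
    refuses a symlink planted at the target path.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        mode_during_write = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        f.write(data)
    return mode_during_write


def modes_under_umask(umask):
    """Run both patterns in a scratch directory under the given umask."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            weak = write_then_chmod(os.path.join(scratch, "weak.rc"), SAMPLE)
            strong = create_restricted(os.path.join(scratch, "strong.rc"), SAMPLE)
            return weak, strong
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for mask in (0o022, 0o077):
        weak, strong = modes_under_umask(mask)
        print(f"umask {mask:03o}: write-then-chmod {weak:03o}, restricted create {strong:03o}")
```

Under a umask of 022 the first pattern leaves the file world-readable (0644) while it is being written; under 077 both patterns yield 0600, which is the umask caveat the description mentions.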

As well, the Mandriva Linux 2006 packages did not contain the patch
that corrected the issues fixed in MDKSA-2005:126, namely a buffer
overflow in fetchmail's POP3 client (CVE-2005-2355).

The updated packages have been patched to address this issue, and the
Mandriva 2006 packages have also been patched to correct
CVE-2005-2355.

Solution :

Update the affected fetchmail, fetchmail-daemon and / or fetchmailconf
packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 20442 (mandrake_MDKSA-2005-209.nasl)

Bugtraq ID:

CVE ID: CVE-2005-2335, CVE-2005-3088
