Debian DSA-1852-1 : fetchmail - insufficient input validation
Medium Nessus Plugin ID 44717
SynopsisThe remote Debian host is missing a security-related update.
DescriptionIt was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the 'Null Prefix Attacks Against SSL/TLS Certificates' recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields.
Note, as a fetchmail user you should always use strict certificate validation through either these option combinations: sslcertck ssl sslproto ssl3 (for service on SSL-wrapped ports) or sslcertck sslproto tls1 (for STARTTLS-based services)
SolutionUpgrade the fetchmail packages.
For the oldstable distribution (etch), this problem has been fixed in version 6.3.6-1etch2.
For the stable distribution (lenny), this problem has been fixed in version 6.3.9~rc2-4+lenny1.