copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.2310 - [Win][UNIX/Linux][Debian] getmail4: Multiple vulnerabilities

Date: 08 December 2014

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2310
                         getmail4 security update
                              8 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           getmail4
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Access Confidential Data       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7275 CVE-2014-7274 CVE-2014-7273

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3091

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running getmail4 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3091-1                   security@debian.org
http://www.debian.org/security/                         Giuseppe Iuculano
December 07, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : getmail4
CVE ID         : CVE-2014-7273 CVE-2014-7274 CVE-2014-7275
Debian Bug     : 766670

Several vulnerabilities have been discovered in getmail4, a mail 
retriever with support for POP3, IMAP4 and SDPS, that could allow 
man-in-the-middle attacks.

CVE-2014-7273

    The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0
    does not verify X.509 certificates from SSL servers, which allows
    man-in-the-middle attackers to spoof IMAP servers and obtain
    sensitive information via a crafted certificate.

CVE-2014-7274

    The IMAP-over-SSL implementation in getmail 4.44.0 does not verify
    that the server hostname matches a domain name in the subject's
    Common Name (CN) field of the X.509 certificate, which allows
    man-in-the-middle attackers to spoof IMAP servers and obtain
    sensitive information via a crafted certificate from a recognized
    Certification Authority.

CVE-2014-7275

    The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0
    does not verify X.509 certificates from SSL servers, which allows
    man-in-the-middle attackers to spoof POP3 servers and obtain
    sensitive information via a crafted certificate.

For the stable distribution (wheezy), these problems have been fixed in
version 4.46.0-1~deb7u1.

For the upcoming stable distribution (jessie), these problems have been
fixed in version 4.46.0-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.46.0-1.

We recommend that you upgrade your getmail4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUhHzhAAoJEI9hzo2UfbETr1QP/isuRRWrrQPc2NiG7uLMDHwZ
7BRv//sLKpydFHLBrv6HSNo+o/6ijI8XI8JSaq4li9zZsXp6a0uiGOkm5zRXGAaA
kdFgGTeLYXhdECFeVu2ITobKWc1gx0Eq0prsf1nFfOWnNsOqfeq6xzj0zlHszWsZ
TN3eanmN47zVJ5cdEjlMick3LyGzkFFju+s5/Rlck8UkplBXM0+gpFbyaTJzpFuc
iFHPHSmPGADeLKre4DuZXSVsvDvfFJWYyGpVB7APmwMqDao6usYzE+ML98Z6aoj8
YeawH67YypWyeccLvi1bZvb+9hr8iaReqRpFSADVVo/m7RcPrmAnxSgLQHItS8AT
E7BwM4KCXbRyj7pTZfBN4YTwhCqoXKZCojERg+9PuM068tJe+GzcNFfvl0Ygli7Y
m6u7DxgeMs9YEfwqbZzIbtqK0w4uVdt/kGpYw8KG/FeZrYjXu602wWrUfVQd5mDH
XB0Kt56sH7KTUcjdQB2QNjNY4NjIR3k4CWUQOZ/2xSKZUWiYLqTfNO1uSkLhLWv/
VulZZU/iIdlz2X1MRGZ8ohH271No4Q9Bz+/6H6qIXJpyVax3LDewLRg5aWliemyo
jU69x4uwZIarB+LhuRVnAONAnRybQQGJH1bXlDyeQP9++QvP9V0MEYoONujLPMUE
CPMvXGkJd5PSFn/iVQrc
=OzmR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVITzGRLndAQH1ShLAQJUSg/8C5Ym0otD+CYoIZ96gIilsx0GiJqH/nKB
8FEp78AHgkaEne6/kEsvLsWt81cYC7JvrxE2kdagHu0NxuNt5J+cHunNd3Nx5kB8
qOOb9VYCoZx9wn8ebn1rgNp9vsVoX7AzWSu7C5qmUV9IutshksdBcWVGfkLO4D8i
F38FLrOIV+VQReg01p6A8GrdCp9iIKxtOWcC5JGe26TL0AKvXeJ8vxFzCck1C4Xo
Z4HbxgOCc33wipk+H+zZqgNhDg7HYoJANTqeOGQ5UhTwTv2oKJoNrk279aEwMdyf
V30L12Ki8Woz7lOTYKE1/bwydqs+beaqXJnf4jNNSa3vkijoJWVqbhDjidl9IRnl
fPU8/tJ9bekiIOzz/Pig5KpqHrKD194TkEVe9QvbBJGQ5DCokmYTzkR7ZgQ21Gb6
b7X9pphkP7zJWY5X2B+c6qdOAstVRCqIJbcnokztut5hOx2pK/GhT1991Td9G8mT
7o4V/QaxgbL/w640Qg6rPHqvtaM5L9lDJ1YkQmDnfLGtFHbbBs/UnbYBhPZuyLnI
D9iesiStjyoZc7c0Nb4Bb6vtRSvMwYMi0/QePJx5HdfCNUYar3L4nP3CQQloKJ85
73q4iDzoNlOlusN8o3o4tHrjzt1HApvBtOgtc7IvQk3Q3HMuQkXZkPnBTzWfEvv8
LWRSgpxNE1c=
=XEh/
-----END PGP SIGNATURE-----