Fetchmail Multiple Password Information Disclosure Vulnerabilities
BID:21903
Info
| Bugtraq ID: | 21903 |
| Class: | Design Error |
| CVE: | CVE-2006-5867 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 06 2007 12:00AM |
| Updated: | Mar 19 2015 08:33AM |
| Credit: | Matthias Andree reported these issues. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux Turbolinux Server 10.0 x86 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 8.0 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Turbolinux Appliance Server 2.0 Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise Desktop 10 SuSE Linux 9.3 SuSE Linux 9.2 SuSE Linux 9.1 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux 11.0 SGI ProPack 3.0 SP6 S.u.S.E. Linux 10.1 S.u.S.E. 
Linux 10.0 rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux WS 3 RedHat Enterprise Linux WS 2.1 IA64 RedHat Enterprise Linux WS 2.1 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 RedHat Enterprise Linux ES 2.1 IA64 RedHat Enterprise Linux ES 2.1 RedHat Desktop 4.0 RedHat Desktop 3.0 RedHat Advanced Workstation for the Itanium Processor 2.1 IA64 RedHat Advanced Workstation for the Itanium Processor 2.1 Red Hat Fedora Core6 Red Hat Fedora Core5 Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux AS 3 Red Hat Enterprise Linux AS 2.1 IA64 Red Hat Enterprise Linux AS 2.1 OpenPKG OpenPKG Stable OpenPKG OpenPKG E1.0-Solid OpenPKG OpenPKG Current OpenPKG OpenPKG 2-Stable-20061018 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Gentoo Linux Eric Raymond Fetchmail 6.3.5 Eric Raymond Fetchmail 6.3.4 Eric Raymond Fetchmail 6.3.3 Eric Raymond Fetchmail 6.3.2 Eric Raymond Fetchmail 6.3.1 Eric Raymond Fetchmail 6.3 Eric Raymond Fetchmail 6.2.5 .5 Eric Raymond Fetchmail 6.2.5 .4 Eric Raymond Fetchmail 6.2.5 .2 Eric Raymond Fetchmail 6.2.5 .1 Eric Raymond Fetchmail 6.2.5 Eric Raymond Fetchmail 6.2.4 Eric Raymond Fetchmail 6.2.2 Eric Raymond Fetchmail 6.2 .0 Eric Raymond Fetchmail 6.1.3 Eric Raymond Fetchmail 6.1 .0 Eric Raymond Fetchmail 6.0 .0 Eric Raymond Fetchmail 5.9.14 Eric Raymond Fetchmail 5.9.13 Eric Raymond Fetchmail 5.9.12 Eric Raymond Fetchmail 5.9.11 Eric Raymond Fetchmail 5.9.10 Eric Raymond Fetchmail 5.9.9 Eric Raymond Fetchmail 5.9.8 Eric Raymond Fetchmail 5.9.7 Eric Raymond Fetchmail 5.9.6 Eric Raymond Fetchmail 5.9.5 Eric Raymond Fetchmail 5.9.4 Eric Raymond Fetchmail 5.9.3 Eric Raymond Fetchmail 5.9.2 Eric Raymond Fetchmail 5.9.1 Eric Raymond Fetchmail 5.9 .0 Eric Raymond Fetchmail 5.8.17 
Eric Raymond Fetchmail 5.8.16 Eric Raymond Fetchmail 5.8.15 Eric Raymond Fetchmail 5.8.14 Eric Raymond Fetchmail 5.8.13 Eric Raymond Fetchmail 5.8.12 Eric Raymond Fetchmail 5.8.11 Eric Raymond Fetchmail 5.8.10 Eric Raymond Fetchmail 5.8.9 Eric Raymond Fetchmail 5.8.8 Eric Raymond Fetchmail 5.8.7 Eric Raymond Fetchmail 5.8.6 Eric Raymond Fetchmail 5.8.5 Eric Raymond Fetchmail 5.8.4 Eric Raymond Fetchmail 5.8.3 Eric Raymond Fetchmail 5.8.2 Eric Raymond Fetchmail 5.8.1 Eric Raymond Fetchmail 5.8 .0 Eric Raymond Fetchmail 5.7.4 Eric Raymond Fetchmail 5.7.3 Eric Raymond Fetchmail 5.7.2 Eric Raymond Fetchmail 5.7.1 Eric Raymond Fetchmail 5.7 Eric Raymond Fetchmail 5.6.8 Eric Raymond Fetchmail 5.6.7 Eric Raymond Fetchmail 5.6.6 Eric Raymond Fetchmail 5.6.5 Eric Raymond Fetchmail 5.6.4 Eric Raymond Fetchmail 5.6.3 Eric Raymond Fetchmail 5.6.2 Eric Raymond Fetchmail 5.6.1 Eric Raymond Fetchmail 5.6 Eric Raymond Fetchmail 5.5.6 Eric Raymond Fetchmail 5.5.5 Eric Raymond Fetchmail 5.5.4 Eric Raymond Fetchmail 5.5.3 Eric Raymond Fetchmail 5.5.2 Eric Raymond Fetchmail 5.5.1 Eric Raymond Fetchmail 5.5 Eric Raymond Fetchmail 5.4.5 Eric Raymond Fetchmail 5.4.4 Eric Raymond Fetchmail 5.4.3 Eric Raymond Fetchmail 5.4.2 Eric Raymond Fetchmail 5.4.1 Eric Raymond Fetchmail 5.4 .0 Eric Raymond Fetchmail 5.3.8 Eric Raymond Fetchmail 5.3.7 Eric Raymond Fetchmail 5.3.6 Eric Raymond Fetchmail 5.3.5 Eric Raymond Fetchmail 5.3.4 Eric Raymond Fetchmail 5.3.3 Eric Raymond Fetchmail 5.3.2 Eric Raymond Fetchmail 5.3.1 Eric Raymond Fetchmail 5.3 Eric Raymond Fetchmail 5.2 Eric Raymond Fetchmail 5.1 Eric Raymond Fetchmail 5.0 Eric Raymond Fetchmail 6.3.6-rc3 Eric Raymond Fetchmail 6.3.6-rc2 Eric Raymond Fetchmail 6.3.6-rc1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Apple Mac 
OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X Server 10.3.9 Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple Mac OS X 10.3.9 Apple Mac OS X 10.3.8 Apple Mac OS X 10.3.7 Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 |
| Not Vulnerable: | Eric Raymond Fetchmail 6.3.6 |
Discussion
Fetchmail is prone to multiple information-disclosure vulnerabilities because the application discloses information about user passwords.
An attacker can exploit these issues to access sensitive information that may aid in other attacks.
These issues affect versions prior to 6.3.6-rc4.
Exploit / POC
An attacker can exploit this issue by using standard network utilities.
Solution / Fix
Solution:
The vendor has released updates to address these issues. Please see the references for more information.
Turbolinux Turbolinux 10 F...
-
Turbolinux fetchmail-6.2.5-6.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmail-6.2.5-6.i586.rpm
-
Turbolinux fetchmailconf-6.2.5-6.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmailconf-6.2.5-6.i586.rpm
Turbolinux Turbolinux FUJI
-
Turbolinux fetchmail-6.2.5-6.i686.rpm
Turbolinux FUJI
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
-
Turbolinux fetchmailconf-6.2.5-6.i686.rpm
Turbolinux FUJI
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
Turbolinux Appliance Server 1.0 Workgroup Edition
-
Turbolinux fetchmail-6.2.5-6.i586.rpm
Turbolinux Appliance Server 1.0 Workgroup Edition
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
Turbolinux Turbolinux Server 10.0
-
Turbolinux fetchmail-6.2.5-6.i586.rpm
Turbolinux 10 Server
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
Turbolinux Turbolinux Desktop 10.0
-
Turbolinux fetchmail-6.2.5-6.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmail-6.2.5-6.i586.rpm
-
Turbolinux fetchmailconf-6.2.5-6.i586.rpm
Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/fetchmailconf-6.2.5-6.i586.rpm
Apple Mac OS X Server 10.3.9
-
Apple Security Update 2007-004 (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13659&cat=1&platform=osx&method=sa/SecUpd2007-004Univ.dmg
Apple Mac OS X Server 10.4.9
-
Apple Security Update 2007-004 (Universal)
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13659&cat=1&platform=osx&method=sa/SecUpd2007-004Univ.dmg
Eric Raymond Fetchmail 5.3.1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.3.2
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.3.5
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.3.6
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.3.8
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.4.1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.4.3
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.5.2
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.5.3
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.5.4
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.5.5
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.6.1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.6.4
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.6.7
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.7.1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.7.2
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.12
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.14
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.15
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.2
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.3
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.8.6
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.12
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.14
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.2
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.5
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.7
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 5.9.8
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.1 .0
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.1.3
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.2 .0
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.2.5 .4
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.2.5 .1
-
Fetchmail Fetchmail 6.3.6
http://developer.berlios.de/project/showfiles.php?group_id=1824
Eric Raymond Fetchmail 6.3.5
-
SuSE fetchmail-6.3.5-23.2.i586.rpm
openSUSE 10.2
ftp://ftp.suse.com/pub/suse/i386/update/10.2/rpm/i586/fetchmail-6.3.5-23.2.i586.rpm
-
SuSE fetchmail-6.3.5-23.2.x86_64.rpm
openSUSE 10.2
ftp://ftp.suse.com/pub/suse/x86_64/update/10.2/rpm/x86_64/fetchmail-6.3.5-23.2.x86_64.rpm
References
References:
- Fetchmail 6.3.6 Release Notes (BerliOS)
- fetchmail security announcement 2006-02 (CVE-2006-5867) (Matthias Andree)
- APPLE-SA-2007-04-19 Security Update 2007-004 (Apple)
- RHSA-2007:0018-10 - fetchmail security update (Red Hat)