Detections
Analytics
Debian DSA-900-3 : fetchmail - programming error
low Nessus Plugin ID 22766
Synopsis
The remote Debian host is missing a security-related update.Description
Due to restrictive dependency definition for fetchmail-ssl the updated fetchmailconf package couldn't be installed on the old stable distribution (woody) together with fetchmail-ssl. Hence, this update loosens it, so that the update can be pulled in. For completeness we're including the original advisory text :Thomas Wolff discovered that the fetchmailconf program which is provided as part of fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, creates the new configuration in an insecure fashion that can lead to leaking passwords for mail accounts to local users.
This update also fixes a regression in the package for stable caused by the last security update.
Solution
Upgrade the fetchmail package.For the old stable distribution (woody) this problem has been fixed in version 5.9.11-6.4 of fetchmail and in version 5.9.11-6.3 of fetchmail-ssl.
For the stable distribution (sarge) this problem has been fixed in version 6.2.5-12sarge3.
See Also
Plugin Details
Severity: Low
ID: 22766
File Name: debian_DSA-900.nasl
Version: 1.20
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 10/14/2006
Updated: 1/4/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Low
Base Score: 2.1
Temporal Score: 1.6
Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:fetchmail, cpe:/o:debian:debian_linux:3.0, cpe:/o:debian:debian_linux:3.1
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 10/21/2005
Reference Information
CVE: CVE-2005-3088
BID: 15179
DSA: 900