Rapid7 Vulnerability & Exploit Database

RHSA-2002:047: Updated fetchmail packages available


Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 06/25/2002
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3 that close a remotely exploitable vulnerability in unpatched versions of fetchmail prior to 5.9.10.

When retrieving mail from an IMAP server, the fetchmail e-mail client allocates an array to store the sizes of the messages it will attempt to fetch. The size of the array is determined by the number of messages the server claims to have. Unpatched versions of fetchmail prior to 5.9.10 did not check whether the number of e-mails the server claimed was too high, so a malicious server could cause the fetchmail process to write data outside the array bounds. Users of fetchmail are advised to upgrade to this errata package, which is not vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0146 to this issue.
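As an added illustration in C (not fetchmail's own code and not part of this advisory), the hardened form of the pattern described above: the sizes array is sized from the count the server reports, and the message number in each per-message size reply is checked against that count before it is used as an array index, with both values treated as untrusted server input. The reply format, the MAX_MESSAGES cap and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative reconstruction (not fetchmail's code) of the pattern the
 * advisory describes: an array of message sizes is allocated from the
 * message count the IMAP server reports, then filled from per-message
 * size replies. Both the count and every message number come from the
 * untrusted server, so both must be validated before they touch memory. */

#define MAX_MESSAGES 1000000L   /* assumed sanity cap on a server-reported count */

/* Parse one "* <n> FETCH (RFC822.SIZE <bytes>)" reply (assumed format);
 * returns 1 on success, 0 if the line is not a size reply. */
static int parse_size_line(const char *line, long *num, long *size) {
    return sscanf(line, "* %ld FETCH (RFC822.SIZE %ld)", num, size) == 2;
}

/* Hardened version. Returns the number of sizes stored and hands back the
 * array in *out, or returns -1 (and *out == NULL) when the server's data
 * would have stepped outside the array. The unpatched pattern did
 * sizes[num - 1] = size with no check that num fits the allocation. */
long collect_sizes(long count, const char **lines, int nlines, long **out) {
    *out = NULL;
    if (count < 0 || count > MAX_MESSAGES) return -1;  /* implausible message count */
    long *sizes = calloc((size_t)count, sizeof *sizes);
    if (sizes == NULL && count > 0) return -1;
    long stored = 0;
    for (int i = 0; i < nlines; i++) {
        long num, size;
        if (!parse_size_line(lines[i], &num, &size)) continue;
        if (num < 1 || num > count || size < 0) {      /* the missing bounds check */
            free(sizes);
            return -1;                                 /* reject the whole reply set */
        }
        sizes[num - 1] = size;
        stored++;
    }
    *out = sizes;
    return stored;
}
```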

Solution(s)

  • redhat-upgrade-fetchmail
  • redhat-upgrade-fetchmailconf
