Mandriva Update For Fetchmail MDKSA-2007:105 (fetchmail) Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

The APOP functionality in fetchmail's POP3 client implementation was validating the APOP challenge too lightly, accepting random garbage as a POP3 server's APOP challenge, rather than insisting it conform to RFC-822 specifications. As a result of this flaw, it made man-in-the-middle attacks easier than necessary to retrieve the first few characters of the APOP secret, allowing them to potentially brute force the remaining characters easier than should be possible. Updated packages have been patched to prevent these issues, however it should be noted that the APOP MD5-based authentication scheme should no longer be considered secure.

Affected

fetchmail on Mandriva Linux 2007.0, Mandriva Linux 2007.0/X86_64, Mandriva Linux 2007.1, Mandriva Linux 2007.1/X86_64

Severity

Classification

CVE CVE-2007-1558
CVSS Base Score: 2.6
AV:N/AC:H/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Mandriva Security Advisory MDVSA-2009:313-1 (bind)
Mandriva Update for ncpfs MDVSA-2010:061 (ncpfs)
Mandriva Update for wireshark MDVSA-2012:125 (wireshark)
Mandriva Update for kdebase4-workspace MDVA-2008:156-1 (kdebase4-workspace)
Mandriva Update for timezone MDVA-2011:072 (timezone)

Mandriva Update for fetchmail MDKSA-2007:105 (fetchmail)

Take action and discover your vulnerabilities