Buffer overflows in fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a long header that is not properly handled by the readHeader function, or (2) a long Received header that is not properly parsed by the parse_received function.
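As an added illustration of the bound check this bug class is missing (example code, not fetchmail's parse_received; the function names, ADDR_MAX and the Received: lines are constructed for the example), a Received-header parser that refuses any "for <addr>" address that would not fit its fixed buffer instead of writing past it:

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64   /* constructed buffer size for this example */

/* Extract the address from the "for <addr>" clause of a Received: line.
 * Copies at most outlen-1 bytes and refuses addresses that would not fit.
 * Returns 1 on success, 0 if the clause is absent, empty, unterminated,
 * or too long for out[]. */
int parse_received_for(const char *hdr, char *out, size_t outlen)
{
    const char *start = strstr(hdr, "for <");
    if (start == NULL)
        return 0;
    start += strlen("for <");
    const char *end = strchr(start, '>');
    if (end == NULL)
        return 0;
    size_t len = (size_t)(end - start);
    if (len == 0 || len + 1 > outlen)      /* the check that prevents the overflow */
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Builds a constructed Received: line whose "for <...>" address is addr_len
 * bytes long and returns the parser's verdict, to show that an overlong
 * address is rejected rather than copied past the ADDR_MAX buffer. */
int probe_received_length(size_t addr_len)
{
    char hdr[512];
    char out[ADDR_MAX];
    if (addr_len > 400)
        addr_len = 400;                    /* keep the constructed line inside hdr[] */
    size_t n = (size_t)snprintf(hdr, sizeof hdr, "Received: from mx.example (mx.example [192.0.2.10]) by host for <");
    memset(hdr + n, 'a', addr_len);
    strcpy(hdr + n + addr_len, ">; Thu, 03 Oct 2002 12:00:00 +0000");
    return parse_received_for(hdr, out, sizeof out);
}

int main(void)
{
    char out[ADDR_MAX];
    const char *ok = "Received: from mx.example (mx.example [192.0.2.10]) by host for <alice@example.org>; Thu";
    if (parse_received_for(ok, out, sizeof out))
        printf("accepted: %s\n", out);
    printf("200-byte address: %s\n", probe_received_length(200) ? "accepted" : "rejected");
    return 0;
}
```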
Conectiva
---------
Conectiva has issued a security advisory (CLA-2002:531) and corresponding patches:
CLA-2002:531: fetchmail
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000531
Patch downloads: updated fetchmail, fetchmailconf and fetchmail-doc packages for Conectiva Linux 6.0, 7.0 and 8 are listed in the advisory above.

Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
- Add the following line to /etc/apt/sources.list:
  rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
  (if you are not running version 6.0, substitute the appropriate version number for 6.0 above)
- Run: apt-get update
- After the update, run: apt-get upgrade

Debian
------
Debian has issued a security advisory (DSA-171-1) and corresponding patches:
DSA-171-1: New fetchmail packages fix buffer overflows
Link: http://www.debian.org/security/2002/dsa-171
Patch downloads: source archives and per-architecture binary packages (fetchmail 5.3.3-4.2, and fetchmail / fetchmail-ssl 5.9.11-6.1 for Debian GNU/Linux 3.0 alias woody), with MD5 checksums, are listed in the advisory above.

Patch installation:
1. Install the patch packages manually:
   First, download the patch package with:
   # wget url   (url is the patch download link)
   Then install it with:
   # dpkg -i file.deb   (file is the name of the patch package)
2. Install the patch packages automatically with apt-get:
   First, refresh the package database with:
   # apt-get update
   Then install the updated packages with:
   # apt-get upgrade

RedHat
------
RedHat has issued a security advisory (RHSA-2002:215-09) and corresponding patches:
RHSA-2002:215-09: Updated fetchmail packages fix vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2002-215.html
Patch downloads: updated fetchmail and fetchmailconf RPMs for Red Hat Linux 6.2, 7.0, 7.1, 7.2, 7.3 and 8.0 are listed in the advisory above.

Eric Raymond
------------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:
Eric Raymond Upgrade fetchmail-6.1.0.tar.gz
http://www.tuxedo.org/~esr/fetchmail/fetchmail-6.1.0.tar.gz