|
|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200511-06] fetchmail: Password exposure in fetchmailconf Vulnerability Scan
Vulnerability Scan Summary
fetchmail: Password exposure in fetchmailconf
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200511-06
(fetchmail: Password exposure in fetchmailconf)
Thomas Wolff discovered that fetchmailconf opens the configuration
file with default permissions, writes the configuration to it, and only
then restricts read permissions to the owner.
Impact
A local attacker could exploit the race condition to retrieve
sensitive information like IMAP/POP passwords.
Workaround
Run "umask 077" to temporarily strengthen default permissions,
then run "fetchmailconf" from the same shell.
References:
http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088
Solution:
All fetchmail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2-r1"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|
