News

=========================================================== Ubuntu Security Notice USN-215-1 November 07, 2005 fetchmail vulnerability CVE-2005-3088 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) Ubuntu 5.10 (Breezy Badger) The following packages are affected: fetchmailconf The problem can be corrected by upgrading the affected package to version 6.2.5-8ubuntu2.2 (for Ubuntu 4.10), 6.2.5-12ubuntu1.2 (for Ubuntu 5.04), or 6.2.5-13ubuntu3.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Thomas Wolff and Miloslav Trmac discovered a race condition in the fetchmailconf program. The output configuration file was initially created with insecure permissions, and secure permissions were applied after writing the configuration into the file. During this time, the file was world readable on a standard system (unless the user manually tightened his umask setting), which could expose email passwords to local users.