kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add a vuln' entry for fetchmail's CVE-2011-3389 vulnerability.

Browse source
This commit is contained in:
Matthias Andree 2012-08-30 06:23:21 +00:00
parent a553b8d753
commit 38ee66a4ac
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=303361
1 changed files with 35 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
security/vuxml/vuln.xml
View file

@ -51,6 +51,40 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec">
<topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic>
<affects>
<package>
<name>fetchmail</name>
<range><ge>6.3.9</ge><lt>6.3.22</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-01.txt">
<p>Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case.
Stream ciphers (such as RC4) are unaffected.
</p><p>
Credits to Apple Product Security for reporting this.
</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2011-3389</cvename>
</references>
<dates>
<discovery>2012-01-19</discovery>
<entry>2012-08-30</entry>
</dates>
</vuln>
<vuln vid="c906e0a4-efa6-11e1-8fbf-001b77d09812">
<topic>roundcube -- cross-site scripting in HTML email messages</topic>
<affects>
@ -617,7 +651,7 @@ Note: Please add new entries to the beginning of this file.
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
<blockquote cite="http://gitorious.org/fetchmail/fetchmail/blobs/raw/legacy_63/fetchmail-SA-2012-02.txt">
<blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-02.txt">
<p>With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.</p>