svn commit: r303361 - head/security/vuxml
Matthias Andree
mandree at FreeBSD.org
Thu Aug 30 06:23:22 UTC 2012
Author: mandree
Date: Thu Aug 30 06:23:21 2012
New Revision: 303361
URL: http://svn.freebsd.org/changeset/ports/303361
Log:
Add a vuln' entry for fetchmail's CVE-2011-3389 vulnerability.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Aug 30 05:32:57 2012 (r303360)
+++ head/security/vuxml/vuln.xml Thu Aug 30 06:23:21 2012 (r303361)
@@ -51,6 +51,40 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec">
+ <topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic>
+ <affects>
+ <package>
+ <name>fetchmail</name>
+ <range><ge>6.3.9</ge><lt>6.3.22</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Matthias Andree reports:</p>
+ <blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-01.txt">
+ <p>Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which
+ contains a switch to disable a countermeasure against certain attacks
+ against block ciphers that permit guessing the initialization vectors,
+ providing that an attacker can make the application (fetchmail) encrypt
+ some data for him -- which is not easily the case.
+
+ Stream ciphers (such as RC4) are unaffected.
+ </p><p>
+ Credits to Apple Product Security for reporting this.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2011-3389</cvename>
+ </references>
+ <dates>
+ <discovery>2012-01-19</discovery>
+ <entry>2012-08-30</entry>
+ </dates>
+ </vuln>
+
<vuln vid="c906e0a4-efa6-11e1-8fbf-001b77d09812">
<topic>roundcube -- cross-site scripting in HTML email messages</topic>
<affects>
@@ -617,7 +651,7 @@ Note: Please add new entries to the beg
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Matthias Andree reports:</p>
- <blockquote cite="http://gitorious.org/fetchmail/fetchmail/blobs/raw/legacy_63/fetchmail-SA-2012-02.txt">
+ <blockquote cite="http://www.fetchmail.info/fetchmail-SA-2012-02.txt">
<p>With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.</p>
More information about the svn-ports-all
mailing list