175022 2007-04-18 05:24 0000 net-mail/fetchmail APOP design error (CVE-2007-1558) 2007-06-24 23:27:07 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558 B? [noglsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org net-mail@gentoo.org jaervosz@gentoo.org 2007-04-18 05:24:22 0000 The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. ticho@gentoo.org 2007-04-18 06:30:45 0000 From fetchmail-6.3.8's changelog: fetchmail 6.3.8 (released 2007-04-06): # SECURITY STRENGTHENING: * Make the APOP challenge parser more distrustful and have it reject challenges that do not conform to RFC-822 msg-id format, in the hope to make mounting man-in-the-middle attacks (MITM) against APOP a bit more difficult. (CVE-2007-1558, reported by Gaëtan Leurent, published 2007-04-02 on Bugtraq) APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical setups: based on MD5 collisions, it is purportedly possible to recover the first three characters of the shared secret (password), which would then make recovery of the shared secret a matter of hours or minutes; this would then enable the attacker to impersonate the client vis-à-vis the server. For further details, check * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in Springer's Lecture Notes on Computer Science.) * The mailing list discussion thread at <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html> ticho@gentoo.org 2007-04-22 22:01:04 0000 Um, I forgot to mention that 6.3.8 has been in the tree for quite some time now... jaervosz@gentoo.org 2007-04-30 09:13:17 0000 Thx Ticho. Arches please test and mark stable. Target keywords are: fetchmail-6.3.8.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd" armin76@gentoo.org 2007-04-30 11:53:13 0000 ia64 + x86 stable gustavoz@gentoo.org 2007-04-30 12:27:07 0000 sparc stable. beandog@gentoo.org 2007-04-30 13:50:51 0000 amd64 stable corsair@gentoo.org 2007-05-01 09:23:13 0000 ppc64 stable jer@gentoo.org 2007-05-02 01:02:43 0000 Stable for HPPA. kloeri@gentoo.org 2007-05-02 12:53:33 0000 Alpha done. dertobi123@gentoo.org 2007-05-03 18:41:21 0000 ppc stable, ready for GLSA voting py@gentoo.org 2007-05-03 18:46:13 0000 voting NO. 3 chars != full password, if someone uses a 3 chars password he has more serious problems to worry about :) jaervosz@gentoo.org 2007-05-03 18:55:57 0000 Voting NO and closing. Feel free to reopen if you disagree. kumba@gentoo.org 2007-05-13 00:05:04 0000 mips stable.