Message-ID: <Pine.GSO.4.51.0909011314140.5392@faron.mitre.org>
Date: Tue, 1 Sep 2009 13:14:56 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: cve@...re.org
Subject: Re: Re: CVE-2007-1558 update (was: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP))

Updated to include mailfilter and the versions for fetchmail. The
oss-security posts will also be added as references.

- Steve

======================================================
Name: CVE-2007-1558
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
Reference: BUGTRAQ:20070402 APOP vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/464477/30/0/threaded
Reference: BUGTRAQ:20070403 Re: APOP vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/464569/100/0/threaded
Reference: BUGTRAQ:20070615 rPSA-2007-0122-1 evolution-data-server
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/471455/100/0/threaded
Reference: BUGTRAQ:20070619 FLEA-2007-0026-1: evolution-data-server
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/471720/100/0/threaded
Reference: BUGTRAQ:20070531 FLEA-2007-0023-1: firefox
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/470172/100/200/threaded
Reference: BUGTRAQ:20070620 FLEA-2007-0027-1: thunderbird
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/471842/100/0/threaded
Reference: MLIST:[balsa-list] 20070704 balsa-2.3.17 released
Reference: URL:http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
Reference: CONFIRM:http://docs.info.apple.com/article.html?artnum=305530
Reference: CONFIRM:http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
Reference: CONFIRM:http://sourceforge.net/forum/forum.php?forum_id=683706
Reference: CONFIRM:http://sylpheed.sraoss.jp/en/news.html
Reference: CONFIRM:http://www.claws-mail.org/news.php
Reference: CONFIRM:http://www.mozilla.org/security/announce/2007/mfsa2007-15.html
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-1424
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-1232
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-1231
Reference: CONFIRM:http://balsa.gnome.org/download.html
Reference: APPLE:APPLE-SA-2007-05-24
Reference: URL:http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
Reference: DEBIAN:DSA-1300
Reference: URL:http://www.debian.org/security/2007/dsa-1300
Reference: DEBIAN:DSA-1305
Reference: URL:http://www.debian.org/security/2007/dsa-1305
Reference: GENTOO:GLSA-200706-06
Reference: URL:http://security.gentoo.org/glsa/glsa-200706-06.xml
Reference: HP:HPSBUX02153
Reference: URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
Reference: HP:HPSBUX02156
Reference: URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
Reference: HP:SSRT061181
Reference: URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
Reference: HP:SSRT061236
Reference: URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
Reference: MANDRIVA:MDKSA-2007:105
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:105
Reference: MANDRIVA:MDKSA-2007:107
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:107
Reference: MANDRIVA:MDKSA-2007:113
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:113
Reference: MANDRIVA:MDKSA-2007:119
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:119
Reference: MANDRIVA:MDKSA-2007:131
Reference: URL:http://www.mandriva.com/security/advisories?name=MDKSA-2007:131
Reference: REDHAT:RHSA-2007:0353
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0353.html
Reference: REDHAT:RHSA-2007:0344
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0344.html
Reference: REDHAT:RHSA-2007:0386
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0386.html
Reference: REDHAT:RHSA-2007:0385
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0385.html
Reference: REDHAT:RHSA-2007:0401
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0401.html
Reference: REDHAT:RHSA-2007:0402
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0402.html
Reference: REDHAT:RHSA-2009:1140
Reference: URL:http://www.redhat.com/support/errata/RHSA-2009-1140.html
Reference: SGI:20070602-01-P
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
Reference: SLACKWARE:SSA:2007-152-02
Reference: URL:http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
Reference: SUSE:SUSE-SA:2007:036
Reference: URL:http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
Reference: SUSE:SUSE-SR:2007:014
Reference: URL:http://www.novell.com/linux/security/advisories/2007_14_sr.html
Reference: TRUSTIX:2007-0019
Reference: URL:http://www.trustix.org/errata/2007/0019/
Reference: TRUSTIX:2007-0024
Reference: URL:http://www.trustix.org/errata/2007/0024/
Reference: UBUNTU:USN-469-1
Reference: URL:http://www.ubuntu.com/usn/usn-469-1
Reference: UBUNTU:USN-520-1
Reference: URL:http://www.ubuntu.com/usn/usn-520-1
Reference: CERT:TA07-151A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA07-151A.html
Reference: BID:23257
Reference: URL:http://www.securityfocus.com/bid/23257
Reference: SECUNIA:35699
Reference: URL:http://secunia.com/advisories/35699
Reference: VUPEN:ADV-2007-1466
Reference: URL:http://www.frsirt.com/english/advisories/2007/1466
Reference: VUPEN:ADV-2007-1467
Reference: URL:http://www.frsirt.com/english/advisories/2007/1467
Reference: VUPEN:ADV-2007-1468
Reference: URL:http://www.frsirt.com/english/advisories/2007/1468
Reference: VUPEN:ADV-2007-1480
Reference: URL:http://www.frsirt.com/english/advisories/2007/1480
Reference: VUPEN:ADV-2007-1939
Reference: URL:http://www.frsirt.com/english/advisories/2007/1939
Reference: VUPEN:ADV-2007-1994
Reference: URL:http://www.frsirt.com/english/advisories/2007/1994
Reference: VUPEN:ADV-2007-2788
Reference: URL:http://www.frsirt.com/english/advisories/2007/2788
Reference: VUPEN:ADV-2008-0082
Reference: URL:http://www.frsirt.com/english/advisories/2008/0082
Reference: SECTRACK:1018008
Reference: URL:http://www.securitytracker.com/id?1018008
Reference: SECUNIA:25353
Reference: URL:http://secunia.com/advisories/25353
Reference: SECUNIA:25402
Reference: URL:http://secunia.com/advisories/25402
Reference: SECUNIA:25476
Reference: URL:http://secunia.com/advisories/25476
Reference: SECUNIA:25529
Reference: URL:http://secunia.com/advisories/25529
Reference: SECUNIA:25546
Reference: URL:http://secunia.com/advisories/25546
Reference: SECUNIA:25496
Reference: URL:http://secunia.com/advisories/25496
Reference: SECUNIA:25559
Reference: URL:http://secunia.com/advisories/25559
Reference: SECUNIA:25534
Reference: URL:http://secunia.com/advisories/25534
Reference: SECUNIA:25664
Reference: URL:http://secunia.com/advisories/25664
Reference: SECUNIA:25750
Reference: URL:http://secunia.com/advisories/25750
Reference: SECUNIA:25798
Reference: URL:http://secunia.com/advisories/25798
Reference: SECUNIA:25894
Reference: URL:http://secunia.com/advisories/25894
Reference: SECUNIA:26083
Reference: URL:http://secunia.com/advisories/26083
Reference: SECUNIA:26415
Reference: URL:http://secunia.com/advisories/26415
Reference: SECUNIA:25858
Reference: URL:http://secunia.com/advisories/25858

The APOP protocol allows remote attackers to guess the first 3
characters of a password via man-in-the-middle (MITM) attacks that use
crafted message IDs and MD5 collisions. NOTE: this design-level issue
potentially affects all products that use APOP, including (1)
Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution,
(3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9
and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter
before 0.8.2, and possibly other products.
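
Added example, not part of the original message and not code from any of the listed products: a client-side check that refuses to answer an APOP challenge unless it is a well-formed message ID, which narrows what a crafted message ID can contain but does not remove the design-level weakness. It assumes the RFC 1939 rule that the APOP timestamp has RFC 822 msg-id syntax; the function names, the length bound and the requirement that the challenge end the greeting line are assumptions of this sketch.

```python
import hashlib
import re

# Strict form of the RFC 822 msg-id that RFC 1939 requires for the APOP
# timestamp: "<local@domain>", printable ASCII only, exactly one "@",
# no whitespace, control or 8-bit bytes, no nested angle brackets.
_ATOM = rb"[!-;=?A-~]+"
_MSG_ID = re.compile(rb"<" + _ATOM + rb"@" + _ATOM + rb">")
MAX_CHALLENGE_LEN = 128  # assumption: generous bound for a real timestamp

# Constructed inputs: GOOD is the RFC 1939 sample greeting; BAD carries raw
# 8-bit and control bytes inside the challenge and must be refused.
GOOD = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
BAD = b"+OK POP3 server ready <1896.\x80\x07@dbc.mtview.ca.us>\r\n"


def extract_challenge(greeting: bytes) -> bytes:
    """Return the APOP challenge from a POP3 greeting, or raise ValueError."""
    line = greeting.rstrip(b"\r\n")
    if not line.startswith(b"+OK"):
        raise ValueError("greeting is not a positive response")
    start = line.find(b"<")
    if start < 0:
        raise ValueError("server does not offer APOP")
    challenge = line[start:]  # assumption: the challenge ends the line
    if len(challenge) > MAX_CHALLENGE_LEN:
        raise ValueError("challenge too long")
    if not _MSG_ID.fullmatch(challenge):
        raise ValueError("challenge is not a well-formed msg-id")
    return challenge


def apop_digest(challenge: bytes, secret: bytes) -> str:
    """RFC 1939 digest: hex MD5 of the challenge followed by the secret."""
    return hashlib.md5(challenge + secret).hexdigest()


def apop_command(greeting: bytes, user: str, secret: bytes) -> str:
    """Build the APOP command, validating before the secret is hashed."""
    challenge = extract_challenge(greeting)
    return f"APOP {user} {apop_digest(challenge, secret)}"


if __name__ == "__main__":
    print(apop_command(GOOD, "mrose", b"tanstaaf"))
    try:
        apop_command(BAD, "mrose", b"tanstaaf")
    except ValueError as exc:
        print("refused:", exc)
```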