Note: This is an archival copy of Security Sun Alert 200360 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000253.1.
Article ID : 1000253.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-06
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun Linux/Sun Cobalt Security Vulnerability in "fetchmail"


Release Phase

Date of Workaround Release

Date of Resolved Release

1. Impact

On Sun Linux and Sun Cobalt systems, a remote user may be able to execute arbitrary commands with access rights of another user who is running the "fetchmail" program. Depending on the system's configuration, this could lead to unauthorized root access.

This issue is described in

2. Contributing Factors

This issue can occur in the following releases:

Sun Linux 5.0

  • fetchmail-5.9.0-1.i386.rpm

Qube 2

  • fetchmail-4.7.4-1.mips.rpm

Qube 3

  • fetchmail-5.5.0-1C1.i386.rpm

Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server.

3. Symptoms

There are no symptoms that would show the described issue has been exploited on a system.

4. Workaround

As a possible workaround for Sun Cobalt Server Appliances (Qube 3 and Qube 2), disable remote mail acquisition through the Cobalt GUI: go to the "Email Services" tab under "Remote Retrieval" and uncheck the "Enable Remote Retrieval" check box. As a result, remote mail retrieval will not function until it is re-enabled.

5. Resolution

This issue is addressed in the following releases:

Sun Linux 5.0

  • fetchmail-5.9.0-21.7.3.i386.rpm
  • fetchmailconf-5.9.0-21.7.3.i386.rpm
  • fetchmail-5.9.0-21.7.3.src.rpm

Cobalt Qube 3

  • Qube3-All-Security-4.0.1-16169.pkg

Instructions for downloading the above packages can be found in 1234813.1 in MyOracleSupport.
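
The following check is an added example, not part of the original Sun Alert: it classifies a fetchmail RPM build on Sun Linux 5.0 against the affected and fixed builds listed above. The function names and status labels are hypothetical, and it assumes GNU `sort -V` orders these builds the same way RPM does; the Qube releases are not covered because their fix ships as a `.pkg` bundle.

```shell
#!/bin/sh
# Added example, not part of the original Sun Alert.
# Builds named in this advisory for Sun Linux 5.0
# (VERSION-RELEASE of the fetchmail RPM).
LISTED_AFFECTED="5.9.0-1"
LISTED_FIXED="5.9.0-21.7.3"

# Print the lower of two VERSION-RELEASE strings.
# Assumption: GNU "sort -V" orders these builds the same way RPM does.
lowest() {
    printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1
}

# classify_fetchmail VERSION-RELEASE
#   listed-affected : exactly the build the advisory names as affected
#   resolved        : the fixed build or anything newer
#   older-than-fix  : not named in the advisory but older than the fix;
#                     treating it as needing the update is an assumption
classify_fetchmail() {
    evr=$1
    if [ "$evr" = "$LISTED_AFFECTED" ]; then
        echo "listed-affected"
    elif [ "$(lowest "$evr" "$LISTED_FIXED")" = "$LISTED_FIXED" ]; then
        echo "resolved"
    else
        echo "older-than-fix"
    fi
}

# check_host: query the local RPM database and classify the result.
check_host() {
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' fetchmail 2>/dev/null) || {
        echo "not-installed"
        return 0
    }
    classify_fetchmail "$evr"
}
```

Source the file and run `check_host` on the Sun Linux 5.0 system, or pass a build string from an inventory export to `classify_fetchmail`.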

Note: This Sun Alert was originally created to resolve the issue described in

The above patches address the issues described in also.

Sun Cobalt Qube 3 Server

Modification History
24-JUN-2003: Updated Resolution section. Resolved.
