aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2010-02-09 10:41:30 +0100
committerMatthias Andree <matthias.andree@gmx.de>2010-02-09 10:41:30 +0100
commit92131c83dbc2ccba80c04efcd07b28852a648cf2 (patch)
tree36cc2e2f3130b5f455ddcf80b4cab088d226d405
parent3d6557294f6324efcf4daaeb060c8e97112c9e91 (diff)
downloadfetchmail-92131c83dbc2ccba80c04efcd07b28852a648cf2.tar.gz
fetchmail-92131c83dbc2ccba80c04efcd07b28852a648cf2.tar.bz2
fetchmail-92131c83dbc2ccba80c04efcd07b28852a648cf2.zip
Add CVE for sdump X.509 display bug in 6.3.11-6.3.13.
-rw-r--r--NEWS6
-rw-r--r--fetchmail-SA-2010-01.txt13
2 files changed, 11 insertions, 8 deletions
diff --git a/NEWS b/NEWS
index c8ee0933..e2c04976 100644
--- a/NEWS
+++ b/NEWS
@@ -67,9 +67,9 @@ fetchmail 6.3.15 (not yet released):
fetchmail 6.3.14 (released 2010-02-05, 25487 LoC):
# SECURITY FIXES
-* SSL/TLS certificate information is now also reported properly on computers
- that consider the "char" type signed. Fixes malloc() buffer overrun.
- Workaround for older versions: do not use verbose mode.
+* CVE-2010-0562: SSL/TLS certificate information is now also reported properly
+ on computers that consider the "char" type signed. Fixes malloc() buffer
+ overrun. Workaround for older versions: do not use verbose mode.
See fetchmail-SA-2010-01.txt for details, including a minimal patch.
# BUG FIXES
diff --git a/fetchmail-SA-2010-01.txt b/fetchmail-SA-2010-01.txt
index ea2b6617..d6276412 100644
--- a/fetchmail-SA-2010-01.txt
+++ b/fetchmail-SA-2010-01.txt
@@ -7,12 +7,13 @@ Topics: Heap overrun in verbose SSL certificate information display.
Author: Matthias Andree
Version: 1.0
-Announced:
+Announced: 2010-02-05
Type: malloc() Buffer overrun with printable characters
Impact: Code injection (difficult).
Danger: low
-CVE Name: to be assigned via oss-security@ list
+CVE Name: CVE-2010-0562
+CVSSv2: (AV:N/AC:H/Au:N/C:N/I:C/A:P/E:U/RL:O/RC:C) proposed
URL: http://www.fetchmail.info/fetchmail-SA-2010-01.txt
Project URL: http://www.fetchmail.info/
@@ -21,6 +22,7 @@ Affects: fetchmail releases 6.3.11, 6.3.12, and 6.3.13
Not affected: fetchmail release 6.3.14 and newer
Corrected: 2010-02-04 fetchmail SVN (r5467)
+ Git (f1c7607615ebd48807db6170937fe79bb89d47d4)
2010-02-05 fetchmail release 6.3.14
@@ -29,6 +31,7 @@ Corrected: 2010-02-04 fetchmail SVN (r5467)
2010-02-04 0.1 first draft (visible in SVN and through oss-security)
2010-02-05 1.0 fixed signed/unsigned typo (found by Nico Golde)
+2010-02-09 1.1 added CVE/CVSS, Announced: date
1. Background
@@ -135,7 +138,7 @@ END OF fetchmail-SA-2010-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
-iEYEARECAAYFAktrbs0ACgkQvmGDOQUufZWzMQCg49F/WJiOjGwWZKHHzBcfTgx/
-sLIAmQHPO3mezy3Ku0O29b4AXHL2ZQNb
-=kF7s
+iEYEARECAAYFAktxLWcACgkQvmGDOQUufZUGBQCg8AU5mXRaGBo+tETsGYjFX10m
+6SYAnA6IVIeoTjKvspD8BnLLd0yGU2iw
+=b7ry
-----END PGP SIGNATURE-----