author: Matthias Andree <matthias.andree@gmx.de> 2006-11-19 11:26:46 +0000
committer: Matthias Andree <matthias.andree@gmx.de> 2006-11-19 11:26:46 +0000
commit: eed0da9232f67df0e8f3b80133ca4319cd4886ab (patch)
tree: f3dd3c87dde7b364263751acae15993327cac1b3
parent: 59d59ab8425fad65e6b0afb3ee53593f099619e9 (diff)
download: fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.tar.gz
fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.tar.bz2
fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.zip
Add new DoS advisory.
Ship 2006-02 and 2006-03 advisories. svn path=/branches/BRANCH_6-3/; revision=4945
-rw-r--r--  Makefile.am               2
-rw-r--r--  fetchmail-SA-2006-03.txt  81
2 files changed, 83 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index db06fee0..916e63fb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -127,6 +127,8 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
fetchmail-features.html README.SSL README.NTLM \
README.packaging \
fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
+ fetchmail-SA-2006-03.txt \
+ fetchmail-SA-2006-02.txt \
fetchmail-SA-2006-01.txt \
fetchmail-SA-2005-01.txt \
fetchmail-SA-2005-02.txt \
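Review bot: the DISTDOCS addition of `fetchmail-SA-2006-02.txt` on the second `+` line refers to a file this commit does not add (the diffstat lists only Makefile.am and fetchmail-SA-2006-03.txt), so `make dist` will fail unless fetchmail-SA-2006-02.txt is already present in the tree; confirm it exists, or add it in the same change so the distribution stays buildable.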
diff --git a/fetchmail-SA-2006-03.txt b/fetchmail-SA-2006-03.txt
new file mode 100644
index 00000000..5e404856
--- /dev/null
+++ b/fetchmail-SA-2006-03.txt
@@ -0,0 +1,81 @@
+fetchmail-SA-2006-03: crash when refusing message delivered through MDA
+
+Topics: fetchmail crashes when refusing a message to an MDA
+
+Author: Matthias Andree
+Version: 1.0
+Announced: 2006-11-XX
+Type: denial of service
+Impact: fetchmail aborts prematurely
+Danger: low
+Credits: Neil Hoggart (bug report and analysis)
+CVE Name: CVE-2006-XXXX
+URL: http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
+Project URL: http://fetchmail.berlios.de/
+
+Affects: fetchmail release = 6.3.5
+ fetchmail release candidates 6.3.6-rc1, -rc2
+
+Not affected: fetchmail release 6.3.6
+
+Corrected: 2006-11-14 fetchmail SVN
+
+
+0. Release history
+==================
+
+2006-11-19 internal review draft
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail 6.3.5 and early 6.3.6 release candidates, when delivering
+messages to a message delivery agent by means of the "mda" option, can
+crash (by passing a NULL pointer to ferror() and fflush()) when refusing
+a message. SMTP and LMTP delivery modes aren't affected.
+
+
+3. Workaround
+=============
+
+Avoid the mda option and ship to a local SMTP or LMTP server instead.
+
+
+4. Solution
+===========
+
+Download and install fetchmail 6.3.6 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2006 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2006-03.txt
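Review bot: the second Background paragraph describing the fetchmailconf Python/Tkinter utility has no bearing on this advisory, which concerns a NULL pointer passed to ferror()/fflush() in the MDA delivery path, and looks carried over from an earlier advisory; drop it so readers are not misled into thinking fetchmailconf is involved. Before publication the placeholders `Announced: 2006-11-XX` and `CVE Name: CVE-2006-XXXX` need real values, and the release history should gain the corresponding public release entry; the "internal review draft" line makes clear this is intentional for now.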