Document fix for NTLM crash, + Security advisory (draft).

author: Matthias Andree <matthias.andree@gmx.de> 2012-08-13 21:23:41 +0200
committer: Matthias Andree <matthias.andree@gmx.de> 2012-08-13 21:23:41 +0200
commit: f1c0ba89205211f7f723ca81c0130dde30dca336 (patch)
tree: c01c306af775cbc3a57c6d527a8dc773eef78ded /NEWS
parent: c5f27176c54910a45ea469cae07952b98a7b197e (diff)
download: fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.tar.gz
fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.tar.bz2
fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index cb6e5d14..3ee8d85b 100644
--- a/NEWS
+++ b/NEWS
@@ -58,7 +58,14 @@ removed from a 6.4.0 or newer release.)
 
 fetchmail-6.3.22 (not yet released):
 
-# SECURITY FIX
+# SECURITY FIXES
+* CVE-2012-(not yet assigned):
+  NTLM: fetchmail mistook an error message that the server sent in response to
+  an NTLM request for protocol exchange, tried to decode it, and crashed while
+  reading from a bad memory location.
+  Fix: Detect base64 decoding errors and abort NTLM authentication.
+  See fetchmail-SA-2012-02.txt for further details.
+  Reported by J. Porter Clark.
 * CVE-2011-3389:
   SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure 
   against a certain kind of attack against cipher block chaining initialization
author	Matthias Andree <matthias.andree@gmx.de>	2012-08-13 21:23:41 +0200
committer	Matthias Andree <matthias.andree@gmx.de>	2012-08-13 21:23:41 +0200
commit	f1c0ba89205211f7f723ca81c0130dde30dca336 (patch)
tree	c01c306af775cbc3a57c6d527a8dc773eef78ded /NEWS
parent	c5f27176c54910a45ea469cae07952b98a7b197e (diff)
download	fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.tar.gz fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.tar.bz2 fetchmail-f1c0ba89205211f7f723ca81c0130dde30dca336.zip