field | value | date
---|---|---
author | Matthias Andree <matthias.andree@gmx.de> | 2006-11-19 11:26:46 +0000
committer | Matthias Andree <matthias.andree@gmx.de> | 2006-11-19 11:26:46 +0000
commit | eed0da9232f67df0e8f3b80133ca4319cd4886ab (patch) |
tree | f3dd3c87dde7b364263751acae15993327cac1b3 /fetchmail-SA-2006-03.txt |
parent | 59d59ab8425fad65e6b0afb3ee53593f099619e9 (diff) |
download | fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.tar.gz, fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.tar.bz2, fetchmail-eed0da9232f67df0e8f3b80133ca4319cd4886ab.zip |
Add new DoS advisory.
Ship 2006-02 and 2006-03 advisories.
svn path=/branches/BRANCH_6-3/; revision=4945
Diffstat (limited to 'fetchmail-SA-2006-03.txt')

mode | file | lines
---|---|---
-rw-r--r-- | fetchmail-SA-2006-03.txt | 81

1 files changed, 81 insertions, 0 deletions
diff --git a/fetchmail-SA-2006-03.txt b/fetchmail-SA-2006-03.txt new file mode 100644 index 00000000..5e404856 --- /dev/null +++ b/fetchmail-SA-2006-03.txt 
@@ -0,0 +1,81 @@ +fetchmail-SA-2006-03: crash when refusing message delivered through MDA + +Topics: fetchmail crashes when refusing a message to an MDA + +Author: Matthias Andree +Version: 1.0 +Announced: 2006-11-XX +Type: denial of service +Impact: fetchmail aborts prematurely +Danger: low +Credits: Neil Hoggart (bug report and analysis) +CVE Name: CVE-2006-XXXX +URL: http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt +Project URL: http://fetchmail.berlios.de/ + +Affects: fetchmail release = 6.3.5 + fetchmail release candidates 6.3.6-rc1, -rc2 + +Not affected: fetchmail release 6.3.6 + +Corrected: 2006-11-14 fetchmail SVN + + +0. Release history +================== + +2006-11-19 internal review draft + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +Fetchmail 6.3.5 and early 6.3.6 release candidates, when delivering +messages to a message delivery agent by means of the "mda" option, can +crash (by passing a NULL pointer to ferror() and fflush()) when refusing +a message. SMTP and LMTP delivery modes aren't affected. + + +3. Workaround +============= + +Avoid the mda option and ship to a local SMTP or LMTP server instead. + + +4. Solution +=========== + +Download and install fetchmail 6.3.6 or a newer stable release from +fetchmail's project site at +<http://developer.berlios.de/project/showfiles.php?group_id=1824>. + + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2006 by Matthias Andree, <matthias.andree@gmx.de>. +Some rights reserved. 
+ +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END OF fetchmail-SA-2006-03.txt |
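Review bot: the commit message says this advisory is being shipped, yet the text still carries the placeholders "Announced: 2006-11-XX" and "CVE Name: CVE-2006-XXXX", and the release history lists only "2006-11-19 internal review draft"; before the file leaves draft status, fill in the announcement date, either fill in the assigned CVE identifier or drop the "CVE Name:" line, and add a release-history entry for the published version. Two smaller points in the same hunk: the second Background paragraph (the Python/Tkinter "fetchmailconf" utility) has no bearing on the MDA delivery crash described in section 2 and reads as boilerplate carried over from the 2006-02 advisory, so consider removing it; and "Affects: fetchmail release = 6.3.5" would read more naturally as "fetchmail release 6.3.5", matching the "Not affected: fetchmail release 6.3.6" line below it.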