Update website for 6.5.0.beta4 release.

1 files changed, 119 insertions, 0 deletions

diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt
new file mode 100644
index 00000000..5f2563be
--- /dev/null
+++ b/website/fetchmail-SA-2021-01.txt
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+fetchmail-SA-2021-01: DoS or information disclosure logging long messages
+
+Topics:		fetchmail denial of service or information disclosure when logging long messages
+
+Author:		Matthias Andree
+Version:	1.1
+Announced:	2021-07-28
+Type:		missing variable initialization can cause read from bad memory 
+		locations
+Impact:		fetchmail logs random information, or segfaults and aborts, 
+		stalling inbound mail
+Danger:		low
+Acknowledgment:	Christian Herdtweck, Intra2net AG, Tübingen, Germany
+		for analysis and report and a patch suggestion
+
+CVE Name:	CVE-2021-36386
+URL:		https://www.fetchmail.info/fetchmail-SA-2021-01.txt
+Project URL:	https://www.fetchmail.info/
+
+Affects:	- fetchmail releases up to and including 6.4.19
+
+Not affected:	- fetchmail releases 6.4.20 and newer
+
+Corrected in:	c546c829 Git commit hash
+
+		2021-07-28 fetchmail 6.4.20 release tarball
+
+
+0. Release history
+==================
+
+2021-07-07	initial report to maintainer
+2021-07-28 1.0	release
+2021-07-28 1.1	update Git commit hash with correction
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail has long had support to assemble log/error messages that are 
+generated piecemeal, and takes care to reallocate the output buffer as needed.  
+In the reallocation case, i. e. when long log messages are assembled that can 
+stem from very long headers, and on systems that have a varargs.h/stdarg.h 
+interface (all modern systems), fetchmail's code would fail to reinitialize 
+the va_list argument to vsnprintf. 
+
+The exact effects depend on the verbose mode (how many -v are given) of 
+fetchmail, computer architecture, compiler, operating system and 
+configuration.  On some systems, the code just works without ill effects, some 
+systems log a garbage message (potentially disclosing sensitive information), 
+some systems log literally "(null)", some systems trigger SIGSEGV (signal 
+#11), which crashes fetchmail, causing a denial of service on fetchmail's end.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.4.20 or newer.
+
+The fetchmail source code is available from
+<https://sourceforge.net/projects/fetchmail/files/>.
+
+Distributors are encouraged to review the NEWS file and move forward to 
+6.4.20, rather than backport individual security fixes, because doing so 
+routinely misses other fixes crucial to fetchmail's proper operation, 
+for which no security announcements are issued, or documentation,
+or translation updates.
+
+Fetchmail 6.4.X releases have been made with a focus on unchanged user and 
+program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 
+6.4.X to 6.4.Y with Y > X.  Care was taken to not change the interface 
+incompatibly.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC 
+BY-ND 4.0. To view a copy of this license, visit 
+http://creativecommons.org/licenses/by-nd/4.0/
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2021-01
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z
+hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft
+JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7
+55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK
+ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC
+h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9
+8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR
+fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh
+/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc
+aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI
+cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR
+/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE=
+=1rxO
+-----END PGP SIGNATURE-----