-rw-r--r-- fetchmail-SA-2005-01.txt | 26
-rw-r--r-- fetchmail-SA-2005-02.txt | 26
2 files changed, 18 insertions, 34 deletions
diff --git a/fetchmail-SA-2005-01.txt b/fetchmail-SA-2005-01.txt index 753234e2..129fe434 100644 --- a/fetchmail-SA-2005-01.txt +++ b/fetchmail-SA-2005-01.txt @@ -3,7 +3,7 @@ fetchmail-SA-2005-01: security announcement Topic: remote code injection vulnerability in fetchmail Author: Matthias Andree -Version: 1.03 +Version: 1.04 Announced: 2005-07-21 Type: buffer overrun/stack corruption/code injection Impact: account or system compromise possible through malicious @@ -29,8 +29,8 @@ Affects: fetchmail version 6.2.5.1 (denial of service) (other versions have not been checked) Not affected: fetchmail 6.2.5.2 - fetchmail 6.2.6-pre7 - fetchmail 6.3.0 (not released yet) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Older versions may not have THIS bug, but had been found to contain other security-relevant bugs. @@ -38,6 +38,8 @@ Not affected: fetchmail 6.2.5.2 Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) 2005-07-22 fetchmail-patch-6.2.5.2 released 2005-07-23 fetchmail-6.2.5.2 tarball released + 2005-11-13 fetchmail-6.2.5.4 tarball released + 2005-11-30 fetchmail-6.3.0 tarball released 0. Release history @@ -56,6 +58,8 @@ Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) - Add heise security URL. - Mention release of 6.2.5.2 tarball. 2005-10-27 1.03 - Update CVE Name after CVE naming change +2005-12-08 1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected" + - remove patch information 1. Background 
@@ -94,24 +98,10 @@ No reasonable workaround can be offered at this time. 5. Solution -Upgrade your fetchmail package to version 6.2.5.2. - -You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz, -or you can download a patch against fetchmail-6.2.5 if you already have -the 6.2.5 tarball. Either is available from: +Upgrade your fetchmail package to version 6.3.0 or newer. <http://developer.berlios.de/project/showfiles.php?group_id=1824> -To use the patch: - - 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already - had downloaded) and fetchmail-patch-6.2.5.2.tar.gz - 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf - - 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz - 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2 - 5. now configure and build as usual - detailed instructions in the file - named "INSTALL". - A. References fetchmail home page: <http://fetchmail.berlios.de/> diff --git a/fetchmail-SA-2005-02.txt b/fetchmail-SA-2005-02.txt index 375c8ef4..271a3d02 100644 --- a/fetchmail-SA-2005-02.txt +++ b/fetchmail-SA-2005-02.txt @@ -3,7 +3,7 @@ fetchmail-SA-2005-02: security announcement Topic: password exposure in fetchmailconf Author: Matthias Andree -Version: 1.02 +Version: 1.03 Announced: 2005-10-21 Type: insecure creation of file Impact: passwords are written to a world-readable file 
@@ -20,14 +20,14 @@ Affects: fetchmail version 6.2.5.2 fetchmailconf 1.43.1 (shipped separately, now withdrawn) (other versions have not been checked but are presumed affected) -Not affected: fetchmail 6.2.9-rc6 - fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) - fetchmailconf 1.49 (shipped with 6.2.9-rc6) - fetchmail 6.3.0 (not released yet) +Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) 2005-10-21 - released fetchmailconf-1.43.2 - 2005-10-21 - released fetchmail 6.2.9-rc6 + 2005-11-13 - released fetchmail 6.2.5.4 + 2005-11-30 - released fetchmail 6.3.0 0. Release history ================== @@ -38,6 +38,7 @@ Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) - added Credits 2005-10-27 1.02 - reformatted section 0 - updated CVE Name to new naming scheme +2005-12-08 1.03 - update version information and solution 1. Background ============= @@ -68,16 +69,9 @@ fetchmailconf has finished, you can restore your old umask. 4. Solution =========== -For users of fetchmail-6.2.5.2: -------------------------------- -Download fetchmailconf-1.43.2.gz from fetchmail's project site -<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>, -gunzip it, then replace your existing fetchmailconf with it. - -For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: ---------------------------------------------------------- -update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. -<https://developer.berlios.de/project/showfiles.php?group_id=1824> +Download and install fetchmail 6.3.0 or a newer stable release from +fetchmail's project site at +<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>. A. References ============= |
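Review bot: in the fetchmail-SA-2005-01.txt hunk at `@@ -29,8 +29,8 @@`, the "Not affected" entry `fetchmail 6.2.6-pre7` is dropped without any mention in the release-history hunk (`2005-12-08 1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected"` / `- remove patch information`). A reader still running 6.2.6-pre7 will no longer find their version listed either way and cannot tell whether it is now considered vulnerable or merely a withdrawn pre-release. Either keep the line, or add a third release-history bullet such as "- drop pre-release versions from the Not affected list" so the change is documented.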
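Review bot: in the fetchmail-SA-2005-01.txt hunk at `@@ -94,24 +98,10 @@`, the new Solution line `+Upgrade your fetchmail package to version 6.3.0 or newer.` is narrower than the "Not affected" list the same patch updates, which still names `fetchmail 6.2.5.2` and adds `fetchmail 6.2.5.4`. Users who must stay on the 6.2.x branch are left with no stated fix even though the advisory says 6.2.5.4 is not affected. Suggest wording the solution as "Upgrade to fetchmail 6.2.5.4 or newer, or to 6.3.0 or newer" so the Solution and Not affected sections agree.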
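Review bot: in the fetchmail-SA-2005-02.txt hunk at `@@ -20,14 +20,14 @@`, removing `- 2005-10-21 - released fetchmail 6.2.9-rc6` from the "Corrected" block deletes a historical fact rather than updating status: the rc6 release did happen on that date per the previous advisory revision, and a timeline that is edited after the fact undermines the point of keeping one. Likewise `fetchmailconf 1.49 (shipped with 6.2.9-rc6)` disappears from "Not affected" with no replacement, so anyone who followed the earlier advisory's advice can no longer confirm their state. Prefer leaving the rc6 lines in place and only adding the 6.2.5.4 and 6.3.0 entries.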
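Review bot: in the fetchmail-SA-2005-02.txt hunk at `@@ -68,16 +69,9 @@`, the new Solution keeps the URL `<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>`, but that `release_id` was carried over from the deleted paragraph where it pointed at the fetchmailconf-1.43.2 download; for "fetchmail 6.3.0 or a newer stable release" it will send readers to the wrong release page. Use the plain `showfiles.php?group_id=1824` form that the SA-2005-01 Solution uses. The hunk also drops the fetchmailconf-1.43.2 instructions for 6.2.5.2 users while the `@@ -20,14` hunk still lists `fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)` as not affected, so either keep a one-line pointer to 1.43.2 for those users or remove the "use this for" hint.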