Diffstat (limited to 'fetchmail-SA-2005-03.txt')
-rw-r--r--  fetchmail-SA-2005-03.txt  113
1 files changed, 113 insertions, 0 deletions
diff --git a/fetchmail-SA-2005-03.txt b/fetchmail-SA-2005-03.txt
new file mode 100644
index 00000000..f8fb3448
--- /dev/null
+++ b/fetchmail-SA-2005-03.txt
@@ -0,0 +1,113 @@
+fetchmail-SA-2005-03: security announcement
+
+Topics: #1 crash retrieving headerless message in multidrop mode
+ #2 fetchmail 6.2.5.X end of life
+
+Author: Matthias Andree
+Version: 1.00
+Announced: 2005-12-19
+Type: null pointer dereference
+Impact: fetchmail crashes
+Danger: low
+Credits: Daniel Drake, Gentoo (bug report)
+ Sunil Shetye (bug fix)
+CVE Name: CVE-2005-4348
+URL: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
+ http://article.gmane.org/gmane.mail.fetchmail.user/7573
+ http://bugs.debian.org/343836
+Project URL: http://fetchmail.berlios.de/
+
+Affects: fetchmail version 6.2.5.4
+ fetchmail version 6.3.0
+
+Not affected: fetchmail 6.3.1
+ fetchmail 6.2.5.5
+ other versions not mentioned here or in the previous
+ sections have not been checked
+
+Corrected: 2005-12-19 - released fetchmail 6.3.1
+ 2005-12-18 - released fetchmail 6.3.1-rc1
+ 2005-12-19 - released fetchmail 6.2.5.5
+
+
+0. Release history
+==================
+
+2005-12-19 1.00 - initial version
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail contains a bug that causes an application crash when fetchmail
+is configured for multidrop mode and the upstream mail server sends a
+message without headers. As fetchmail does not record this message as
+"previously fetched", it will crash with the same message if it is
+re-executed, so it cannot make progress. A malicious or broken-into
+upstream server could thus cause a denial of service in fetchmail
+clients.
+
+Note that such messages are not RFC-822 conformant, so if the server has
+not been tampered with, the server software is faulty.
+
+
+3. Workaround
+=============
+
+Where possible, singledrop mode may be an alternative.
+
+For sites, where multidrop mode is required, no workaround is known.
+
+
+4. Solution
+===========
+
+Download and install fetchmail 6.3.1 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+The fix has also been backported to the 6.2.5.5 legacy release which is
+available from the same site.
+
+Note however that 6.3.X has very few incompatible changes since 6.2.5.X
+so 6.3.X should be viable for most sites. It is therefore recommended
+that every user and distributor upgrade to 6.3.1 or newer.
+
+
+5. End of life announcement
+===========================
+
+The fetchmail 6.2.5.X branch will be discontinued early in 2006.
+
+The new 6.3.X stable branch has been available since 2005-11-30
+and will not change except for bugfixes, documentation and translations.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2005-03.txt
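Review bot: the second paragraph of section 1 (Background) describes the fetchmailconf Python/Tkinter utility, which plays no role in this advisory; the problem, workaround and solution sections concern only the multidrop header-parsing crash in the fetchmail daemon, so that paragraph looks carried over from an earlier announcement and should be dropped to keep the background scoped to the issue. Two smaller points in the same file: the "Corrected:" list is not in date order (6.3.1-rc1 on 2005-12-18 is listed after 6.3.1 on 2005-12-19), and "For sites, where multidrop mode is required, no workaround is known." has a stray comma after "sites".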