aboutsummaryrefslogtreecommitdiffstats
path: root/website
diff options
context:
space:
mode:
Diffstat (limited to 'website')
-rw-r--r--website/index.html24
-rw-r--r--website/security.html63
2 files changed, 68 insertions, 19 deletions
diff --git a/website/index.html b/website/index.html
index 2cca1f82..f8136dcb 100644
--- a/website/index.html
+++ b/website/index.html
@@ -29,7 +29,8 @@
<a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br>
<a href="design-notes.html">Design Notes</a><br>
<a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">Download</a><br>
- <a href="http://gitorious.org/fetchmail/fetchmail/">Development Code</a><br>
+ <a href="security.html">Security</a><br>
+ <a href="http://gitorious.org/fetchmail/fetchmail/">Development</a><br>
<a href="http://developer.berlios.de/projects/fetchmail/">Project Page</a><br>
<hr>
</div>
@@ -56,24 +57,9 @@
</div>
<div style="background-color:#ffe0c0;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1>
- <p style="font-size:100%">These security issues (listed immediately below) have become
- known to the fetchmail maintainer to the date mentioned above. Note
- that fetchmail 6.2.X and older are no longer supported and contain
- some of the problems mentioned below, even if they aren't mentioned
- in the security announcements:</p>
- <ul>
- <li>CVE-XXXX-XXXX: Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li>
- <li><a name="cve-2009-2666" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li>
- <li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
- <li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
-</ul>
+ <p>These have been moved <a href="security.html">to a separate
+ page (click here for security information)</a> to unclutter the
+ front page.
<p style="font-size:100%"><strong>Please <a
href="http://developer.berlios.de/project/showfiles.php?group_id=1824">update
diff --git a/website/security.html b/website/security.html
new file mode 100644
index 00000000..6825ee22
--- /dev/null
+++ b/website/security.html
@@ -0,0 +1,63 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<link rel="stylesheet" href="sitestyle.css" type="text/css">
+<meta name="description" content="The Fetchmail Project">
+<meta name="keywords" content="fetchmail, pop3, imap, email, mail">
+<meta name="MSSmartTagsPreventParsing" content="TRUE">
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
+<title>Fetchmail</title>
+</head>
+<body>
+<div id="Header">
+<table width="100%" cellpadding="0" summary="Canned page header">
+<tr>
+<td>Fetchmail</td>
+<td align="right"><!-- update date -->2010-02-05</td>
+</tr>
+</table>
+</div>
+
+<div id="Menu">
+ <hr>
+ <a href="index.html" title="Main">Main</a><br>
+ <a href="fetchmail-features.html">Features</a><br>
+ <a href="fetchmail-man.html">Manual</a><br>
+ <a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br>
+ <a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br>
+ <a href="design-notes.html">Design Notes</a><br>
+ <a href="http://developer.berlios.de/project/showfiles.php?group_id=1824">Download</a><br>
+ <a href="http://gitorious.org/fetchmail/fetchmail/">Development Code</a><br>
+ <a href="http://developer.berlios.de/projects/fetchmail/">Project Page</a><br>
+ <hr>
+</div>
+
+<div id="Content">
+
+ <h1>Fetchmail Security Information</h1>
+ <p>These security issues (listed immediately below) have become
+ known to the fetchmail maintainer to the date mentioned above. Note
+ that fetchmail 6.2.X and older are no longer supported and contain
+ some of the problems mentioned below, even if they aren't mentioned
+ in the security announcements:</p>
+ <ul>
+ <li>CVE-XXXX-XXXX: Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li>
+ <li><a name="cve-2009-2666" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li>
+ <li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
+ <li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
+ <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
+</ul>
+
+<p style="font-size:100%"><strong>Please <a
+ href="http://developer.berlios.de/project/showfiles.php?group_id=1824">update
+ to the newest fetchmail version</a>.</strong></p>
+</div>
+</body>
+</html>