From 7abc9f46c5cd759ac37d3e0ff442c9aa555e74e0 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 19 Dec 2005 10:41:26 +0000 Subject: Add fetchmail-SA-2005-03.txt. svn path=/branches/BRANCH_6-3/; revision=4577 --- Makefile.am | 3 +- fetchmail-SA-2005-03.txt | 113 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 fetchmail-SA-2005-03.txt diff --git a/Makefile.am b/Makefile.am index 2d234b77..dc0c365f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -101,7 +101,8 @@ DISTDOCS= BUGS FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ README.packaging \ fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ fetchmail-SA-2005-01.txt \ - fetchmail-SA-2005-02.txt + fetchmail-SA-2005-02.txt \ + fetchmail-SA-2005-03.txt # extra directories to ship distdirs = rh-config contrib beos diff --git a/fetchmail-SA-2005-03.txt b/fetchmail-SA-2005-03.txt new file mode 100644 index 00000000..f8fb3448 --- /dev/null +++ b/fetchmail-SA-2005-03.txt 
@@ -0,0 +1,113 @@ +fetchmail-SA-2005-03: security announcement + +Topics: #1 crash retrieving headerless message in multidrop mode + #2 fetchmail 6.2.5.X end of life + +Author: Matthias Andree +Version: 1.00 +Announced: 2005-12-19 +Type: null pointer dereference +Impact: fetchmail crashes +Danger: low +Credits: Daniel Drake, Gentoo (bug report) + Sunil Shetye (bug fix) +CVE Name: CVE-2005-4348 +URL: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt + http://article.gmane.org/gmane.mail.fetchmail.user/7573 + http://bugs.debian.org/343836 +Project URL: http://fetchmail.berlios.de/ + +Affects: fetchmail version 6.2.5.4 + fetchmail version 6.3.0 + +Not affected: fetchmail 6.3.1 + fetchmail 6.2.5.5 + other versions not mentioned here or in the previous + sections have not been checked + +Corrected: 2005-12-19 - released fetchmail 6.3.1 + 2005-12-18 - released fetchmail 6.3.1-rc1 + 2005-12-19 - released fetchmail 6.2.5.5 + + +0. Release history +================== + +2005-12-19 1.00 - initial version + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +Fetchmail contains a bug that causes an application crash when fetchmail +is configured for multidrop mode and the upstream mail server sends a +message without headers. As fetchmail does not record this message as +"previously fetched", it will crash with the same message if it is +re-executed, so it cannot make progress. A malicious or broken-into +upstream server could thus cause a denial of service in fetchmail +clients. 
+ +Note that such messages are not RFC-822 conformant, so if the server has +not been tampered with, the server software is faulty. + + +3. Workaround +============= + +Where possible, singledrop mode may be an alternative. + +For sites, where multidrop mode is required, no workaround is known. + + +4. Solution +=========== + +Download and install fetchmail 6.3.1 or a newer stable release from +fetchmail's project site at +. + +The fix has also been backported to the 6.2.5.5 legacy release which is +available from the same site. + +Note however that 6.3.X has very few incompatible changes since 6.2.5.X +so 6.3.X should be viable for most sites. It is therefore recommended +that every user and distributor upgrade to 6.3.1 or newer. + + +5. End of life announcement +=========================== + +The fetchmail 6.2.5.X branch will be discontinued early in 2006. + +The new 6.3.X stable branch has been available since 2005-11-30 +and will not change except for bugfixes, documentation and translations. + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2005 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END OF fetchmail-SA-2005-03.txt -- cgit v1.2.3
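Review bot: In section 4 of the new advisory, the sentence "Download and install fetchmail 6.3.1 or a newer stable release from fetchmail's project site at ." ends with nothing after "at", and the copyright line in section A, "(C) Copyright 2005 by Matthias Andree, .", likewise has an empty spot where a contact address belongs; as rendered here the advisory is incomplete as plain text, so spell out the project URL (http://fetchmail.berlios.de/, already given in the "Project URL" header) and the address, or drop the trailing ", ." if no address is intended. Also, the second paragraph of section 1 describes the fetchmailconf Python/Tkinter utility, which plays no part in the multidrop null-pointer-dereference this advisory covers; removing it would keep the background focused on the affected code path. Minor: "For sites, where multidrop mode is required" has a stray comma after "sites", and the "Corrected:" list would read more naturally in chronological order (6.3.1-rc1 on 2005-12-18 before 6.3.1 and 6.2.5.5 on 2005-12-19).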