From 71afdc215eaa15ffc6e6ec7a60390bd2b66d84e7 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 29 Oct 2005 14:03:35 +0000 Subject: Clean up SECURITY FIXES section. svn path=/trunk/; revision=4371 --- NEWS | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index a794a196..bb06e1b0 100644 --- a/NEWS +++ b/NEWS @@ -9,15 +9,15 @@ Abbreviations: MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk) fetchmail 6.3.0 (not yet released officially): -# SECURITY FIX -* The POP3 UIDL code doesn't sufficiently validate/truncate the input +# SECURITY FIXES IN THIS RELEASE +* CVE-2005-2335: The POP3 UIDL code doesn't sufficiently validate/truncate the input length, so a (malicious or compromised) server that sends UIDs longer than 128 bytes can corrupt fetchmail's stack and crash fetchmail. This vulnerability is remotely exploitable to inject code run in a - root shell. This is tracked under the CVE Name: CAN-2005-2335 -* fetchmailconf now changes the output file to mode 0600 BEFORE writing to it, - so there is no window where passwords could be read by the world. - Matthias Andree. + root shell. Edward J. Shornock, Ludwig Nussel. fetchmail-SA-2005-01.txt +* CVE-2005-3088: fetchmailconf now changes the output file to mode 0600 BEFORE + writing to it, so there is no window where passwords could be read by the + world. Matthias Andree. fetchmail-SA-2005-02.txt # MAJOR INCOMPATIBLE CHANGES * Remove support for --netsec/-T options, the required inet6_apps library is no -- cgit v1.2.3