From dbb3ce17820b05b993ca1f85e62ec303290ba7e8 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Tue, 20 Apr 2010 10:10:31 +0200 Subject: Add CVE name. Fix Type: (spotted by Florian Weimer.) --- NEWS | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 009dccea..13e4ccea 100644 --- a/NEWS +++ b/NEWS @@ -55,12 +55,13 @@ removed from a 6.4.0 or newer release.) fetchmail-6.3.17 (not yet released): # SECURITY FIX -* Fetchmail before release 6.3.17 did not properly sanitize external input - (mail headers and UID). When a multi-character locale (such as UTF-8) was in use, - this could cause memory exhaustion and thus a denial of service, because - fetchmail's report.c functions assumed that non-success of [v]snprintf was - due to insufficient buffer size allocation. It would then repeatedly reallocate - a larger buffer and fail formatting again. See fetchmail-SA-2010-02.txt. +* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize + external input (mail headers and UID). When a multi-character locale (such as + UTF-8) was in use, this could cause memory exhaustion and thus a denial of + service, because fetchmail's report.c functions assumed that non-success of + [v]snprintf was due to insufficient buffer size allocation. It would then + repeatedly reallocate a larger buffer and fail formatting again. + See fetchmail-SA-2010-02.txt. # FEATURES * Fetchmail now supports a --sslcertfile option to specify a "CA bundle" -- cgit v1.2.3