From 426f2178ed497b2156aa053639bd7ffc1b2f4948 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 27 Nov 2008 12:39:58 +0000 Subject: Provide Security Alerts as a list, add intro, update solution. svn path=/branches/BRANCH_6-3/; revision=5253 --- website/index.html | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'website/index.html') diff --git a/website/index.html b/website/index.html index 6d51ee7c..0405f755 100644 --- a/website/index.html +++ b/website/index.html @@ -64,17 +64,24 @@ href="http://mandree.home.pages.de/fetchmail/">fetchmail-6.3.6-rc5 was released<

SECURITY ALERTS

-

CVE-2008-2711: Fetchmail can crash in verbose mode when logging long message headers. This bug will be fixed in release 6.3.9. For the nonce, use the patch contained in the security announcement.

-

CVE-2007-4565: Fetchmail can crash when the SMTP server refuses a warning message generated by fetchmail. This bug was introduced in fetchmail 4.6.8 and will be fixed in release 6.3.9. For the nonce, use the patch contained in this security announcement.

-

CVE-2007-1558: Fetchmail's APOP client was found to validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be. This bug was long-standing, fetchmail 6.3.8 validates the APOP challenge stricter.

-

CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.

-

CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.

-

CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.

-

CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.

-

CVE-2005-3088: Fetchmailconf was found to open the configuration files world-readable, writing data to them, and only then tightening up permissions, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.

-

CVE-2005-2335: Fetchmail was found to contain a remotely exploitable code injection vulnerability (potentially privileged code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)

- -

Please update to fetchmail version 6.3.8 and apply the two patches from the security announcements CVE-2007-4565 and CVE-2008-2711 above.

+

These security issues (listed immediately below) have become + known to the fetchmail maintainer to the date mentioned above. Note + that fetchmail 6.2.X and older are no longer supported and contain + some of the problems mentioned below, even if they aren't mentioned + in the security announcements:

+ + +

Please update to fetchmail version 6.3.9.

-- cgit v1.2.3