X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2005-01.txt;h=754e6dc0545f4b9b816b38fac9b3aee95893770a;hb=cb8d898683ffccdf8de42a5b1236a6cf3cdbb6ce;hp=4a76a74e6e3e2c4cb11c3fa2eeb60c43f30d91a0;hpb=af18c5a62dff6a75ef77f8154d706596ebadd006;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2005-01.txt b/fetchmail-SA-2005-01.txt index 4a76a74e..754e6dc0 100644 --- a/fetchmail-SA-2005-01.txt +++ b/fetchmail-SA-2005-01.txt @@ -1,23 +1,30 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2005-01: security announcement Topic: remote code injection vulnerability in fetchmail Author: Matthias Andree -Version: 1.01 +Version: 1.04 Announced: 2005-07-21 Type: buffer overrun/stack corruption/code injection Impact: account or system compromise possible through malicious or compromised POP3 servers Danger: high: in sensitive configurations, a full system compromise is possible -CVE Name: CAN-2005-2335 + (for 6.2.5.1: denial of service for the whole fetchmail + system is possible) +CVE Name: CVE-2005-2335 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762 http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html + http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html http://www.freebsd.org/cgi/query-pr.cgi?pr=83805 + http://www.heise.de/security/news/meldung/62070 Thanks: Edward J. Shornock (located the bug in UIDL code) Miloslav Trmac (pointed out 6.2.5.1 was faulty) - Ludwig Nussel (provided minimal fix) + Ludwig Nussel (provided minimal correct fix) Affects: fetchmail version 6.2.5.1 (denial of service) fetchmail version 6.2.5 (code injection) 
@@ -25,14 +32,17 @@ Affects: fetchmail version 6.2.5.1 (denial of service) (other versions have not been checked) Not affected: fetchmail 6.2.5.2 - fetchmail 6.2.6-pre6 - fetchmail 6.3.0 (not released yet) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Older versions may not have THIS bug, but had been found to contain other security-relevant bugs. Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) 2005-07-22 fetchmail-patch-6.2.5.2 released + 2005-07-23 fetchmail-6.2.5.2 tarball released + 2005-11-13 fetchmail-6.2.5.4 tarball released + 2005-11-30 fetchmail-6.3.0 tarball released 0. Release history @@ -40,11 +50,19 @@ Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) 2005-07-22 1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy and susceptible to denial of service through single-byte read from 0 when either a Message-ID: - header was empty or the UIDL response did not - contain an URL. + header was empty (in violation of RFC-822/2822) + or the UIDL response did not contain an UID (in + violation of RFC-1939). - Add Credits. - Add 6.2.5.1 failure details to sections 2 and 3 - Revise section 5 and B. +2005-07-26 1.02 - Revise section 0. + - Add FreeBSD VuXML URL for 6.2.5.1. + - Add heise security URL. + - Mention release of 6.2.5.2 tarball. +2005-10-27 1.03 - Update CVE Name after CVE naming change +2005-12-08 1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected" + - remove patch information 1. Background 
@@ -83,23 +101,10 @@ No reasonable workaround can be offered at this time. 5. Solution -Upgrade your fetchmail package to version 6.2.5.2. - -This requires the download of the fetchmail-6.2.5.tar.gz tarball and the -fetchmail-patch-6.2.5.2.gz from BerliOS: +Upgrade your fetchmail package to version 6.3.0 or newer. -To use the patch: - - 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already - had downloaded) and fetchmail-patch-6.2.5.2.tar.gz - 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf - - 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz - 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2 - 5. now configure and build as usual - detailed instructions in the file - named "INSTALL". - A. References fetchmail home page: @@ -109,13 +114,27 @@ B. Copyright, License and Warranty (C) Copyright 2005 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2005-01.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVgGgCfer/s64xaU71GiAQ6bpu5Lrei +ysgAnj2MQhFOxIzzw7V9qyp095NotaOO +=uLfy +-----END PGP SIGNATURE-----
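Review bot: In the first hunk (@@ -1,23 +1,30 @@) the added continuation of the Danger field, "(for 6.2.5.1: denial of service for the whole fetchmail system is possible)", is vague about what actually fails: the 1.01 release-history entry in the same patch says the 6.2.5.1 defect is a single-byte read from address 0, i.e. the fetchmail process crashes. Suggest stating that plainly, e.g. "for 6.2.5.1: a malicious or compromised server can crash fetchmail (denial of service)", and attaching it to the 6.2.5.1 entry under Affects, where "(denial of service)" already appears, rather than leaving it as an unlabelled continuation line that a reader skimming the header cannot tell apart from the Danger rating for 6.2.5.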
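Review bot: In the second hunk (@@ -25,14 +32,17 @@) the new "Not affected" list jumps from 6.2.5.2 to 6.2.5.4 and stops at 6.3.0, while the Solution hunk says "6.3.0 or newer"; a reader running 6.2.5.3 or 6.3.1 cannot tell from this list whether they are affected. Either say so explicitly ("fetchmail 6.2.5.2 and later 6.2.5.x", "fetchmail 6.3.0 and newer") or note why 6.2.5.3 is omitted. The Corrected list still references fetchmail-patch-6.2.5.2, which is fine as history, but since the Solution hunk deletes every instruction for using that patch, add a note that the 6.2.5.2/6.2.5.4 tarballs supersede it.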
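Review bot: In the third hunk (@@ -40,11 +50,19 @@) the reworded 1.01 entry, "did not contain an UID", should read "a UID"; and the two added parentheticals "(in violation of RFC-822/2822)" and "(in violation of RFC-1939)" read as if non-conforming input were out of scope, when the Impact line says the attacker is a malicious or compromised POP3 server, which is exactly a peer that sends non-conforming input. Suggest wording that keeps the point while making the exposure clear, e.g. "header was empty (forbidden by RFC-822/2822, but a hostile server can send it)". Minor style point in the new 1.04 entry: "- remove patch information" is the only history item starting lowercase; capitalise it to match the others.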
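Review bot: In the fourth hunk (@@ -83,23 +101,10 @@) replacing the whole Solution section with "Upgrade your fetchmail package to version 6.3.0 or newer." drops all guidance for users who cannot move off the 6.2.5 line, even though the patch itself still lists 6.2.5.2 and 6.2.5.4 as not affected; suggest keeping one line such as "If you must stay on 6.2.5.x, upgrade to 6.2.5.4 or later." The deleted text also named BerliOS as the download source and gave the unpack/patch steps; the replacement names no source at all. For an advisory about remote code injection, tell readers where to fetch the tarball and how to verify it (the signature or checksum published alongside it) before building, since a tampered replacement download is the obvious way to turn this upgrade advice against them.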
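Review bot: In the last hunk (@@ -109,13 +114,27 @@) the relicensing from CC BY-NC-ND 2.0 Germany to CC BY-ND 3.0 Germany and the addition of a PGP clearsign signature are substantive changes to the document, yet the header is bumped only to 1.04 and the release history added in the third hunk ends at the 1.04 entry ("remove patch information") with no mention of either; add a 1.05 entry recording the license change and the signing, with its date. Two caveats on the signature itself: the "Hash: SHA1" armor header from the first hunk together with "Version: GnuPG v1.4.11" means the clearsign uses a SHA-1 digest, which is no longer an acceptable signature hash, so re-sign with a key and configuration that yield SHA-256 (e.g. `personal-digest-preferences SHA256` in gpg.conf); and because the signature covers the exact text, every later edit to this file, including the wording and grammar fixes raised above, invalidates it, so sign the final text last and have readers trust the creation timestamp that `gpg --verify` reports rather than the 2005 dates in the header.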