X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2005-01.txt;h=754e6dc0545f4b9b816b38fac9b3aee95893770a;hb=f16d8d23439b5569f0c2e1af22494708b507f277;hp=753234e2ada5e1b7f4214f2117b05019bd05dc3e;hpb=2839204e8160dc13d57e861fe0374410cebd3de2;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2005-01.txt b/fetchmail-SA-2005-01.txt index 753234e2..754e6dc0 100644 --- a/fetchmail-SA-2005-01.txt +++ b/fetchmail-SA-2005-01.txt @@ -1,9 +1,12 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2005-01: security announcement Topic: remote code injection vulnerability in fetchmail Author: Matthias Andree -Version: 1.03 +Version: 1.04 Announced: 2005-07-21 Type: buffer overrun/stack corruption/code injection Impact: account or system compromise possible through malicious @@ -29,8 +32,8 @@ Affects: fetchmail version 6.2.5.1 (denial of service) (other versions have not been checked) Not affected: fetchmail 6.2.5.2 - fetchmail 6.2.6-pre7 - fetchmail 6.3.0 (not released yet) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Older versions may not have THIS bug, but had been found to contain other security-relevant bugs. @@ -38,6 +41,8 @@ Not affected: fetchmail 6.2.5.2 Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) 2005-07-22 fetchmail-patch-6.2.5.2 released 2005-07-23 fetchmail-6.2.5.2 tarball released + 2005-11-13 fetchmail-6.2.5.4 tarball released + 2005-11-30 fetchmail-6.3.0 tarball released 0. Release history @@ -56,6 +61,8 @@ Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157) - Add heise security URL. - Mention release of 6.2.5.2 tarball. 2005-10-27 1.03 - Update CVE Name after CVE naming change +2005-12-08 1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected" + - remove patch information 1. Background 
@@ -94,24 +101,10 @@ No reasonable workaround can be offered at this time. 5. Solution -Upgrade your fetchmail package to version 6.2.5.2. - -You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz, -or you can download a patch against fetchmail-6.2.5 if you already have -the 6.2.5 tarball. Either is available from: +Upgrade your fetchmail package to version 6.3.0 or newer. -To use the patch: - - 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already - had downloaded) and fetchmail-patch-6.2.5.2.tar.gz - 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf - - 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz - 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2 - 5. now configure and build as usual - detailed instructions in the file - named "INSTALL". - A. References fetchmail home page: @@ -121,13 +114,27 @@ B. Copyright, License and Warranty (C) Copyright 2005 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2005-01.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVgGgCfer/s64xaU71GiAQ6bpu5Lrei +ysgAnj2MQhFOxIzzw7V9qyp095NotaOO +=uLfy +-----END PGP SIGNATURE-----
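Review bot: In the first hunk (@@ -1,9 +1,12 @@) the new clearsign header declares "Hash: SHA1", which is a weak digest for a security advisory that readers are expected to verify. Consider re-signing with a stronger digest such as SHA-256. Because the signature is embedded in the tracked file, any later edit to the advisory text, including a further version bump, invalidates it and requires a fresh signature in the same commit.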
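Review bot: The 1.04 entry added to the release history (@@ -56,6 +61,8 @@) records only the "not affected" releases and the removal of the patch information. The same change also switches the license from Attribution-NonCommercial-NoDerivs 2.0 to CC BY-ND 3.0 and turns the file into a PGP-signed message. Both are material changes for anyone redistributing or verifying the advisory and should be listed under 1.04, or split into a separate revision with its own history entry.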
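Review bot: Section 5 (@@ -94,24 +101,10 @@) now recommends only "version 6.3.0 or newer", while the header's "Not affected" list in the same patch still names 6.2.5.2 and 6.2.5.4. Either state that 6.2.5.4 is also an acceptable fix for users staying on the 6.2.5 branch, or say why the 6.2.5.x releases are no longer recommended, so the two sections do not disagree. Removing the "Either is available from:" line also leaves the Solution section without any download pointer; a reference to the fetchmail home page listed in section A would close that gap.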