X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2005-02.txt;h=d46275e2de654bc964703ec9c7975fac1ff0548a;hb=f6c7034fdbeb25d7d8eb0e62c0fe5de563eb7b55;hp=68131d638e24dfde60252bab683a3672ba838b6a;hpb=92fd7b20390af30051fc4bb87e222cf389948dd3;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2005-02.txt b/fetchmail-SA-2005-02.txt index 68131d63..d46275e2 100644 --- a/fetchmail-SA-2005-02.txt +++ b/fetchmail-SA-2005-02.txt @@ -1,16 +1,19 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2005-02: security announcement Topic: password exposure in fetchmailconf Author: Matthias Andree -Version: 1.01 +Version: 1.03 Announced: 2005-10-21 Type: insecure creation of file Impact: passwords are written to a world-readable file Danger: medium Credits: Thomas Wolff, Miloslav Trmac for pointing out that fetchmailconf 1.43.1 was also flawed -CVE Name: CAN-2005-3088 +CVE Name: CVE-2005-3088 URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt Affects: fetchmail version 6.2.5.2 
@@ -20,21 +23,25 @@ Affects: fetchmail version 6.2.5.2 fetchmailconf 1.43.1 (shipped separately, now withdrawn) (other versions have not been checked but are presumed affected) -Not affected: fetchmail 6.2.9-rc6 - fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) - fetchmailconf 1.49 (shipped with 6.2.9-rc6) - fetchmail 6.3.0 (not released yet) +Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2) + fetchmail 6.2.5.4 + fetchmail 6.3.0 Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351) 2005-10-21 - released fetchmailconf-1.43.2 - 2005-10-21 - released fetchmail 6.2.9-rc6 + 2005-11-13 - released fetchmail 6.2.5.4 + 2005-11-30 - released fetchmail 6.3.0 0. Release history ================== -2005-10-21 1.00 (shipped with -rc6) -2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4, - added Credits) +2005-10-21 1.00 - initial version (shipped with -rc6) +2005-10-21 1.01 - marked 1.43.1 vulnerable + - revised section 4 + - added Credits +2005-10-27 1.02 - reformatted section 0 + - updated CVE Name to new naming scheme +2005-12-08 1.03 - update version information and solution 1. Background ============= @@ -65,16 +72,9 @@ fetchmailconf has finished, you can restore your old umask. 4. Solution =========== -For users of fetchmail-6.2.5.2: -------------------------------- -Download fetchmailconf-1.43.2.gz from fetchmail's project site -, -gunzip it, then replace your existing fetchmailconf with it. - -For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6: ---------------------------------------------------------- -update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21. - +Download and install fetchmail 6.3.0 or a newer stable release from +fetchmail's project site at +. A. References ============= 
@@ -87,13 +87,27 @@ B. Copyright, License and Warranty (C) Copyright 2005 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2005-02.txt +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy +4rgAn037UM4pEf7E94HZQOmGUR//pM6q +=q8j6 +-----END PGP SIGNATURE-----
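Review bot: In the first hunk (@@ -1,16 +1,19 @@), the added clearsign header declares "Hash: SHA1". SHA-1 is no longer collision resistant, so it is a weak integrity anchor for a security advisory; re-sign with SHA-256 or a stronger digest. Because the armor is committed as part of the file, any later text edit must be re-signed in the same commit or the signature will no longer verify.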
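Review bot: In the second hunk (@@ -20,21 +23,25 @@), the "Not affected" and "Corrected" lists drop fetchmail 6.2.9-rc6 and fetchmailconf 1.49 without replacement, so under "(other versions have not been checked but are presumed affected)" a reader on 6.2.9-rc6 now falls into the presumed-affected group even though the removed lines listed it as fixed. Either keep the rc6 entries or add a line saying the 6.2.9 release candidates are superseded by 6.3.0. The 1.00 history entry still says "(shipped with -rc6)", which no longer has a referent elsewhere in the file. Minor style point: the 1.03 history entry uses "update" where the other entries use past tense ("marked", "revised", "updated").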
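Review bot: In the Solution hunk (@@ -65,16 +72,9 @@), the instructions for obtaining fetchmailconf-1.43.2 are removed, but the header still lists "fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)" as a fix, and "fetchmail 6.2.5.4" is listed as not affected while section 4 only names 6.3.0 or newer. Section 4 and the header should give the same advice: either keep a one-line pointer for users who stay on the 6.2.5.x branch, or remove the "(use this for fetchmail-6.2.5.2)" hint from the header.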
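Review bot: In the last hunk (@@ -87,13 +87,27 @@), the license changes from Attribution-NonCommercial-NoDerivs to Attribution-NoDerivs 3.0, but the release history in section 0 has no entry for it; the 1.03 entry only says "update version information and solution". A license change alters the redistribution terms of the advisory and should get its own dated history entry and version bump, so that the signed text documents when the terms changed.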