+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2005-02: security announcement
Topic: password exposure in fetchmailconf
Author: Matthias Andree
-Version: 1.01
+Version: 1.03
Announced: 2005-10-21
Type: insecure creation of file
Impact: passwords are written to a world-readable file
Danger: medium
Credits: Thomas Wolff, Miloslav Trmac for pointing out
that fetchmailconf 1.43.1 was also flawed
-CVE Name: CAN-2005-3088
+CVE Name: CVE-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmailconf 1.43.1 (shipped separately, now withdrawn)
(other versions have not been checked but are presumed affected)
-Not affected: fetchmail 6.2.9-rc6
- fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
- fetchmailconf 1.49 (shipped with 6.2.9-rc6)
- fetchmail 6.3.0 (not released yet)
+Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
+ fetchmail 6.2.5.4
+ fetchmail 6.3.0
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
2005-10-21 - released fetchmailconf-1.43.2
- 2005-10-21 - released fetchmail 6.2.9-rc6
+ 2005-11-13 - released fetchmail 6.2.5.4
+ 2005-11-30 - released fetchmail 6.3.0
0. Release history
==================
-2005-10-21 1.00 (shipped with -rc6)
-2005-10-21 1.01 (marked 1.43.1 vulnerable, revised section 4,
- added Credits)
+2005-10-21 1.00 - initial version (shipped with -rc6)
+2005-10-21 1.01 - marked 1.43.1 vulnerable
+ - revised section 4
+ - added Credits
+2005-10-27 1.02 - reformatted section 0
+ - updated CVE Name to new naming scheme
+2005-12-08 1.03 - update version information and solution
1. Background
=============
4. Solution
===========
-For users of fetchmail-6.2.5.2:
--------------------------------
-Download fetchmailconf-1.43.2.gz from fetchmail's project site
-<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
-gunzip it, then replace your existing fetchmailconf with it.
-
-For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
----------------------------------------------------------
-update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.
-<https://developer.berlios.de/project/showfiles.php?group_id=1824>
+Download and install fetchmail 6.3.0 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.
A. References
=============
(C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-NonCommercial-NoDerivs German License. To view a copy of
-this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
-or send a letter to Creative Commons; 559 Nathan Abbott Way;
-Stanford, California 94305; USA.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+
+Creative Commons
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
+USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END OF fetchmail-SA-2005-02.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy
+4rgAn037UM4pEf7E94HZQOmGUR//pM6q
+=q8j6
+-----END PGP SIGNATURE-----