Topic: remote code injection vulnerability in fetchmail
Author: Matthias Andree
-Version: 1.03
+Version: 1.04
Announced: 2005-07-21
Type: buffer overrun/stack corruption/code injection
Impact: account or system compromise possible through malicious
(other versions have not been checked)
Not affected: fetchmail 6.2.5.2
- fetchmail 6.2.6-pre7
- fetchmail 6.3.0 (not released yet)
+ fetchmail 6.2.5.4
+ fetchmail 6.3.0
Older versions may not have THIS bug, but had been found
to contain other security-relevant bugs.
Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
2005-07-22 fetchmail-patch-6.2.5.2 released
2005-07-23 fetchmail-6.2.5.2 tarball released
+ 2005-11-13 fetchmail-6.2.5.4 tarball released
+ 2005-11-30 fetchmail-6.3.0 tarball released
0. Release history
- Add heise security URL.
- Mention release of 6.2.5.2 tarball.
2005-10-27 1.03 - Update CVE Name after CVE naming change
+2005-12-08 1.04 - Mention 6.2.5.4 and 6.3.0 releases "not affected"
+ - remove patch information
1. Background
5. Solution
-Upgrade your fetchmail package to version 6.2.5.2.
-
-You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz,
-or you can download a patch against fetchmail-6.2.5 if you already have
-the 6.2.5 tarball. Either is available from:
+Upgrade your fetchmail package to version 6.3.0 or newer.
<http://developer.berlios.de/project/showfiles.php?group_id=1824>
-To use the patch:
-
- 1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
- had downloaded) and fetchmail-patch-6.2.5.2.tar.gz
- 2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
- 3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz
- 4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2
- 5. now configure and build as usual - detailed instructions in the file
- named "INSTALL".
-
A. References
fetchmail home page: <http://fetchmail.berlios.de/>
Topic: password exposure in fetchmailconf
Author: Matthias Andree
-Version: 1.02
+Version: 1.03
Announced: 2005-10-21
Type: insecure creation of file
Impact: passwords are written to a world-readable file
fetchmailconf 1.43.1 (shipped separately, now withdrawn)
(other versions have not been checked but are presumed affected)
-Not affected: fetchmail 6.2.9-rc6
- fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
- fetchmailconf 1.49 (shipped with 6.2.9-rc6)
- fetchmail 6.3.0 (not released yet)
+Not affected: fetchmailconf 1.43.2 (use this for fetchmail-6.2.5.2)
+ fetchmail 6.2.5.4
+ fetchmail 6.3.0
Corrected: 2005-09-28 01:14 UTC (SVN) - committed bugfix (r4351)
2005-10-21 - released fetchmailconf-1.43.2
- 2005-10-21 - released fetchmail 6.2.9-rc6
+ 2005-11-13 - released fetchmail 6.2.5.4
+ 2005-11-30 - released fetchmail 6.3.0
0. Release history
==================
- added Credits
2005-10-27 1.02 - reformatted section 0
- updated CVE Name to new naming scheme
+2005-12-08 1.03 - update version information and solution
1. Background
=============
4. Solution
===========
-For users of fetchmail-6.2.5.2:
--------------------------------
-Download fetchmailconf-1.43.2.gz from fetchmail's project site
-<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>,
-gunzip it, then replace your existing fetchmailconf with it.
-
-For users of fetchmail-6.2.6* or 6.2.9* before 6.2.9-rc6:
----------------------------------------------------------
-update to the latest fetchmail-devel package, 6.2.9-rc6 on 2005-10-21.
-<https://developer.berlios.de/project/showfiles.php?group_id=1824>
+Download and install fetchmail 6.3.0 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.
A. References
=============
projects / ~andy / fetchmail / commitdiff