Fedora Legacy Test Update Notification: fetchmail

Marc Deslauriers marcdeslauriers at videotron.ca
Wed Mar 29 00:39:03 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-164512
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164512
2006-03-28
---------------------------------------------------------------------

Name        : fetchmail
Versions    : rh73: fetchmail-5.9.0-21.7.3.2.legacy
Versions    : rh9: fetchmail-6.2.0-3.4.legacy
Versions    : fc1: fetchmail-6.2.0-8.2.legacy
Versions    : fc2: fetchmail-6.2.5-2.2.legacy
Summary     : A remote mail retrieval and forwarding utility.
Description :
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

---------------------------------------------------------------------
Update Information:

Updated fetchmail packages that fix security flaws are now available.

Fetchmail is a remote mail retrieval and forwarding utility.

A bug was found in the way fetchmail allocates memory for long lines. A
remote attacker could cause a denial of service by sending a specially-
crafted email. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2003-0792 to this issue.

A buffer overflow was discovered in fetchmail's POP3 client. A malicious
server could send a carefully crafted message UID and cause fetchmail to
crash or potentially execute arbitrary code as the user running
fetchmail. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-2355 to this issue.
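
Both of the flaws above come from trusting what the server sends: an
unbounded line and an unbounded message UID. The following is an added
example, not fetchmail's code, of a POP3 UIDL reader that caps the line
length before buffering and validates every unique-id against the limits
RFC 1939 section 7 states (1 to 70 characters in the range 0x21..0x7E).
The line cap of 4096 bytes is an assumption chosen for the illustration,
and the sample responses are constructed.

```python
# Added example (not fetchmail code): a POP3 UIDL reader that treats the server
# as untrusted. MAX_LINE is an assumed cap chosen here; MAX_UID_LEN and the
# byte range are the limits RFC 1939 section 7 states for a unique-id.
from typing import BinaryIO
import io

MAX_LINE = 4096      # assumed: longest single response line we are willing to buffer
MAX_UID_LEN = 70     # RFC 1939: a unique-id is 1 to 70 characters in 0x21..0x7E


class ProtocolError(Exception):
    """Raised for any server response that violates the limits below."""


def read_line(stream: BinaryIO, max_len: int = MAX_LINE) -> bytes:
    """Read one line, never buffering more than max_len bytes.

    readline(max_len) returns at most max_len bytes; a result without a
    trailing newline means the line was longer than that (or the peer hung
    up), so a server sending an endless line cannot make us allocate without
    bound.
    """
    line = stream.readline(max_len)
    if not line.endswith(b"\n"):
        raise ProtocolError("line longer than %d bytes or connection closed" % max_len)
    return line.rstrip(b"\r\n")


def parse_uidl_entry(line: bytes) -> tuple[int, str]:
    """Validate one 'msgnum unique-id' entry before it is stored or compared."""
    parts = line.split(b" ")
    if len(parts) != 2:
        raise ProtocolError("malformed UIDL entry: %r" % line)
    num, uid = parts
    if not num.isdigit() or int(num) == 0:
        raise ProtocolError("bad message number: %r" % num)
    if not 1 <= len(uid) <= MAX_UID_LEN:
        raise ProtocolError("unique-id length %d outside 1..%d" % (len(uid), MAX_UID_LEN))
    if any(b < 0x21 or b > 0x7E for b in uid):
        raise ProtocolError("unique-id contains a byte outside 0x21..0x7E")
    return int(num), uid.decode("ascii")


def parse_uidl_response(raw: bytes) -> dict[int, str]:
    """Consume a whole multi-line UIDL response: '+OK', entries, then '.' alone."""
    stream = io.BytesIO(raw)
    status = read_line(stream)
    if not status.startswith(b"+OK"):
        raise ProtocolError("server replied %r" % status)
    uids: dict[int, str] = {}
    while True:
        line = read_line(stream)
        if line == b".":
            return uids
        if line.startswith(b".."):
            line = line[1:]          # undo RFC 1939 section 3 byte-stuffing
        num, uid = parse_uidl_entry(line)
        if num in uids:
            raise ProtocolError("duplicate message number %d" % num)
        uids[num] = uid


def is_rejected(raw: bytes) -> bool:
    """True when the response is refused rather than acted on."""
    try:
        parse_uidl_response(raw)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample responses: the first is well-formed (UIDs taken from
    # RFC 1939's own example), the other two come from a hostile server.
    ok = b"+OK\r\n1 whqtswO00WBw418f9t5JxYwZ\r\n2 QhdPYR:00WBw1Ph7x7\r\n.\r\n"
    print(parse_uidl_response(ok))
    print(is_rejected(b"+OK\r\n1 " + b"A" * 71 + b"\r\n.\r\n"))      # overlong UID
    print(is_rejected(b"+OK\r\n1 " + b"A" * 10000 + b"\r\n.\r\n"))   # overlong line
```

The point is where the checks sit: the length limit is enforced by the
reader before any copy into a fixed-size structure, and a violation ends
the session with a protocol error instead of being passed on to the
UID-comparison code.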

A bug was found in the way the fetchmailconf utility program writes
configuration files. The default behavior of fetchmailconf is to write a
configuration file which may be world readable for a short period of
time. This configuration file could provide passwords to a local
malicious attacker within the short window before fetchmailconf sets
secure permissions. The Common Vulnerabilities and Exposures project has
assigned the name CVE-2005-3088 to this issue.
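
The window described above exists because the file is created with the
process umask and only then tightened. The following is an added example,
not fetchmailconf's code, showing that pattern next to one that never
exposes the password: the data goes into a temporary file that mkstemp()
creates with mode 0600, and os.replace() swaps it into place atomically.
The umask value, file names and sample configuration line are constructed
for the illustration and assume a POSIX system.

```python
# Added example (not fetchmailconf's code): write-then-chmod versus creating
# the file private from the first byte. SAMPLE_RC and the umask are constructed.
import os
import stat
import tempfile

SAMPLE_RC = 'poll mail.example.org proto pop3 user "alice" password "hunter2"\n'  # constructed


def write_rc_then_chmod(path: str, content: str) -> tuple[int, int]:
    """Vulnerable pattern: the file is born with 0666 & ~umask (usually 0644)
    and only tightened afterwards. Returns (mode during the window, final mode)."""
    with open(path, "w") as f:
        f.write(content)
        f.flush()
        window_mode = stat.S_IMODE(os.stat(path).st_mode)   # what another user sees meanwhile
    os.chmod(path, 0o600)                                    # too late: the password was readable
    return window_mode, stat.S_IMODE(os.stat(path).st_mode)


def write_rc_private(path: str, content: str) -> tuple[int, int]:
    """Fixed pattern: mkstemp() creates the temporary file with mode 0600 (umask
    can only clear bits, never add them); the content is written there and
    os.replace() swaps it in atomically, so no reader ever sees a world-readable
    or half-written configuration file."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".fetchmailrc.", dir=dirname)
    try:
        window_mode = stat.S_IMODE(os.stat(tmp).st_mode)     # already 0600
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return window_mode, stat.S_IMODE(os.stat(path).st_mode)


def demo(umask: int = 0o022) -> dict[str, tuple[int, int]]:
    """Run both writers under the given umask in a scratch directory."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            return {
                "then_chmod": write_rc_then_chmod(os.path.join(d, "rc_racy"), SAMPLE_RC),
                "private": write_rc_private(os.path.join(d, "rc_safe"), SAMPLE_RC),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for name, (during, after) in demo().items():
        print("%-10s during write: %04o   after: %04o" % (name, during, after))
```

Under the usual umask of 022 the first writer reports 0644 during the
window and 0600 afterwards; the second reports 0600 at both points. A
umask of 077 would also close the window for the first writer, but that
depends on every user's environment rather than on the program, which is
why the fix belongs in the creation call.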

A bug was found when fetchmail is running in multidrop mode. A malicious
mail server can cause a denial of service by sending a message without
headers. The Common Vulnerabilities and Exposures project has assigned
the name CVE-2005-4348 to this issue.
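
In multidrop mode the local recipient is derived from the message headers,
so a message with no header block at all is the edge case that has to be
handled before any header is consulted. The following is an added example,
not fetchmail's code, of a header/body splitter that yields an empty header
list for such a message and a simplified recipient selection that falls
back to a default local user instead of dereferencing a header that is not
there. The local domain, default user and sample messages are constructed,
and the set of headers consulted is an assumption for the illustration.

```python
# Added example (not fetchmail code): tolerate a message with no headers in a
# multidrop-style recipient lookup. Domain, default user, header set and the
# sample messages are constructed for the illustration.
import re

ADDR_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")   # deliberately loose

# Assumed: the headers this simplified lookup consults for local recipients.
RECIPIENT_HEADERS = (b"to", b"cc", b"bcc", b"resent-to", b"resent-cc",
                     b"apparently-to", b"delivered-to")


def split_message(raw: bytes) -> tuple[list[tuple[bytes, bytes]], bytes]:
    """Return ([(name, value), ...], body). Headers end at the first empty line;
    a message that starts with an empty line, or whose first line is not
    'Name: value', has no header block and is treated as all body."""
    headers: list[tuple[bytes, bytes]] = []
    lines = raw.split(b"\n")
    i = 0
    while i < len(lines):
        line = lines[i].rstrip(b"\r")
        if line == b"":
            i += 1                      # blank separator: body starts after it
            break
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]   # unfold a continuation line
            headers[-1] = (name, value + b" " + line.strip())
        elif b":" in line and not line[:1].isspace():
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
        else:
            break                       # not a header line: the rest is body
        i += 1
    body = b"\n".join(lines[i:])
    return headers, body


def multidrop_recipients(headers: list[tuple[bytes, bytes]],
                         local_domain: bytes, default_user: str) -> list[str]:
    """Collect local users from the recipient headers; with none usable (including
    the no-headers case) deliver to default_user rather than failing."""
    found: list[str] = []
    for name, value in headers:
        if name not in RECIPIENT_HEADERS:
            continue
        for addr in ADDR_RE.findall(value):
            user, _, domain = addr.partition(b"@")
            if domain.lower() == local_domain.lower():
                u = user.decode("ascii").lower()
                if u not in found:
                    found.append(u)
    return found or [default_user]


def route(raw: bytes, local_domain: bytes = b"example.org",
          default_user: str = "postmaster") -> list[str]:
    """Full path from raw message to local users, safe for a headerless message."""
    headers, _body = split_message(raw)
    return multidrop_recipients(headers, local_domain, default_user)


if __name__ == "__main__":
    # Constructed messages: one headerless (the advisory's case), one normal.
    print(route(b"\r\nthis message has no headers at all\r\n"))
    print(route(b"To: Alice <alice@example.org>,\r\n bob@elsewhere.net\r\n"
                b"Cc: carol@EXAMPLE.org\r\n\r\nbody\r\n"))
```

The defensive step is the `found or [default_user]` fallback together with
a splitter that can return an empty list; everything downstream then works
on a list rather than on a header that may be missing.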

Users of fetchmail should update to this erratum package which contains
backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Sat Mar 11 2006 Donald Maner <donjr at maner.org> 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-4348 (#164512)
- add patch for CAN-2005-3088 from RHEL 2.1 (#164512)

* Thu Jul 28 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 5.9.0-21.7.3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

rh9:
* Thu Mar 23 2006 Marc Deslauriers <marcdeslauriers at videotron.ca>
6.2.0-3.4.legacy
- Added missing e2fsprogs-devel to BuildPrereq

* Sat Mar 11 2006 Donald Maner <donjr at maner.org> 6.2.0-3.2.legacy
- add patch for CAN-2003-0792 (#164512)
- add patch for CAN-2005-3088 (#164512)

* Thu Jul 28 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 6.2.0-3.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc1:
* Sun Mar 12 2006 Donald Maner <donjr at maner.org> 6.2.0-8.2.legacy
- add patch for CAN-2005-3088 (#164512)
- add patch for CAN-2005-2355 (#164512)

* Thu Jul 28 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 6.2.0-8.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

fc2:
* Sun Mar 12 2006 Donald Maner <donjr at maner.org> 6.2.5-2.2.legacy
- add patch for crash on empty message - CVE-2005-4348 (#164512)
- add patch for CAN-2005-3088 (#164512)

* Thu Jul 28 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 6.2.5-2.1.legacy
- add patch for POP3 buffer overflow - CAN-2005-2355 (#164512)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
8b49bca60dc8bcbba7634b8e0559c82fbeef3db5
redhat/7.3/updates-testing/i386/fetchmail-5.9.0-21.7.3.2.legacy.i386.rpm
9c9c861757b4b8b2866f1d0e91dbc16d5037d956
redhat/7.3/updates-testing/i386/fetchmailconf-5.9.0-21.7.3.2.legacy.i386.rpm
9cca4f274cb21928d459ed25883e5d3c1f758f10
redhat/7.3/updates-testing/SRPMS/fetchmail-5.9.0-21.7.3.2.legacy.src.rpm

rh9:
0fd22e51f83aab97d8c1790ed95423882f01aa9b
redhat/9/updates-testing/i386/fetchmail-6.2.0-3.4.legacy.i386.rpm
7d2eb582d0aba96e07710eb89cd8c4c41c4530d3
redhat/9/updates-testing/SRPMS/fetchmail-6.2.0-3.4.legacy.src.rpm

fc1:
5df158a0ba6bb0c323a75464e04b11e246dd8f98
fedora/1/updates-testing/i386/fetchmail-6.2.0-8.2.legacy.i386.rpm
927ed2783b8b4a29d0669e7936c1d27fd05564eb
fedora/1/updates-testing/SRPMS/fetchmail-6.2.0-8.2.legacy.src.rpm

fc2:
418f533e86f4c04a5fc41235b0618db470a63471
fedora/2/updates-testing/i386/fetchmail-6.2.5-2.2.legacy.i386.rpm
d5a948f76f51032c05ab44b0ca7e47e36f7e4042
fedora/2/updates-testing/SRPMS/fetchmail-6.2.5-2.2.legacy.src.rpm
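
The digest listing above only helps if it is actually checked against the
downloaded files. The following is an added example, not a Fedora Legacy
tool, that reads a listing in the layout used here (a 40-hex-digit line
followed by the file's path, with labels such as "rh9:" in between) or in
sha1sum's own "digest  path" form, and reports OK, MISMATCH or MISSING per
file. The files and digests in demo() are constructed; the digest used is
the well-known SHA-1 test vector for the string "abc".

```python
# Added example (not a Fedora Legacy tool): verify downloads against a SHA-1
# listing. demo() builds constructed files; SHA-1("abc") is a standard vector.
import hashlib
import os
import re
import tempfile

DIGEST_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_listing(text: str) -> list[tuple[str, str]]:
    """Pair each SHA-1 digest token with the path token that follows it.
    Tokenising on whitespace makes the two-line layout above and sha1sum's
    one-line layout look the same, and skips labels like 'rh73:'."""
    tokens = text.split()
    pairs: list[tuple[str, str]] = []
    i = 0
    while i < len(tokens):
        if DIGEST_RE.match(tokens[i].lower()) and i + 1 < len(tokens):
            pairs.append((tokens[i].lower(), tokens[i + 1]))
            i += 2
        else:
            i += 1
    return pairs


def sha1_of_file(path: str) -> str:
    """Stream the file through SHA-1 in 64 KiB chunks (packages can be large)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(listing: str, base_dir: str) -> dict[str, str]:
    """Return {relative path: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results: dict[str, str] = {}
    for expected, rel in parse_listing(listing):
        path = os.path.join(base_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "MISSING"
        elif sha1_of_file(path) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Constructed listing and files: one intact, one altered, one never fetched."""
    listing = """rh9:
a9993e364706816aba3e25717850c26c9cd0d89d
redhat/9/updates-testing/i386/intact.rpm
a9993e364706816aba3e25717850c26c9cd0d89d
redhat/9/updates-testing/i386/tampered.rpm
a9993e364706816aba3e25717850c26c9cd0d89d  redhat/9/updates-testing/SRPMS/never-downloaded.src.rpm
"""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "redhat/9/updates-testing/i386"))
        with open(os.path.join(d, "redhat/9/updates-testing/i386/intact.rpm"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "redhat/9/updates-testing/i386/tampered.rpm"), "wb") as f:
            f.write(b"abd")
        return verify(listing, d)


if __name__ == "__main__":
    for rel, status in demo().items():
        print("%-9s %s" % (status, rel))
```

A digest match shows the file is the one the listing describes, no more:
it is only as trustworthy as the channel the listing came through. The
package's own GPG signature, checked with rpm --checksig once the signing
key is imported, is what ties the file to the packager rather than to
this message.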

---------------------------------------------------------------------

Please test and comment in bugzilla.
