[pkg-fetchmail-maint] Bug#336096: fixed in fetchmail 6.2.5.4-1

Loic Minier lool at dooz.org
Tue Nov 15 19:43:03 UTC 2005


reopen 336096
tags 336096 + sarge
retitle 336096 [sarge] CVE-2005-3088 - password exposure in fetchmailconf
tags 336096 + pending
thanks

On Tue, Nov 15, 2005, Loic Minier wrote:
> Source: fetchmail
> Source-Version: 6.2.5.4-1
> 
> We believe that the bug you reported is fixed in the latest version of
> fetchmail, which is due to be installed in the Debian FTP archive:
> 
> fetchmail-ssl_6.2.5.4-1_all.deb
>   to pool/main/f/fetchmail/fetchmail-ssl_6.2.5.4-1_all.deb
> fetchmail_6.2.5.4-1.diff.gz
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.diff.gz
> fetchmail_6.2.5.4-1.dsc
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.dsc
> fetchmail_6.2.5.4-1_i386.deb
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1_i386.deb
> fetchmail_6.2.5.4.orig.tar.gz
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4.orig.tar.gz
> fetchmailconf_6.2.5.4-1_all.deb
>   to pool/main/f/fetchmail/fetchmailconf_6.2.5.4-1_all.deb
> 
> 
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 336096 at bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Loic Minier <lool at dooz.org> (supplier of updated fetchmail package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster at debian.org)
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Format: 1.7
> Date: Tue, 15 Nov 2005 18:53:37 +0100
> Source: fetchmail
> Binary: fetchmailconf fetchmail-ssl fetchmail
> Architecture: source i386 all
> Version: 6.2.5.4-1
> Distribution: unstable
> Urgency: high
> Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint at lists.alioth.debian.org>
> Changed-By: Loic Minier <lool at dooz.org>
> Description: 
>  fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
>  fetchmail-ssl - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
>  fetchmailconf - fetchmail configurator
> Closes: 288063 314509 321272 323637 330522 336096
> Changes: 
>  fetchmail (6.2.5.4-1) unstable; urgency=high
>  .
>    [ Lucas Wall ]
>      - pidfile checking in init.d script (closes: #323637).
>  .
>    [ Nico Golde ]
>      - Only create fetchmail user if it doesn't exist (closes: #330522,#321272).
>      - respect the permissions of fetchmail home.
>      - rebuild against latest openssl version.
>      - removed deletion of /etc/fetchmailrc,
>        see statement in BTS. (closes: #288063).
>      - adjusted legal notes (Thanks Marc Brockschmidt for the hint).
>  .
>    [ Loic Minier ]
>    * New upstream stable releases.
>      - Fix password exposure in fetchmailconf: use umask 077 before opening
>        output file and restore umask later. (Closes: #336096)
>        This is CVE-2005-3088.
>      - Drop 01pop3sec.dpatch, included upstream.
>      - Fix IMAP timeouts, counting message count down on servers that do not
>        send EXISTS counts after EXPUNGE. (Closes: #314509)
>      - Unlist spanish translation patch for now, as the spanish translation was
>        completely destroyed upstream.
>    * Add myself to Uploaders.
> Files: 
>  6e5f306aed047dc28e87bf7651357ebe 858 mail optional fetchmail_6.2.5.4-1.dsc
>  16af4db00e200445a55e6f7a9a267649 1275624 mail optional fetchmail_6.2.5.4.orig.tar.gz
>  5b6d534009350e90a5fd0cfa432cf30e 79388 mail optional fetchmail_6.2.5.4-1.diff.gz
>  93f0fb1c89dc716a7f28c874535faabf 104398 mail optional fetchmailconf_6.2.5.4-1_all.deb
>  48c68a538716d9ab63db700f15f0dd1a 45070 mail optional fetchmail-ssl_6.2.5.4-1_all.deb
>  68e50437e01725fccee667763ac2573e 290118 mail optional fetchmail_6.2.5.4-1_i386.deb
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> 
> iD8DBQFDeiIJ4VUX8isJIMARAtgNAJoDdUQpIE08bCigJ/8jSW8TT1rh7wCfYCDb
> SIKaKIeMQQ9TUY+Y0GKzY/Y=
> =uedC
> -----END PGP SIGNATURE-----
> 
> 
> 

-- 
Loïc Minier <lool at dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"
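
The changelog quoted above describes the CVE-2005-3088 fix as setting umask 077 before opening the output file and restoring it afterwards. The following Python example is added here for illustration and is not fetchmailconf's code: it compares a generic create-then-chmod writer with the umask approach and with an exclusive 0600 create. The function names, the sample rc line and the starting umask of 022 are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample line; not a real account or password.
SAMPLE = 'poll mail.example.org user "alice" password "constructed-secret"\n'

def _mode(f):
    return stat.S_IMODE(os.fstat(f.fileno()).st_mode)

def write_then_chmod(path, text):
    """Generic 'before' pattern: create under the caller's umask, tighten later.
    Returns the mode the file had before the chmod."""
    with open(path, "w") as f:
        f.write(text)
        exposed = _mode(f)
    os.chmod(path, 0o600)  # too late: other users could read before this line
    return exposed

def write_with_umask(path, text):
    """Pattern named in the changelog: umask 077 before opening, restore after.
    Only protects newly created files, and umask is process-wide."""
    old = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write(text)
            return _mode(f)
    finally:
        os.umask(old)

def write_exclusive(path, text):
    """Alternative: ask for 0600 at creation and refuse a pre-existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
        return _mode(f)

def demo():
    """Run all three writers under a typical 022 umask; return observed modes."""
    saved = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            modes = {fn.__name__: fn(os.path.join(d, fn.__name__), SAMPLE)
                     for fn in (write_then_chmod, write_with_umask, write_exclusive)}
        modes["umask_after"] = os.umask(0o022)  # read back; must still be 022
        return modes
    finally:
        os.umask(saved)
```

Under the assumed 022 umask the first writer leaves the file at mode 644 until the chmod runs, while the other two create it at 600 from the start.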