Bug#345944: [pkg-fetchmail-maint] Bug#345944: CVE-2005-4348 USN-233-1 fetchmail vulnerability

Matthias Andree matthias.andree at gmx.de
Wed Jan 4 18:07:06 UTC 2006


merge 345944 343836
thanks

This is a duplicate of Bug#343836, merging.

Loïc Minier wrote:

>  Ubuntu released an updated fetchmail package for CVE-2005-4348
>  (attached).

and forwarded:

> ===========================================================
> Ubuntu Security Notice USN-233-1	   January 02, 2006
> fetchmail vulnerability
> CVE-2005-4348
> ===========================================================
>
> [...]
>
> Details follow:
>
> Steve Fosdick discovered a remote Denial of Service vulnerability in
> fetchmail. When using fetchmail in 'multidrop' mode, a malicious email
> server could cause a crash by sending an email without any headers.
> Since fetchmail is commonly called automatically (with cron, for
> example), this crash could go unnoticed.

This is misattributed:
Daniel Drake (Gentoo) had publicly reported the issue on December 5 already,
<http://lists.ccil.org/pipermail/fetchmail-friends/2005-December/009880.html>,
two weeks before Steve Fosdick did.

At that time, a different fix had already been in the upstream fetchmail
CVS, which was in pretest phase for the 6.3.1 release that was released
one day after Steve's report.

The patch that was committed /upstream/ was a variant of
<http://lists.berlios.de/pipermail/fetchmail-devel/2005-December/000585.html>
that left the curly braces in fetchmail. It may not qualify as the
minimum fix though.

-- 
Matthias Andree



