From klieber@gentoo.org Sat Apr 3 01:12:58 2004
From: Kurt Lieber
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, alerts@linuxsecurity.com
Date: Wed, 31 Mar 2004 02:48:47 -0500
Subject: [ GLSA 200403-10 ] Fetchmail 6.2.5 fixes a remote DoS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Fetchmail 6.2.5 fixes a remote DoS
      Date: March 30, 2004
      Bugs: #37717
        ID: 200403-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Fetchmail versions 6.2.4 and earlier can be crashed by sending a
specially-crafted email to a fetchmail user.

Background
==========

Fetchmail is a utility that retrieves and forwards mail from remote
systems using IMAP, POP, and other protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
     net-mail/fetchmail      <= 6.2.4                         >= 6.2.5

Description
===========

Fetchmail versions 6.2.4 and earlier can be crashed by sending a
specially-crafted email to a fetchmail user. This problem occurs because
Fetchmail does not properly allocate memory for long lines in an
incoming email.

Impact
======

Fetchmail users who receive a malicious email may have their fetchmail
program crash.

Workaround
==========

While a workaround is not currently known for this issue, all users are
advised to upgrade to the latest version of the affected package.
Resolution
==========

Fetchmail users should upgrade to version 6.2.5 or later:

    # emerge sync
    # emerge -pv ">=net-mail/fetchmail-6.2.5"
    # emerge ">=net-mail/fetchmail-6.2.5"

References
==========

  [ 1 ] http://xforce.iss.net/xforce/xfdb/13450
  [ 2 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0792

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
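Added example, not part of the GLSA or of Gentoo's tooling: a POSIX shell check that tests whether an installed fetchmail version string falls in the affected range (<= 6.2.4) given in the Affected packages table, comparing dotted versions numerically rather than as strings so that 6.2.10 is correctly treated as newer than 6.2.5. It assumes the version string starts with a digit (as in the package version "6.2.4" or "6.2.5-r1"); a Gentoo revision suffix such as "-r1" is stripped before comparison.

```shell
#!/bin/sh
# Added example, not part of GLSA 200403-10: decide whether a fetchmail
# version string falls in the advisory's affected range (<= 6.2.4).

# Keep only the leading dotted numeric part: "6.2.5-r1" -> "6.2.5",
# "6.2.5_rc1" -> "6.2.5". Input is assumed to start with a digit.
normalize() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/'
}

# Print -1, 0 or 1 as $1 is less than, equal to or greater than $2.
# Components are compared as integers, so 6.2.10 > 6.2.5 (a plain
# string comparison would get this wrong). Missing trailing components
# count as 0, so 6.2 == 6.2.0.
vercmp() {
    a=$(normalize "$1"); b=$(normalize "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a='';; esac
        case $b in *.*) b=${b#*.};; *) b='';; esac
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit status 0 when the version is affected, i.e. strictly below the
# first unaffected version 6.2.5 from the Affected packages table.
fetchmail_affected() {
    [ "$(vercmp "$1" 6.2.5)" -lt 0 ]
}

# Usage: sh glsa-200403-10-check.sh <version>, with the version taken
# from the installed package (e.g. "6.2.4" or "6.2.5-r1").
if [ -n "${1:-}" ]; then
    if fetchmail_affected "$1"; then
        echo "fetchmail $1 is affected by GLSA 200403-10; upgrade to >= 6.2.5"
    else
        echo "fetchmail $1 is not in the affected range"
    fi
fi
```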