Notes:
Users are advised to download the current fetchmail-devel release candidates (6.2.9-rc7) instead of this package. The release candidates fix lots of bugs that remain unfixed in 6.2.5.2.
Update 2005-11-03: there is now patch-6.2.5.2.1-imap-timeout.diff that fixes Debian Bug#314509, to be applied on top of 6.2.5.2.
Update 2005-10-21: replace your existing fetchmailconf with fetchmailconf-1.43.2.gz after gunzipping it. This new fetchmailconf version fixes a password exposure bug (CVE-2005-3088).
This is a band-aid emergency release to fix the remote code injection vulnerability (possibly root), CVE-2005-2335.
Note: The documentation does not fully reflect all changes to maintainership, site and so on; see the README file for details.
fetchmail-patch-6.2.5.2 has been diffed against the vanilla fetchmail-6.2.5 tarball. To conserve space it does not update any URLs, but it does fix CVE-2005-2335.
Changes:
- README: Added a note about release status - READ IT!
- Note: Due to a Makefile.in bug, you may need to use GNU make.
- SECURITY FIX: truncate UIDL replies, lest malicious or compromised POP3 servers overflow fetchmail's stack. Debian bug #212762. This is a remote root exploit. CVE Name: CAN-2005-2335.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
- Critical fix: omit blank between MAIL FROM: and , as this causes mail loss with some listeners.
- Fix: POP2 driver wouldn't properly check authentication failure.
- Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
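The UIDL stack overflow fixed in this release comes from copying a server-supplied unique-id into a fixed-size buffer with no bound on the copy. The C parser below is an added example, not fetchmail's code or the patch itself: it shows the bounded, truncating form the fix describes. The 70-character limit is taken from RFC 1939, and the hostile server line is constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1939 caps a POP3 unique-id at 70 printable characters, so a fixed
 * buffer is fine as long as every copy into it is bounded. The pattern to
 * avoid is sscanf(line, "%d %s", &num, id) into a fixed stack array: it
 * copies as many bytes as the server chooses to send. */
#define UIDL_MAX 70

/* Parse one UIDL response line, "<msgnum> <unique-id>", into a caller
 * buffer of idsz bytes. An over-long id is cut to idsz-1 bytes and
 * *truncated is set. Returns the message number, or 0 on a bad line. */
int parse_uidl_line(const char *line, char *id, size_t idsz, int *truncated)
{
    char *end;
    size_t n;
    long num = strtol(line, &end, 10);

    *truncated = 0;
    if (idsz == 0 || end == line || num <= 0 || num > INT_MAX) return 0;
    while (*end == ' ') end++;
    n = strcspn(end, " \r\n");          /* id ends at a blank or CRLF */
    if (n == 0) return 0;               /* line carries no id */
    if (n >= idsz) {
        n = idsz - 1;                   /* truncate instead of overflowing */
        *truncated = 1;
    }
    memcpy(id, end, n);
    id[n] = '\0';
    return (int)num;
}

/* Constructed hostile reply: message 2 followed by a 300-byte unique-id. */
const char *hostile_line(void)
{
    static char buf[320] = "2 ";
    memset(buf + 2, 'A', 300);          /* buf[302] stays '\0' */
    return buf;
}

/* Wrappers so each outcome of a parse can be checked by name. */
int sample_msgnum(const char *l) { char id[UIDL_MAX + 1]; int t; return parse_uidl_line(l, id, sizeof id, &t); }
int sample_truncated(const char *l) { char id[UIDL_MAX + 1]; int t; parse_uidl_line(l, id, sizeof id, &t); return t; }
size_t sample_idlen(const char *l) { char id[UIDL_MAX + 1]; int t; parse_uidl_line(l, id, sizeof id, &t); return strlen(id); }
```

A well-formed line such as the RFC 1939 example "1 whqtswO00WBw418f9t5JxYwZ" parses with no truncation, while the constructed 300-byte id is cut to 70 bytes and flagged rather than written past the buffer.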