head 1.5; access; symbols; locks; strict; comment @# @; 1.5 date 2005.12.03.12.19.41; author rse; state Exp; branches; next 1.4; commitid qqpAOapyuzxSmacr; 1.4 date 2005.12.03.11.50.04; author rse; state Exp; branches; next 1.3; commitid irQCXvyd7wvJcacr; 1.3 date 2004.04.08.15.21.06; author rse; state Exp; branches; next 1.2; 1.2 date 2004.04.08.15.19.31; author rse; state Exp; branches; next 1.1; 1.1 date 2004.04.08.12.25.36; author ms; state Exp; branches; next ; desc @@ 1.5 log @resign after latest adjustments @ text @-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-security@@openpkg.org openpkg@@openpkg.org OpenPKG-SA-2004.012 08-Apr-2004 ________________________________________________________________________ Package: fetchmail Vulnerability: denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= fetchmail-6.2.4-20031008 >= fetchmail-6.2.5-20031016 OpenPKG 1.3 <= fetchmail-6.2.3-1.3.0 >= fetchmail-6.2.3-1.3.1 OpenPKG 2.0 none N.A. Dependent Packages: none Description: According to a Mandrake Linux security advisory [0], a denial of service (DoS) vulnerability exists in the header rewriting code of Fetchmail [1]. The code's intention is to hack message headers so replies work properly. However, logic in the reply_hack() function fails to allocate enough memory for long lines and may write past a memory boundary. This could allow an attacker to cause a denial of service by sending a specially crafted email and crashing fetchmail. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2003-0792 [2] to the problem. Please check whether you are affected by running "/bin/rpm -q fetchmail". If you have the "fetchmail" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution). [3][4] Solution: Select the updated source RPM appropriate for your OpenPKG release [5], fetch it from the OpenPKG FTP service [6] or a mirror location, verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the OpenPKG 1.3 release, perform the following operations to permanently fix the security problem. $ ftp ftp.openpkg.org ftp> bin ftp> cd release/1.3/UPD ftp> get fetchmail-6.2.3-1.3.1.src.rpm ftp> bye $ /bin/rpm -v --checksig fetchmail-6.2.3-1.3.1.src.rpm $ /bin/rpm --rebuild fetchmail-6.2.3-1.3.1.src.rpm $ su - # /bin/rpm -Fvh /RPM/PKG/fetchmail-6.2.3-1.3.1.*.rpm ________________________________________________________________________ References: [0] http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:101 [1] http://www.catb.org/~esr/fetchmail/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0792 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/1.3/UPD/fetchmail-6.2.3-1.3.1.src.rpm [6] ftp://ftp.openpkg.org/release/1.3/UPD/ [7] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFDkYzrgHWT4GPEy58RAvPpAJ0fshaWM0/0hi3Mm6niBdcTYwO3VgCeMKKd JUYI04y8RM9KVM9fzDX9uHs= =Dlpa -----END PGP SIGNATURE----- @ 1.4 log @switch to newer world order of CVE instead of CAN and where no more solution hints are specified in detail and anybody should already memorize this standard text @ text @d79 3 a81 3 iD8DBQFAdW3RgHWT4GPEy58RAutIAKDLPwHQnlNAhlQmCi1XYEYQryqyCACgn30q IYKyk6HlwUhG0JOiI615w90= =muqI @ 1.3 log @release OpenPKG Security Advisory 2004.012 (fetchmail) @ text @d32 1 a32 1 CAN-2003-0792 [2] to the problem. d61 1 a61 1 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0792 @ 1.2 log @final cleanups, fixes and par(1) formatting @ text @d1 3 d76 7 @ 1.1 log @first draft OpenPKG-SA-2004.012-fetchmail (CAN-2003-0792), to accompany update package fetchmail-6.2.3-1.3.1.src.rpm @ text @d13 4 a16 3 Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= fetchmail-6.2.4-20031008 >= fetchmail-6.2.5-20031016 OpenPKG 1.3 <= fetchmail-6.2.3-1.3.0 >= fetchmail-6.2.3-1.3.1 d21 9 a29 11 According to Mandrake security advisory MDKSA-2003:101 [0], a denial of service vulnerability exists in the header rewriting code of fetchmail [1]. The code's intention is to hack message headers so replies work properly. However, logic in the reply_hack function fails to allocate enough memory for long lines and may write past a memory boundary. This could allow an attacker to cause a denial of service by sending a specially crafted email and crashing fetchmail. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0792 [2] to the problem. d39 3 a41 3 verify its integrity [7], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the OpenPKG 1.3 release, perform the following operations to d49 2 a50 2 $ /bin/openpkg rpm -v --checksig fetchmail-6.2.3-1.3.1.src.rpm $ /bin/openpkg rpm --rebuild fetchmail-6.2.3-1.3.1.src.rpm d52 1 a52 1 # /bin/openpkg rpm -Fvh /RPM/PKG/fetchmail-6.2.3-1.3.1.*.rpm d57 1 a57 1 [2] http://www.catb.org/~esr/fetchmail/ d61 1 a61 1 [5] ftp://ftp.openpkg.org/release/1.3/UPD/foo-1.2.3-1.3.1.src.rpm @