
| Subject: | fetchmail security announcement 2006-03 (CVE-2006-5974) |
|---|---|
| Date: | Sat, 6 Jan 2007 00:06:21 +0100 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2006-03: crash when refusing message delivered through MDA

Topics:		fetchmail crashes when refusing a message bound for an MDA

Author:		Matthias Andree
Version:	1.0
Announced:	2007-01-04
Type:		denial of service
Impact:		fetchmail aborts prematurely
Danger:		low
Credits:	Neil Hoggarth (bug report and analysis)
CVE Name:	CVE-2006-5974
URL:		http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
Project URL:	http://fetchmail.berlios.de/

Affects:	fetchmail release 6.3.5
		fetchmail release candidates 6.3.6-rc1, -rc2

Not affected:	fetchmail release 6.3.6

Corrected:	2006-11-14 fetchmail SVN

0. Release history
==================

2006-11-19	-	internal review draft
2007-01-04	1.0	ready for release

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail ships with a graphical, Python/Tkinter
based configuration utility named "fetchmailconf" to help the user create
configuration (run control) files for fetchmail.

2. Problem description and Impact
=================================

Fetchmail 6.3.5 and early 6.3.6 release candidates, when delivering
messages to a message delivery agent by means of the "mda" option, can
crash (by passing a NULL pointer to ferror() and fflush()) when refusing
a message.

SMTP and LMTP delivery modes aren't affected.

3. Workaround
=============

Avoid the mda option and ship to a local SMTP or LMTP server instead.

4. Solution
===========

Download and install fetchmail 6.3.6 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

A. Copyright, License and Warranty
==================================

(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License.

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/2.0/de/ or send a letter to
Creative Commons; 559 Nathan Abbott Way; Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2006-03.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFntntvmGDOQUufZURAicZAKCg2UcpAQ0Wot44RbXYLP082rEX5QCfUYxg
qPVbKSzqv4ZEgrimsGieYc8=
=JbTf
-----END PGP SIGNATURE-----
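The failure mode described in section 2 of the advisory, as an added illustration that is not fetchmail's own code: a hypothetical MDA "sink" whose cleanup path calls fflush() and ferror() on a stream that was never opened because the message was refused, shown beside a guarded cleanup that tests for the unopened stream first. The `mda_sink` structure, the function names, the size-limit refusal rule and the use of a temporary file in place of the pipe to the MDA are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical delivery context for this illustration; it is not
 * fetchmail's own data structure. */
struct mda_sink {
    FILE *stream;   /* stream to the MDA while it is open, otherwise NULL */
};

/* Open the MDA sink. The caller may refuse the message (here: a size
 * limit, a constructed rule) before the MDA is ever started, in which
 * case no stream exists and `stream` stays NULL. A temporary file (or
 * /dev/null) stands in for the pipe that popen() would return. */
static int open_mda_sink(struct mda_sink *s, int refuse)
{
    s->stream = NULL;
    if (refuse)
        return -1;                        /* refused: nothing was opened */
    s->stream = tmpfile();                /* stand-in for popen(mda, "w") */
    if (s->stream == NULL)
        s->stream = fopen("/dev/null", "w");
    return s->stream ? 0 : -1;
}

/* Vulnerable cleanup pattern, as the advisory describes it: the stream is
 * flushed and checked unconditionally, so a refused message (stream ==
 * NULL) passes NULL to fflush() and ferror(). On common libcs that
 * dereferences NULL and the process aborts. Never call this with an
 * unopened sink; it is shown only for contrast. */
static int release_sink_unchecked(struct mda_sink *s)
{
    int failed = (fflush(s->stream) != 0) || ferror(s->stream);
    fclose(s->stream);
    s->stream = NULL;
    return failed ? -1 : 0;
}

/* Hardened cleanup: check whether the sink was ever opened before
 * touching the stream. A refused message has nothing to flush. */
static int release_sink_checked(struct mda_sink *s)
{
    if (s->stream == NULL)
        return 0;
    int failed = (fflush(s->stream) != 0) || ferror(s->stream);
    if (fclose(s->stream) != 0)
        failed = 1;
    s->stream = NULL;
    return failed ? -1 : 0;
}

/* Deliver one message through the hardened path. Returns 0 when the
 * message was delivered, 1 when it was refused and cleanly released,
 * -1 on I/O error. Messages longer than `limit` bytes are refused. */
int deliver_via_mda(const char *msg, size_t limit)
{
    struct mda_sink sink;
    int refuse = strlen(msg) > limit;

    if (open_mda_sink(&sink, refuse) != 0) {
        /* Refusal path: with release_sink_unchecked() this is where the
         * NULL stream would reach fflush()/ferror(). */
        release_sink_checked(&sink);
        return refuse ? 1 : -1;
    }
    if (fputs(msg, sink.stream) == EOF) {
        release_sink_checked(&sink);
        return -1;
    }
    return release_sink_checked(&sink);
}

int main(void)
{
    /* Constructed sample messages, not real mail. */
    const char *small = "From: a@example.org\r\n\r\nhello\r\n";
    const char *large = "From: a@example.org\r\n\r\nthis body exceeds the limit\r\n";

    printf("small message: %d (0 = delivered)\n", deliver_via_mda(small, 64));
    printf("large message: %d (1 = refused, no crash)\n", deliver_via_mda(large, 32));
    (void)release_sink_unchecked;   /* deliberately never called */
    return 0;
}
```

The point of the guarded variant is that the refusal decision and the teardown of the delivery stream are separate events: a message can be refused before a stream exists, so teardown must not assume one. On a deployed system the practical check is simply the installed version: `fetchmail --version` must report 6.3.6 or newer, or the `mda` option should be replaced by delivery to a local SMTP or LMTP server as the advisory's workaround says.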