Debian Bug report logs - #440006
CVE-2007-4565: Denial of Service attack in Fetchmail

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 29 Aug 2007 07:00:01 UTC

Severity: important

Tags: security

Found in version fetchmail/6.3.6-1

Fixed in version fetchmail/6.3.8-8

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#440006; Package fetchmail.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4565: Denial of Service attack in Fetchmail
Date: Wed, 29 Aug 2007 08:51:30 +0200
Package: fetchmail
Severity: important
Tags: security

Hi!

A DoS attack in fetchmail has been publicised:

> fetchmail before 6.3.9 allows context-dependent attackers to cause a denial
> of service (NULL dereference and application crash) by refusing certain
> warning messages that are sent over SMTP.

This upstream URL has details and references which commit fixes it:
http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/fetchmail-SA-2007-02.txt

Please update your package, and mention CVE-2007-4565 in your changelog. It 
would be good if you could assess the severity of this attack in the light of 
updating stable/oldstable.


thanks
Thijs

Bug marked as found in version 6.3.6-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2007 10:39:08 GMT)


Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer.


Message #12 received at 440006-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 440006-close@bugs.debian.org
Subject: Bug#440006: fixed in fetchmail 6.3.8-8
Date: Wed, 29 Aug 2007 10:47:03 +0000
Source: fetchmail
Source-Version: 6.3.8-8

We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive:

fetchmail_6.3.8-8.diff.gz
  to pool/main/f/fetchmail/fetchmail_6.3.8-8.diff.gz
fetchmail_6.3.8-8.dsc
  to pool/main/f/fetchmail/fetchmail_6.3.8-8.dsc
fetchmail_6.3.8-8_i386.deb
  to pool/main/f/fetchmail/fetchmail_6.3.8-8_i386.deb
fetchmailconf_6.3.8-8_all.deb
  to pool/main/f/fetchmail/fetchmailconf_6.3.8-8_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 440006@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 29 Aug 2007 12:05:09 +0200
Source: fetchmail
Binary: fetchmailconf fetchmail
Architecture: source i386 all
Version: 6.3.8-8
Distribution: unstable
Urgency: high
Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmailconf - fetchmail configurator
Closes: 440006
Changes: 
 fetchmail (6.3.8-8) unstable; urgency=high
 .
   * Including fix_CVE-2007-4565_DoS patch to fix
     Denial of Service vulnerability in sink.c
     (CVE-2007-4565) (Closes: #440006).
   * Fixed fetchmailconf menu sections.
Files: 
 1e55b40a6bc8200865add56c8ad3a39b 893 mail optional fetchmail_6.3.8-8.dsc
 96ff0c702f403d429ef9e2c77d0435f9 62698 mail optional fetchmail_6.3.8-8.diff.gz
 a9435a6e2a140277994ef9b339babd7d 61918 mail optional fetchmailconf_6.3.8-8_all.deb
 525f2ebddd11feb0d01f2ab8a7f1ca85 653832 mail optional fetchmail_6.3.8-8_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1UqOHYflSXNkfP8RAsluAJ4x+QUmAaHVGPwYF8eYIHKHbS7FXgCdEEIY
3MFhONOkXnKAdCdumWyymLw=
=dOOE
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Oct 2007 07:25:38 GMT)

