Debian Bug report logs - #440006
CVE-2007-4565: Denial of Service attack in Fetchmail
Reported by: Thijs Kinkhorst <thijs@debian.org>
Date: Wed, 29 Aug 2007 07:00:01 UTC
Severity: important
Tags: security
Found in version fetchmail/6.3.6-1
Fixed in version fetchmail/6.3.8-8
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>: Bug#440006; Package fetchmail.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: New Bug report received and forwarded. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: fetchmail
Severity: important
Tags: security
Hi!
A DoS attack in fetchmail has been publicised:
> fetchmail before 6.3.9 allows context-dependent attackers to cause a denial
> of service (NULL dereference and application crash) by refusing certain
> warning messages that are sent over SMTP.
This upstream URL has details and references which commit fixes it:
http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/fetchmail-SA-2007-02.txt
Please update your package, and mention CVE-2007-4565 in your changelog. It
would be good if you could assess the severity of this attack in the light of
updating stable/oldstable.
thanks
Thijs
Bug marked as found in version 6.3.6-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2007 10:39:08 GMT)
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer.
Message #12 received at 440006-close@bugs.debian.org:
Source: fetchmail
Source-Version: 6.3.8-8
We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive:
fetchmail_6.3.8-8.diff.gz to pool/main/f/fetchmail/fetchmail_6.3.8-8.diff.gz
fetchmail_6.3.8-8.dsc to pool/main/f/fetchmail/fetchmail_6.3.8-8.dsc
fetchmail_6.3.8-8_i386.deb to pool/main/f/fetchmail/fetchmail_6.3.8-8_i386.deb
fetchmailconf_6.3.8-8_all.deb to pool/main/f/fetchmail/fetchmailconf_6.3.8-8_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 440006@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated fetchmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 29 Aug 2007 12:05:09 +0200
Source: fetchmail
Binary: fetchmailconf fetchmail
Architecture: source i386 all
Version: 6.3.8-8
Distribution: unstable
Urgency: high
Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
fetchmail - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
fetchmailconf - fetchmail configurator
Closes: 440006
Changes:
fetchmail (6.3.8-8) unstable; urgency=high
  * Including fix_CVE-2007-4565_DoS patch to fix Denial of Service vulnerability in sink.c (CVE-2007-4565) (Closes: #440006).
  * Fixed fetchmailconf menu sections.
Files:
1e55b40a6bc8200865add56c8ad3a39b 893 mail optional fetchmail_6.3.8-8.dsc
96ff0c702f403d429ef9e2c77d0435f9 62698 mail optional fetchmail_6.3.8-8.diff.gz
a9435a6e2a140277994ef9b339babd7d 61918 mail optional fetchmailconf_6.3.8-8_all.deb
525f2ebddd11feb0d01f2ab8a7f1ca85 653832 mail optional fetchmail_6.3.8-8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG1UqOHYflSXNkfP8RAsluAJ4x+QUmAaHVGPwYF8eYIHKHbS7FXgCdEEIY
3MFhONOkXnKAdCdumWyymLw=
=dOOE
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Oct 2007 07:25:38 GMT)
Last modified: Wed Jun 19 13:35:58 2019