Credit:
The information has been provided by ma and bt .
The original article can be found at: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
Vulnerable Systems:
* fetchmail version 6.2.5.4
* fetchmail version 6.3.0
Immune Systems:
* fetchmail version 6.3.1-rc1
* fetchmail version 6.3.1
* fetchmail version 6.2.5.5
Fetchmail contains a bug that causes the application to crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. Because fetchmail does not record such a message as "previously fetched", it crashes again on the same message each time it is re-executed and cannot make progress. A malicious or compromised upstream server could thus cause a denial of service in fetchmail clients.
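As an added illustration (this is not fetchmail's code and not the code path that actually crashed), the following Python model shows the two properties the advisory turns on: a multidrop-style header parser that tolerates a message with no header section, and a fetch loop that records every message as seen even when delivery fails, so one malformed message cannot stall the client across re-runs. All names in it (`DEFAULT_MAILBOX`, `fetch_all`, the sample mailbox and domains) are assumptions made for this example.

```python
"""Added example, not fetchmail's own code: a toy multidrop-style fetcher.

It models the two properties the advisory turns on:
  1. A message with no header section yields an empty header map instead of
     a crash, so recipient selection falls back to a default mailbox.
  2. The fetch loop records every UID it has processed, even when delivery
     fails, so a re-run never re-processes the same poison message.
All message data, domain names and mailbox names here are constructed.
"""
from email.utils import getaddresses
from typing import Dict, List, Set, Tuple

DEFAULT_MAILBOX = "postmaster"  # assumed fallback recipient for this example


def split_message(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw message into (header_block, body), tolerating input that
    has no header section at all."""
    text = raw.replace(b"\r\n", b"\n")
    if text.startswith(b"\n"):            # blank first line: headers absent
        return b"", text[1:]
    head, sep, body = text.partition(b"\n\n")
    if sep:
        return head, body
    # No blank-line separator: headers only if line 1 looks like a field,
    # otherwise treat the whole thing as a body with no headers.
    first_line = text.split(b"\n", 1)[0]
    if b":" in first_line and first_line[:1] not in (b" ", b"\t"):
        return text, b""
    return b"", text


def parse_headers(header_block: bytes) -> Dict[str, List[bytes]]:
    """Parse header lines into a lower-cased multi-map. Folded continuation
    lines are appended to the previous field; malformed lines are skipped
    instead of aborting the whole message."""
    headers: Dict[str, List[bytes]] = {}
    last_name = None
    for line in header_block.split(b"\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and last_name is not None:
            headers[last_name][-1] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        last_name = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(last_name, []).append(value.strip())
    return headers


def local_recipients(headers: Dict[str, List[bytes]],
                     local_domains: Set[str]) -> List[str]:
    """Multidrop-style recipient selection: collect local-domain addresses
    from recipient headers. With no usable header (including the
    no-headers case) the message goes to DEFAULT_MAILBOX."""
    found: List[str] = []
    for field in ("to", "cc", "envelope-to"):
        for value in headers.get(field, []):
            for _name, addr in getaddresses([value.decode("ascii", "replace")]):
                user, _, domain = addr.rpartition("@")
                if user and domain.lower() in local_domains:
                    found.append(user.lower())
    return found or [DEFAULT_MAILBOX]


def fetch_all(mailbox: Dict[str, bytes], seen: Set[str],
              local_domains: Set[str]) -> Dict[str, List[str]]:
    """One fetch pass. `mailbox` maps server UID -> raw message; `seen` is
    the persistent UIDL-style record. A UID is added to `seen` in `finally`,
    so even a message that blows up delivery is never fetched again."""
    delivered: Dict[str, List[str]] = {}
    for uid, raw in mailbox.items():
        if uid in seen:
            continue
        try:
            header_block, _body = split_message(raw)
            delivered[uid] = local_recipients(parse_headers(header_block),
                                              local_domains)
        except Exception:  # unexpected parser failure: deliver nothing, but advance
            delivered[uid] = []
        finally:
            seen.add(uid)
    return delivered


# Constructed sample mailbox: one normal message and two without headers.
SAMPLE_MAILBOX: Dict[str, bytes] = {
    "1": b"From: a@remote.test\r\nTo: Alice <alice@example.org>, bob@other.test\r\n"
         b"Subject: hi\r\n\r\nbody\r\n",
    "2": b"\r\nthis message starts with a blank line and has no headers\r\n",
    "3": b"body only, no blank line and no header field\r\n",
}
LOCAL_DOMAINS = {"example.org"}

if __name__ == "__main__":
    state: Set[str] = set()
    print(fetch_all(SAMPLE_MAILBOX, state, LOCAL_DOMAINS))  # first run handles all 3
    print(fetch_all(SAMPLE_MAILBOX, state, LOCAL_DOMAINS))  # re-run: {} (no stall)
```

The design point is in `fetch_all`: progress is recorded in `finally`, independent of whether delivery succeeded, which is exactly the property the advisory says was missing and which turns a one-off malformed message into a permanent denial of service when it is absent.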
Workaround:
Where possible, singledrop mode may be an alternative.
Vendor Status:
The vendor has issued a fix: Download and install fetchmail 6.3.1 or a newer stable release from fetchmail's project site at http://developer.berlios.de/project/showfiles.php?group_id=1824
The fix has also been backported to the 6.2.5.5 legacy release, which is available from the same site.
Note, however, that 6.3.X has very few incompatible changes relative to 6.2.5.X, so 6.3.X should be viable for most sites. It is therefore recommended that every user and distributor upgrade to 6.3.1 or newer.
The fetchmail 6.2.5.X branch will be discontinued in early 2006.
The new 6.3.X stable branch has been available since 2005-11-30 and will not change except for bugfixes, documentation and translations.
CVE Information:
CVE-2005-4348