Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: fetchmail
Date: Sun, 15 Dec 2002 13:15:12
Message-Id: 20021215130728.5FFE033BAB@mail1.tamperd.net
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - --------------------------------------------------------------------
5 GENTOO LINUX SECURITY ANNOUNCEMENT 200212-3
6 - - --------------------------------------------------------------------
7
8 PACKAGE : fetchmail
9 SUMMARY : buffer overflow
10 DATE    : 2002-12-15 13:12 UTC
11 EXPLOIT : remote
12
13 - - --------------------------------------------------------------------
14
15 - From e-matters advisory:
16
17 "In the light of recent discoveries we reaudited Fetchmail and found
18 another bufferoverflow within the default configuration. This heap
19 overflow can be used by remote attackers to crash it or to execute
20 arbitrary code with the privileges of the user running fetchmail.
21 Depending on the configuration this allows a remote root compromise."
22
23 Read the full advisory at
24 http://security.e-matters.de/advisories/052002.html
25
26 SOLUTION
27
28 It is recommended that all Gentoo Linux users who are running
29 net-mail/fetchmail-6.1.2 and earlier update their systems as follows:
30
31 emerge rsync
32 emerge fetchmail
33 emerge clean
34
35 - - --------------------------------------------------------------------
36 aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
37 avenj@g.o
38 - - --------------------------------------------------------------------
39 -----BEGIN PGP SIGNATURE-----
40 Version: GnuPG v1.2.1 (GNU/Linux)
41
42 iD8DBQE9/H6GfT7nyhUpoZMRAsaYAJ91S9qnCMg7K52RKryLUMuWi0URIACgpFdF
43 AUF2cEn+Y8qLPsolPSSIf0s=
44 =nDtt
45 -----END PGP SIGNATURE-----