-----------------------------------------------------------------------
                Immunix Secured OS Security Advisory

Packages updated:   fetchmail, fetchmailconf
Affected products:  Immunix OS 7+
Bugs fixed:         CAN-2002-1365, CAN-2003-0792, CAN-2003-0790
Date:               Fri Oct 17 2003
Advisory ID:        IMNX-2003-7+-023-01
Author:             Seth Arnold <sarnold@xxxxxxxxxxx>
-----------------------------------------------------------------------

Description:
  This update fixes several bugs in fetchmail, including a broken
  boundary condition check in the multidrop code, a header overflow
  that neglected to account for '@' signs in email addresses
  (CAN-2002-1365), a header-rewriting bug (CAN-2003-0792), and a
  head-reading bug (CAN-2003-0790; this CAN is likely to be revoked, but
  the patch appears to be nicely defensive).

  Immunix would like to thank Stefan Esser, Dave Jones, Markus Friedl,
  Nalin Dahyabhai, Mark J Cox, and Eric S. Raymond for diagnosing and
  fixing the problems.

  It is unknown if any of these problems lead to more than a Denial of
  Service attack. We do not believe StackGuard provides protection for
  any of the bugs addressed here.

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
    http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
    http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm

  A source package for Immunix 7+ is available at:
    http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm

Immunix OS 7+ md5sums:
  fb8091d8401059cdc1e7f44efb2f8d5f  RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
  b70e0a1cbd01c40a51496218d14b26f1  RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm
  ff1fda573b367c2ac5f81e2c4b3f2d74  SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm

GPG verification:
  Our public keys are available at http://download.immunix.org/GPG_KEY

  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.

NOTE: Ibiblio is graciously mirroring our updates, so if the links above
  are slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@xxxxxxxxxxxx

  Immunix attempts to conform to the RFP vulnerability disclosure
  protocol: http://www.wiretrip.net/rfp/policy.html
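The md5sums above are only useful if they are actually checked before the packages are installed. The script below is an added example, not part of the Immunix advisory: it embeds the published sums and runs md5sum -c against a download directory that keeps the advisory's RPMS/ and SRPMS/ subdirectory names (the download location itself is an assumption).

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded Immunix update
# packages against the md5sums published in IMNX-2003-7+-023-01 before
# installing them. Assumes the files were saved under RPMS/ and SRPMS/
# inside one download directory, mirroring the advisory's layout.

# Sums exactly as published in the advisory, in md5sum -c format.
IMNX_2003_7_023_SUMS='fb8091d8401059cdc1e7f44efb2f8d5f  RPMS/fetchmail-5.9.0-10_imnx_1.i386.rpm
b70e0a1cbd01c40a51496218d14b26f1  RPMS/fetchmailconf-5.9.0-10_imnx_1.i386.rpm
ff1fda573b367c2ac5f81e2c4b3f2d74  SRPMS/fetchmail-5.9.0-10_imnx_1.src.rpm'

# verify_sums DIR MANIFEST
# Checks every "<md5>  <relative path>" line of MANIFEST from inside DIR.
# Returns 0 only when all listed files exist and match; a mismatch, a
# missing file or a malformed manifest line returns 1 so the caller can
# refuse to install.
verify_sums() {
    dir=$1
    manifest=$2
    [ -d "$dir" ] || { echo "verify_sums: no such directory: $dir" >&2; return 1; }
    # --strict turns a badly formatted manifest line into a failure as well
    # (GNU coreutils md5sum); --quiet suppresses the per-file OK lines.
    if ( cd "$dir" && printf '%s\n' "$manifest" | md5sum -c --strict --quiet - ); then
        return 0
    fi
    echo "verify_sums: checksum mismatch or missing file under $dir; do not install" >&2
    return 1
}

# Typical use, with "$HOME/immunix-updates" as the assumed download directory.
# rpm -K then checks the package signatures against the imported Immunix key.
# verify_sums "$HOME/immunix-updates" "$IMNX_2003_7_023_SUMS" \
#     && rpm -K "$HOME/immunix-updates"/RPMS/*.rpm
```

A wrong sum or a missing package makes verify_sums return 1, so chaining the install with && stops it from running on an unverified file.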