| Summary: | net-mail/fetchmail<6.3.9 security issues CVE-2008-2711 and CVE-2007-4565 | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chan Min Wai <dcmwai> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | net-mail+disabled |
| Priority: | High | Keywords: | STABLEREQ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=15418 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Chan Min Wai
2009-01-05 16:27:09 UTC
CVE-2007-4565 was bug 191154
CVE-2008-2711 was bug 227105

Both fixed.

FYI: There are two further issues listed under "SECURITY AND CRITICAL BUG FIXES" (see URL):

* When expunging, mark the right messages as seen to avoid message loss in "keep flush" configurations. Workaround for previous versions: "expunge 0". Report and patch by Alexander Cherepanov - thanks a lot, Berlios Bug #11797, "imap_mark_seen doesn't consider expunged messages".
* SSL fix: close memory leak when SSL connection fails; fetchmail used to forget calling SSL_free() on the SSL context, leaking in excess of 500 kB RAM on a x86_64 system per failed SSL connection attempt. Bug reported and patch provided by Seiichi Ikarashi, Fujitsu.

Arches, please test and mark stable:
Package: '=net-mail/fetchmail-6.3.9'
Target Keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 x86-fbsd"

(In reply to comment #2)
> Arches, please test and mark stable:
> Package: '=net-mail/fetchmail-6.3.9'
> Target Keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
> x86-fbsd"
>

why - if both issues are already fixed for the current stable version?

Sorry, uhm, what's wrong with me, I failed hard here. :(

Well, I think we should still stabilize because of the "SSL fix".

(In reply to comment #4)
> Sorry, uhm, what's wrong with me, I failed hard here. :(
>
> Well, I think we should still stabilize because of the "SSL fix".
>

hrm, well ... let's do it

(In reply to comment #5)
> hrm, well ... let's do it

that being said, ppc stable

I forgot to click "Add Archs" button, too. :/

no mips, no no....

ppc64 done

Stable for HPPA

(In reply to comment #8)
> no mips, no no....
>

neither bsd afaik

alpha/ia64/sparc/x86 stable

amd64 stable

The SSL issue is a client-side DOS, so I close it as noglsa per policy. Feel free to reopen if you disagree.