| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <net-mail/fetchmail-6.3.20: Denial of service possible in STARTTLS mode (CVE-2011-1947) | | |
| Product | Gentoo Security | Reporter | Tim Sammut (RETIRED) <underling> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | net-mail+disabled |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.txt | | |
| Whiteboard | B3 [noglsa] | | |
| Package list | | Runtime testing required | --- |
Description
Tim Sammut (RETIRED)
2011-05-30 22:37:03 UTC
fetchmail 6.3.20 has been released. http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=18583

Thank you Tim. In the tree:

    +*fetchmail-6.3.20 (07 Jun 2011)
    +
    +  07 Jun 2011; Eray Aslan <eras@gentoo.org> +fetchmail-6.3.20.ebuild:
    +  Version bump - security bug #369403

Arches, please test and mark stable: =net-mail/fetchmail-6.3.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

ppc/ppc64 stable

amd64: Am limited by not running an ISP mail account now, only the browser-driven Hotmail, therefore can't start the fetchmail daemon. However, emerged OK, the conf script brought up the GUI to configure fetchmail. Passed test phase, looks OK.

Stable for HPPA.

amd64 done. Thanks Ian

x86 stable

arm stable

alpha/ia64/s390/sh/sparc stable

Thanks, everyone. GLSA Vote: no.

CVE-2011-1947 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1947): fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

no too, and closing.
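The CVE text quoted in the thread describes a server that acknowledges STLS/STARTTLS and then sends nothing, so a client whose TLS handshake has no timeout hangs indefinitely. The Python sketch below is added here as an illustration of that failure mode; it is not code from this bug report, from Gentoo, or from fetchmail. It models the hostile peer with a constructed in-process POP3 server (loopback only, no certificate, closes after a chosen hold time) and runs a minimal STLS client against it twice: once with `timeout=None`, the unbounded wait the advisory describes (which here ends only because the constructed server eventually closes the connection), and once with a socket timeout that also covers the TLS handshake. Server, client, port handling and timings are all assumptions for the example.

```python
import socket
import ssl
import threading
import time


def read_line(sock, limit=1024):
    """Read one CRLF-terminated line one byte at a time.

    Reading byte-wise matters for STARTTLS-style protocols: a buffered reader
    could swallow bytes that belong to the TLS handshake that follows the
    "+OK" reply. With a socket timeout set, recv() raises socket.timeout
    instead of blocking forever.
    """
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("peer closed connection before end of line")
        buf += ch
        if len(buf) > limit:
            raise ValueError("response line too long")
    return bytes(buf)


def start_stalling_stls_server(hold_seconds):
    """Constructed POP3 server for this example only (assumption, not a real MTA).

    It greets, acknowledges STLS, then never sends a byte of TLS handshake
    data and closes the connection after hold_seconds: the peer behaviour
    CVE-2011-1947 describes, modelled locally.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.sendall(b"+OK POP3 server ready\r\n")
            if read_line(conn).strip().upper() == b"STLS":
                conn.sendall(b"+OK Begin TLS negotiation\r\n")
                time.sleep(hold_seconds)  # stall: no ServerHello ever arrives
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pop3_stls(host, port, timeout):
    """Issue STLS and run the TLS handshake under the socket timeout.

    timeout=None reproduces the unbounded wait (the vulnerable behaviour);
    a finite timeout bounds both the STLS reply and the handshake itself.
    Returns a dict with the outcome and elapsed wall-clock seconds.
    """
    start = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        if not read_line(sock).startswith(b"+OK"):
            return {"outcome": "bad-greeting", "elapsed": time.monotonic() - start}
        sock.sendall(b"STLS\r\n")
        if not read_line(sock).startswith(b"+OK"):
            return {"outcome": "stls-refused", "elapsed": time.monotonic() - start}
        ctx = ssl.create_default_context()
        # The constructed server presents no certificate (the handshake never
        # gets that far); a real client must keep verification enabled.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # The wrapped socket inherits the timeout; do_handshake() honours it.
        tls = ctx.wrap_socket(sock, do_handshake_on_connect=False)
        tls.do_handshake()
        return {"outcome": "tls-established", "elapsed": time.monotonic() - start}
    except socket.timeout:
        return {"outcome": "handshake-timeout", "elapsed": time.monotonic() - start}
    except OSError:
        # Peer closed or reset the connection (ssl.SSLError is an OSError too).
        return {"outcome": "handshake-failed", "elapsed": time.monotonic() - start}
    finally:
        if tls is not None:
            tls.close()
        else:
            sock.close()


def demo(timeout, hold_seconds):
    """Run the client against the stalling server and return its result."""
    port = start_stalling_stls_server(hold_seconds)
    return pop3_stls("127.0.0.1", port, timeout)


if __name__ == "__main__":
    print("bounded wait:  ", demo(timeout=1.0, hold_seconds=4.0))
    print("unbounded wait:", demo(timeout=None, hold_seconds=1.0))
```

With a timeout the client gives up after about one second with `handshake-timeout`; without one it sits in `do_handshake()` until the peer closes, which a real malicious server would never do. Two details carry over to any STARTTLS client: the deadline must cover the handshake, not only the plaintext command exchange, and the "+OK" reply must be read without buffering past the end of the line, or the first TLS record may be consumed as protocol text.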