Bug 253871 (CVE-2007-4565) - net-mail/fetchmail<6.3.9 security issues CVE-2008-2711 and CVE-2007-4565
Summary: net-mail/fetchmail<6.3.9 security issues CVE-2008-2711 and CVE-2007-4565
Status: RESOLVED FIXED
Alias: CVE-2007-4565
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://developer.berlios.de/project/s...
Whiteboard: B4 [noglsa]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2009-01-05 16:27 UTC by Chan Min Wai
Modified: 2020-04-10 11:35 UTC
Description Chan Min Wai 2009-01-05 16:27:09 UTC
Security issue update to 6.3.9.

Reproducible: Always
Comment 1 Torsten Veller (RETIRED) gentoo-dev 2009-01-05 17:16:12 UTC
CVE-2007-4565 was bug 191154
CVE-2008-2711 was bug 227105
Both fixed.


FYI: There are two further issues listed under
"SECURITY AND CRITICAL BUG FIXES" (see URL):

* When expunging, mark the right messages as seen to avoid message loss in "keep
  flush" configurations.  Workaround for previous versions: "expunge 0".
  Report and patch by Alexander Cherepanov - thanks a lot, Berlios Bug #11797,
  "imap_mark_seen doesn't consider expunged messages".
* SSL fix: close memory leak when SSL connection fails; fetchmail used to forget
  calling SSL_free() on the SSL context, leaking in excess of 500 kB RAM on a
  x86_64 system per failed SSL connection attempt.
  Bug reported and patch provided by Seiichi Ikarashi, Fujitsu.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 21:46:56 UTC
Arches, please test and mark stable:
Package: '=net-mail/fetchmail-6.3.9'
Target Keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 x86-fbsd"
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-05 21:56:51 UTC
(In reply to comment #2)
> Arches, please test and mark stable:
> Package: '=net-mail/fetchmail-6.3.9'
> Target Keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
> x86-fbsd"
> 

why - if both issues are already fixed for the current stable version?
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:44:11 UTC
Sorry, uhm, what's wrong with me, I failed hard here. :(

Well, I think we should still stabilize because of the "SSL fix".
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-06 17:11:51 UTC
(In reply to comment #4)
> Sorry, uhm, what's wrong with me, I failed hard here. :(
> 
> Well, I think we should still stabilize because of the "SSL fix".
> 

hrm, well ... let's do it
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-06 17:15:28 UTC
(In reply to comment #5)
> hrm, well ... let's do it

that being said, ppc stable 

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-06 18:01:35 UTC
I forgot to click "Add Archs" button, too. :/
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-01-06 19:01:08 UTC
no mips, no no....
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-01-06 19:55:08 UTC
ppc64 done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-07 15:42:42 UTC
Stable for HPPA
Comment 11 Alexis Ballier gentoo-dev 2009-01-07 15:44:27 UTC
(In reply to comment #8)
> no mips, no no....
> 

neither bsd afaik
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-01-07 18:26:19 UTC
alpha/ia64/sparc/x86 stable
Comment 13 Markus Meier gentoo-dev 2009-01-10 10:12:06 UTC
amd64 stable
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 14:21:03 UTC
The SSL issue is a client-side DOS, so I close it as noglsa per policy. Feel free to reopen if you disagree.