-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 774-1 security@debian.org http://www.debian.org/security/ Martin Schulze August 12th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : fetchmail Vulnerability : buffer overflow Problem-Type : remote Debian-specific: no CVE ID : CAN-2005-2335 CERT advisory : BugTraq ID : 14349 Debian Bug : 212762 Edward Shornock discovered a bug in the UIDL handling code of fetchmail, a common POP3, APOP and IMAP mail fetching utility. A malicious POP3 server could exploit this problem and inject arbitrary code that will be executed on the victim host. If fetchmail is running as root, this becomes a root exploit. the old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 6.2.5-12sarge1. For the unstable distribution (sid) this problem has been fixed in version 6.2.5-16. We recommend that you upgrade your fetchmail package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1.dsc Size/MD5 checksum: 650 3eb739416b5b7a906b56b3145cf1ba32 http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1.diff.gz Size/MD5 checksum: 150578 12cdd33c6299e840ffcf3cfa00eb2e0e http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gz Size/MD5 checksum: 1257376 9956b30139edaa4f5f77c4d0dbd80225 Architecture independent components: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-ssl_6.2.5-12sarge1_all.deb Size/MD5 checksum: 42268 593148b798ec57fbca09340ecb139c1e http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.2.5-12sarge1_all.deb Size/MD5 checksum: 101356 c7e81ed2ef2c7375e3afb9d937a1aa91 Alpha architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_alpha.deb Size/MD5 checksum: 572940 7426819c3db555eb6c1b5bf866b2113d AMD64 architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_amd64.deb Size/MD5 checksum: 554678 56223b7979f4e4410c05620d153a01ba ARM architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_arm.deb Size/MD5 checksum: 549146 b8f0493390f4aa713004f913f2696e73 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_i386.deb Size/MD5 checksum: 548184 4b004ec450045c4d0d4b9fda7d9b04cc Intel IA-64 architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_ia64.deb Size/MD5 checksum: 597056 5a7e4a0f676edeed83bd3e48d4747b57 HP Precision architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_hppa.deb Size/MD5 checksum: 561656 5ed8c10d345f358e85f58937e7aa79c9 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_m68k.deb Size/MD5 checksum: 537964 8ce1a7e8de2858d8b9166c7166309173 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_mips.deb Size/MD5 checksum: 556648 ee365e9943ae1646eb6ac051c6645833 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_mipsel.deb Size/MD5 checksum: 556388 5f07b01938a6171da1c319006700ec93 PowerPC architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_powerpc.deb Size/MD5 checksum: 556168 55c628ab054ef7022c679e15edde8fae IBM S/390 architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_s390.deb Size/MD5 checksum: 554510 5457354b0ee7ed5c735c582408396154 Sun Sparc architecture: http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_sparc.deb Size/MD5 checksum: 549168 db954a1eafe045ff6f2eb4c3c64abf3f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC/ICoW5ql+IAeqTIRAqn8AJ46/KeY8uk6O02wixFIxjv/JWpR/gCbBk0i rkIK0G9csGlq7HNfRwsxWWc= =Ilrk -----END PGP SIGNATURE-----