on signed char arch. http://www.fetchmail.info/fetchmail-SA-2010-01.txt
"This might be exploitable to inject code if
- - fetchmail is run in verbose mode
AND
- - the host running fetchmail considers char signed
AND
- - the server uses malicious certificates with non-printing characters
that have the high bit set
AND
- - these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this."
Make the APOP challenge parser more distrustful and have it reject challenges
that do not conform to RFC-822 msg-id format, in the hope to make mounting
man-in-the-middle attacks (MITM) against APOP a bit more difficult.
Detailed information:
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
A password disclosure vulnerability (CVE-2006-5867, fetchmail's using unsafe
logins or omitting TLS) and a denial of service vulnerability (CVE-2006-5974,
fetchmail crashes, dereferencing the null page, when rejecting a message sent
to an MDA).
Fetchmail 6.3.6 also fixes several regressions and long-standing bugs.
Details:
https://lists.berlios.de/pipermail/fetchmail-announce/2007-January/000042.html
tests & ok jasper@, simon@
This update includes security fixes for CVE-2005-2335, CVE-2005-4348
and CVE-2006-0321.
Take over maintainership. (With permission from old MAINTAINER fgsch@.)
Tested by Sigfred Håversen and aanriot@.
ok aanriot@, brad@
