pkgsrc-Bugs archive


pkg/42808: Vulnerable mail/fetchmail package in pkgsrc-current (version 6.3.11)



>Number:         42808
>Category:       pkg
>Synopsis:       Vulnerable mail/fetchmail package in pkgsrc-current (version 6.3.11)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 13 21:35:00 +0000 2010
>Originator:     Bug Hunting
>Release:        
>Organization:
>Environment:
>Description:
The mail/fetchmail package in pkgsrc-current, being at version 6.3.11, is
vulnerable.
>How-To-Repeat:
Update pkgsrc-current, then:

$ cd /usr/pkgsrc/mail/fetchmail
$ make package-name | xargs /usr/pkg/sbin/pkg_admin -v audit-pkg -e
Package fetchmail-6.3.11 has a arbitrary-code-execution vulnerability, see 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0562
>Fix:
The mail/fetchmail package should either be upgraded to version 6.3.13,
after which the patch in section B of
<http://www.fetchmail.info/fetchmail-SA-2010-01.txt> should be applied
(the difficult way), OR the package should be upgraded to version 6.3.14
(the correct way, I think ;-)).  No details on such an upgrade are provided
here, although one could see
<http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17213>
for the change details of 6.3.14, and read the security announcement at the
URL already given.

Either of these two ways of upgrading would override PR pkg/42519 (which was
closed already anyway); doc/TODO should be altered after it as well, removing
its `fetchmail-6.3.13' line.
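The How-To-Repeat section above runs pkg_admin's audit-pkg check by hand and reads the result by eye. The script below is an added example, not part of this PR and not pkgsrc's own tooling: it parses audit lines of the shape the report quotes ("Package <name>-<version> has a <type> vulnerability, see <url>", a format assumed from that one quoted line) and decides whether a given finding is still open after an upgrade to a stated fixed version. The sample audit output is constructed and contains the report's fetchmail line plus a hypothetical second package; the version comparison handles dotted numeric versions with an optional pkgsrc-style "nbN" revision suffix and is a simplification of pkgsrc's full dewey comparison, not a reimplementation of it.

```python
"""Parse `pkg_admin audit-pkg` style output and check findings against a fixed version.

Added example; the audit-line format is assumed from the single line quoted in
PR pkg/42808, and the version rules are a simplification of pkgsrc's own.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample output: the exact line from the PR plus a hypothetical
# second package (placeholder URL) so that the parser is exercised on more than one line.
SAMPLE_AUDIT_OUTPUT = (
    "Package fetchmail-6.3.11 has a arbitrary-code-execution vulnerability, see "
    "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0562\n"
    "Package example-tool-1.0nb1 has a denial-of-service vulnerability, see "
    "https://example.invalid/advisory-placeholder\n"
)

# Greedy \S+ for the name backtracks to the last "-<digit>" boundary, so
# hyphenated package names such as "py-foo-1.2" split correctly.
AUDIT_LINE = re.compile(
    r"^Package (?P<pkg>\S+)-(?P<ver>\d\S*) has an? (?P<kind>\S+) vulnerability, "
    r"see (?P<url>\S+)$"
)


class Finding(NamedTuple):
    package: str
    version: str
    kind: str
    url: str


def parse_audit_output(text: str) -> List[Finding]:
    """Return one Finding per line that matches the assumed audit-pkg format."""
    findings = []
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["pkg"], m["ver"], m["kind"], m["url"]))
    return findings


def version_key(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.3.14nb2' into ((6, 3, 14), 2); plain '6.3.14' has revision 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def version_less(a: str, b: str) -> bool:
    """True if version a sorts strictly before b (6.3 == 6.3.0, nb revisions break ties)."""
    (pa, na), (pb, nb) = version_key(a), version_key(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa, na) < (pb, nb)


def still_affected(finding: Finding, fixed_version: str) -> bool:
    """A finding stays open while the installed version is below the fixed one."""
    return version_less(finding.version, fixed_version)


if __name__ == "__main__":
    for f in parse_audit_output(SAMPLE_AUDIT_OUTPUT):
        if f.package == "fetchmail":
            # 6.3.14 is the upgrade target the PR recommends.
            state = "still affected" if still_affected(f, "6.3.14") else "fixed"
            print(f"{f.package}-{f.version}: {f.kind} ({f.url}) -> {state}")
```

On a real pkgsrc host the input would come from the pipeline the report shows (`make package-name | xargs pkg_admin audit-pkg`); here it is embedded so the script runs anywhere.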


