Subject: Fwd: Advisory 03/2002: Fetchmail remote vulnerabilities
To: None <>
From: Alan Post <>
List: tech-pkg
Date: 09/30/2002 11:50:58
As seen on bugtraq today.  Seems rather serious to me, as control of the mail
server is not required to exploit this.

The version of fetchmail in pkgsrc is 5.9.13.


From: Stefan Esser <>
Subject: Advisory 03/2002: Fetchmail remote vulnerabilities
Date: Sun, 29 Sep 2002 11:44:50 +0200
User-Agent: Mutt/1.4i

     Advisory: Fetchmail remote vulnerabilities
 Release Date: 2002/09/29
Last Modified: 2002/09/29
       Author: Stefan Esser []

  Application: Fetchmail <= 6.0.0
     Severity: Several vulnerabilities within Fetchmail could
               allow remote compromise.
         Risk: Critical
Vendor Status: Vendor released version 6.1.0

   We have discovered several bufferoverflows and a broken boundary check
   within Fetchmail. If Fetchmail is running in multidrop mode these flaws
   can be used by remote attackers to crash it or to execute arbitrary
   code with the permissions of the user running fetchmail. Depending on
   the configuration this allows a remote root compromise.