Subject: Fwd: Advisory 03/2002: Fetchmail remote vulnerabilities
To: None <firstname.lastname@example.org>
From: Alan Post <email@example.com>
Date: 09/30/2002 11:50:58

As seen on bugtraq today. Seems rather serious to me, as control of the mail
server is not required to exploit this.
The version of fetchmail in pkgsrc is 5.9.13.

From: Stefan Esser <firstname.lastname@example.org>
Subject: Advisory 03/2002: Fetchmail remote vulnerabilities
Date: Sun, 29 Sep 2002 11:44:50 +0200

Advisory: Fetchmail remote vulnerabilities
Release Date: 2002/09/29
Last Modified: 2002/09/29
Author: Stefan Esser [email@example.com]
Application: Fetchmail <= 6.0.0
Severity: Several vulnerabilities within Fetchmail could
allow remote compromise.
Vendor Status: Vendor released version 6.1.0

We have discovered several buffer overflows and a broken boundary check
within Fetchmail. If Fetchmail is running in multidrop mode these flaws
can be used by remote attackers to crash it or to execute arbitrary
code with the permissions of the user running fetchmail. Depending on
the configuration this allows a remote root compromise.