Commit 358b72cb authored by Matthias Andree

Convert most references from berlios.de to sourceforge.net.

Re-sign EN and SAs because that broke signatures.
parent f287ff47
......@@ -65,6 +65,7 @@ fetchmail-6.3.27 (not yet released, if ever):
* Fix a typo in the FAQ. Submitted by David Lawyer, Debian Bug#706776.
* Do not translate header tags such as "Subject:". Reported by Gonzalo Pérez de
Olaguer Córdoba, Debian Bug#744907.
* Convert most links from berlios.de to sourceforge.net.
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
......
......@@ -59,8 +59,7 @@ forwarding via SMTP to sendmail).
You can get the code from the fetchmail home page:
http://www.fetchmail.info/
http://fetchmail.berlios.de/
http://fetchmail.sourceforge.net/
Enjoy!
......
......@@ -13,7 +13,8 @@ To do a release:
- These would be done automatically by makerelease.pl:
- Upload sig and tarball to ~/public_html/fetchmail/
- Upload sig and tarball to ftp.berlios.de:/incoming/ and release
- Upload sig and tarball to sourceforge, per
<https://sourceforge.net/p/forge/documentation/Release%20Files%20for%20Download/#rsync>
- Update the fetchmail website for version, link to release nodes
(update release_id) and last update, commit, and upload.
......
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [fetchmail-users] After reading the FAQ, a question about lost/mangled attachments
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:fetchmail-users%40lists.berlios.de?Subject=Re%3A%20%5Bfetchmail-users%5D%20After%20reading%20the%20FAQ%2C%20a%20question%20about%0A%09lost/mangled%20attachments&In-Reply-To=%3C1141822356.516.4.camel%40linux.site%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000306.html">
<LINK REL="Next" HREF="000309.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments</H1>
<B>Peter N. Spotts</B>
<A HREF="mailto:fetchmail-users%40lists.berlios.de?Subject=Re%3A%20%5Bfetchmail-users%5D%20After%20reading%20the%20FAQ%2C%20a%20question%20about%0A%09lost/mangled%20attachments&In-Reply-To=%3C1141822356.516.4.camel%40linux.site%3E"
TITLE="[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments">pspotts at alum.mit.edu
</A><BR>
<I>Wed Mar 8 13:52:36 CET 2006</I>
<P><UL>
<LI>Previous message: <A HREF="000306.html">[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments
</A></li>
<LI>Next message: <A HREF="000309.html">[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#308">[ date ]</a>
<a href="thread.html#308">[ thread ]</a>
<a href="subject.html#308">[ subject ]</a>
<a href="author.html#308">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Sat, 2006-03-04 at 19:31 +0100, Matthias Andree wrote:
&gt;<i> &quot;Peter N. Spotts&quot; &lt;<A HREF="https://lists.berlios.de/mailman/listinfo/fetchmail-users">pspotts at alum.mit.edu</A>&gt; writes:
</I>&gt;<i>
</I>&gt;<i> &gt; I've been running fetchmail on SuSE 10.0 on my laptop, and until today
</I>&gt;<i> &gt; (when I installed the latest version of fetchmail) I've been running
</I>&gt;<i> &gt; 6.2.X.
</I>&gt;<i>
</I>&gt;<i> [...]
</I>&gt;<i>
</I>&gt;<i> &gt; So although my ISP is Comcast (I noted the Comcast caveats on
</I>&gt;<i> &gt; the FAQ page), Comcast does not seem to be the problem either.
</I>&gt;<i>
</I>&gt;<i> That would be news.
</I>&gt;<i>
</I>&gt;<i> fetchmail, beginning with version 6.3.2, recognizes Comcast's broken
</I>&gt;<i> servers (&quot;Maillennium POP3/PROXY server&quot;) and disables the problematic
</I>&gt;<i> use of the TOP command and uses RETR instead - so updating to 6.3.2
</I>&gt;<i> should have fixed all known Comcast problems.
</I>&gt;<i>
</I>&gt;<i> --
</I>&gt;<i> Matthias Andree
</I>
Matthias,
My apologies for the tardy reply. I'll remove the fetchall command from
my rc file and see how things work. I should have said earlier that I
had just updated to 6.3.2 that morning but hadn't tried it yet...I just
had this urge to write something after several weeks of
frustration! ;-)
With best regards,
Pete
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Peter N. Spotts | Science Correspondent
The Christian Science Monitor
One Norway Street, Boston MA 02115
Office: 617-450-2449 | Office in home: 508-520-3139
Email: <A HREF="https://lists.berlios.de/mailman/listinfo/fetchmail-users">pspotts at alum.mit.edu</A> | www.csmonitor.com
Amateur-radio call - KC1JB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
&quot;The knack of flying is to throw yourself at the ground and miss.&quot;
-- Douglas Adams
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000306.html">[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments
</A></li>
<LI>Next message: <A HREF="000309.html">[fetchmail-users] After reading the FAQ, a question about lost/mangled attachments
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#308">[ date ]</a>
<a href="thread.html#308">[ thread ]</a>
<a href="subject.html#308">[ subject ]</a>
<a href="author.html#308">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://lists.berlios.de/mailman/listinfo/fetchmail-users">More information about the fetchmail-users
mailing list</a><br>
</body></html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE> [fetchmail-devel] Security vulnerability in APOP authentication
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:fetchmail-devel%40lists.berlios.de?Subject=Re%3A%20%5Bfetchmail-devel%5D%20Security%20vulnerability%20in%20APOP%20authentication&In-Reply-To=%3Cqlkbqirheq7.fsf%40clipper.ens.fr%3E">
<META NAME="robots" CONTENT="index,nofollow">
<style type="text/css">
pre {
white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */
}
</style>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000884.html">
<LINK REL="Next" HREF="000889.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[fetchmail-devel] Security vulnerability in APOP authentication</H1>
<B>Ga&#235;tan LEURENT</B>
<A HREF="mailto:fetchmail-devel%40lists.berlios.de?Subject=Re%3A%20%5Bfetchmail-devel%5D%20Security%20vulnerability%20in%20APOP%20authentication&In-Reply-To=%3Cqlkbqirheq7.fsf%40clipper.ens.fr%3E"
TITLE="[fetchmail-devel] Security vulnerability in APOP authentication">gaetan.leurent at ens.fr
</A><BR>
<I>Wed Mar 14 15:55:08 CET 2007</I>
<P><UL>
<LI>Previous message: <A HREF="000884.html">[fetchmail-devel] Bug#413059: --sslcheck - non-existent option in the man page
</A></li>
<LI>Next message: <A HREF="000889.html">[fetchmail-devel] Security vulnerability in APOP authentication
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#887">[ date ]</a>
<a href="thread.html#887">[ thread ]</a>
<a href="subject.html#887">[ subject ]</a>
<a href="author.html#887">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>Hello,
I found a security vulnerability in the APOP authentication. It is
related to recent collision attacks by Wang and al. against MD5. The
basic idea is to craft a pair of message-ids that will collide in the
APOP hash if the password begins in a specified way. So the attacker
would impersonate a POP server, and send these msg-id; the client will
return the hash, and the attacker can learn some password characters.
The msg-ids will be generated from a MD5 collision: if you have two
colliding messages for MD5 &quot;&lt;[email protected]????&gt;x&quot; and &quot;&lt;&#191;&#191;&#191;&#191;@&#191;&#191;&#191;&#191;&gt;x&quot;, and the
message are of length two blocks, then you will use &quot;&lt;[email protected]????&gt;&quot; and
&quot;&lt;&#191;&#191;&#191;&#191;@&#191;&#191;&#191;&#191;&gt;&quot; as msg-ids. When the client computes MD5(msg-id||passwd)
with these two, it will collide if the first password character if 'x',
no matter what is next (since we are at a block boundary, and the end of
the password will be the same in the two hashs). Therefore you can
learn the password characters one by one (actually you can only recover
three of them, due to the way MD5 collisions are computed).
This attack is really a practical one: it needs about an hour of
computation and a few hundred authentications from the client, and can
recover three password characters. I tested it against fetchmail, and
it does work.
However, using the current techniques available to attack MD5, the
msg-ids sent by the server can easily be distinguished from genuine ones
as they will not respect the RFC specification. In particular, they
will contain non-ASCII characters. Therefore, as a security
countermeasure, I think fetchmail should reject msg-ids that does not
conform to the RFC.
The details of the attack and the new results against MD5 needed to
build it will be presented in the Fast Software Encryption conference on
March 28. I can send you some more details if needed.
Meanwhile, feel free to alert any one that you believe is concerned.
I am already sending this mail to the maintainers of Thunderbird,
Evolution, fetchmail, and mutt. KMail already seems to do enough checks
on the msg-id to avoid the attack.
Please CC me in any reply.
--
Ga&#235;tan LEURENT
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000884.html">[fetchmail-devel] Bug#413059: --sslcheck - non-existent option in the man page
</A></li>
<LI>Next message: <A HREF="000889.html">[fetchmail-devel] Security vulnerability in APOP authentication
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#887">[ date ]</a>
<a href="thread.html#887">[ thread ]</a>
<a href="subject.html#887">[ subject ]</a>
<a href="author.html#887">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://lists.berlios.de/mailman/listinfo/fetchmail-devel">More information about the fetchmail-devel
mailing list</a><br>
</body></html>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:[email protected]" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your
spelling and try again.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:[email protected]">webmaster</a>.
</p>
<h2>Error (none)</h2>
<address>
<a href="/">download.berlios.de</a><br />
<span>Wed May 21 22:24:15 2014<br />
Apache</span>
</address>
</body>
</html>
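Review bot: this file is an Apache "Object not found!" error page served by download.berlios.de and stamped Wed May 21 22:24:15 2014, which reads like the saved response of a failed download rather than project content. If it is part of this change, drop it from the commit, and check whether the file it was meant to be still needs fetching from the new location.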
......@@ -9,7 +9,7 @@ dnl Process this file with autoconf to produce a configure script.
dnl
dnl XXX - if bumping version here, check fetchmail.man, too!
AC_INIT([fetchmail],[6.3.26],[[email protected]])
AC_INIT([fetchmail],[6.3.27],[[email protected]])
AC_CONFIG_SRCDIR([fetchmail.h])
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_LIBOBJ_DIR([.])
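Review bot: the AC_INIT line bumps the version from 6.3.26 to 6.3.27 in a commit whose message only describes the berlios.de to sourceforge.net conversion and the re-signing, and the comment two lines above asks to check fetchmail.man when bumping here, yet no fetchmail.man hunk appears among the diffs shown. Either move the bump into its own commit or mention it in the commit message, and confirm fetchmail.man carries the same version.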
......
Mold Remover
Mold Remover is a short python script which integrates with fetchmail
<http://fetchmail.berlios.de/> and allows the user to specify the
<http://fetchmail.sourceforge.net/> and allows the user to specify the
number of days that mail should remain on the pop3 server before being
deleted.
......
......@@ -6,8 +6,8 @@
#
my $project = "fetchmail";
my $website = "http://developer.berlios.de/projects/$project";
my $mailfrom = "<$project-devel\@lists.berlios.de> (Fetchmail Development Team)";
my $website = "http://sourceforge.net/projects/$project";
my $mailfrom = "<$project-devel\@lists.sourceforge.net> (Fetchmail Development Team)";
my $distsufx = '.tar.bz2';
my $xzsufx = '.tar.xz';
......@@ -195,10 +195,6 @@ print "=== local\n";
system("cp", "autobuild/$project-$version$xzsufx", "autobuild/$project-$version$xzsufx.asc", "$ENV{HOME}/public_html/fetchmail/") and die "Cannot upload to \$HOME/public_html/fetchmail/: $!";
print "=== berlios\n";
system("lftp -e \"lcd autobuild ; mput $project-$version$distsufx $project-$version$distsufx.asc ; quit\" ftp.berlios.de:/incoming/") and warn "Upload to berlios failed: $!";
print "=== sourceforge \n";
system("rsync -acvHP autobuild/$project-$version$xzsufx autobuild/$project-$version$xzsufx.asc autobuild/README m-a\@frs.sourceforge.net:/home/frs/project/fetchmail/branch_6.3/");
unlink 'autobuild/README' or die "cannot unlink autobuild/README: $!";
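Review bot: with the berlios lftp upload removed, the rsync to frs.sourceforge.net is the only remote upload left, and its system() result is not checked, unlike the cp line above it which ends in "and die" and the removed lftp line which ended in "and warn". A failed upload of the tarball or its .asc would pass silently and the script would go on to unlink autobuild/README. Append an "and die" (or at least "and warn") with a message to the rsync call, and consider the list form of system() as used for cp so that $version is not passed through a shell.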
......
I maintain an open-source POP and IMAP client called fetchmail. It is
widely used in the Linux and open-source community, and is probably
the single most popular remote-mail client in that world. You can
find out more about this project at
<http://fetchmail.berlios.de/>.
find out more about this project at <http://fetchmail.sourceforge.net/>.
In order to be able to do thorough regression testing before each release,
I collect test accounts on as many different kinds of POP3, IMAP, and
......
......@@ -6,7 +6,7 @@ fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication
Topics: Authentication incapability in older fetchmail versions
Author: Matthias Andree
Version: 1.0
Version: 1.1
Announced: 2010-10-16
Impact: Denial of service
......@@ -29,6 +29,7 @@ Corrected: 2010-10-09 Git, required commit:
==================
2010-10-16 1.0 complete
2014-05-21 1.1 update BerliOS links
1. Background
......@@ -78,7 +79,7 @@ and all previous releases.
Install fetchmail release 6.3.18 or newer.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
Since the changes are non-trivial, 6.3.18 contains other unrelated
important fixes (such as applying timeout to the authentication phase,
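Review bot: the replacement for the "always available from" link is written with http://, while the release checklist changed in this same commit references https://sourceforge.net/. This line is where an advisory sends readers to fetch the fixed release, so if the files page is served over https, use that form here and in the other advisories that get the same replacement, since they are being re-signed anyway.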
......@@ -87,7 +88,7 @@ have been tested, no separate patch is made available.
For details on what else changed in release 6.3.18, please see the NEWS
file shipping with fetchmail 6.3.18, or its online copy at
<http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17957>.
<http://sourceforge.net/projects/fetchmail/files/branch_6.3/>
4. Workaround
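Review bot: on the line following "or its online copy at", the new target <http://sourceforge.net/projects/fetchmail/files/branch_6.3/> is a directory path rather than the 6.3.18 NEWS copy the sentence promises, and the period that closed the sentence in the old line is gone. Point the link at the NEWS file itself or reword the sentence to say the file is found under that directory, and restore the trailing ".".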
......@@ -125,7 +126,7 @@ Use the information herein at your own risk.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/YgsACgkQvmGDOQUufZWwQwCgvBxomOVufQuUh96nEq95Mnz4
5m8AoKkBIERmVh9MzN4aJBKbqRQX+2Hq
=GwOi
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWdAQCfYcPWZiMcEl9H2SXKf80eMktw
Wc8AoNt/rtXWGD/FpPvhlBSr95eO6PF1
=5MPV
-----END PGP SIGNATURE-----
......@@ -42,7 +42,7 @@ case you need the new option.</p>
<p>If you have a question or answer you think ought to be added to
this FAQ list, file it to one of the trackers at <a
href="http://developer.berlios.de/projects/fetchmail/">our BerliOS
href="http://sourceforge.net/projects/fetchmail/">our BerliOS
project site</a> or post to one of the fetchmail mailing lists (see
below).</p>
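Review bot: the href on the tracker link now points to sourceforge.net/projects/fetchmail/, but the anchor text right after it still reads "our BerliOS project site". Change the link text to name SourceForge so the FAQ does not send readers looking for a BerliOS tracker.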
......@@ -353,7 +353,7 @@ save us both time if you upgrade and test with <a href="#G2">the latest
<p>Bugs will be fixed, provided you include enough diagnostic information
for me to go on. Send bugs to <a
href="mailto:[email protected]berlios.de">fetchmail-users</a>.
href="mailto:[email protected]sourceforge.net">fetchmail-users</a>.
When sending bugs or asking for help, please <strong>do not make up
information except your password</strong> and please
<strong>report</strong> the following:</p>
......@@ -388,8 +388,8 @@ any suspicion that the bug was triggered by a particular message,
please include a copy of the message that triggered the bug.</p>
<p>If your bug is something that used to work but stopped working
when you upgraded, then you can help pin the bug down by trying <a
href="http://download.berlios.de/fetchmail/">intermediate versions
when you upgraded, then you can help pin the bug down by bisecting, i. e. trying <a
href="http://sourceforge.net/p/fetchmail/git/ci/legacy_63/tree/">intermediate versions
of fetchmail</a> until you identify the revision that broke your
feature. The smart way to do this is by binary search on the
version sequence. First, try the version halfway between your last
......@@ -489,20 +489,20 @@ spare time of developers permitting.</p>
tips?</a></h2>
<p>There is a fetchmail-users list
&lt;[email protected]berlios.de&gt;
&lt;[email protected]sourceforge.net&gt;
for bug reports and people who want to discuss configuration issues of
fetchmail. Please see <a href="#G3">G3 above for information you need to
report.</a> It's a Mailman list, see <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-users">http://lists.berlios.de/mailman/listinfo/fetchmail-users</a>
href="http://lists.sourceforge.net/mailman/listinfo/fetchmail-users">http://lists.sourceforge.net/mailman/listinfo/fetchmail-users</a>
for info and subscription.</p>
<p>There is a fetchmail-devel list
&lt;[email protected]berlios.de&gt; for people who want to discuss
&lt;[email protected]sourceforge.net&gt; for people who want to discuss
fixes and improvements in fetchmail and help co-develop it. It's a
Mailman list, which you can sign up for at <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-devel">http://lists.berlios.de/mailman/listinfo/fetchmail-devel</a>.</p>
href="http://lists.sourceforge.net/mailman/listinfo/fetchmail-devel">http://lists.sourceforge.net/mailman/listinfo/fetchmail-devel</a>.</p>
<p>There is also an announcements-only list,
&lt;[email protected]berlios.de&gt;, which you can sign up for at <a
href="http://lists.berlios.de/mailman/listinfo/fetchmail-announce">http://lists.berlios.de/mailman/listinfo/fetchmail-announce</a>.</p>
&lt;[email protected]sourceforge.net&gt;, which you can sign up for at <a
href="http://lists.sourceforge.net/mailman/listinfo/fetchmail-announce">http://lists.sourceforge.net/mailman/listinfo/fetchmail-announce</a>.</p>
<h2><a id="G7" name="G7">G7. So, what's this I hear about a
fetchmail paper?</a></h2>
......
......@@ -16,7 +16,7 @@ Danger: high: in sensitive configurations, a full system
(for 6.2.5.1: denial of service for the whole fetchmail
system is possible)
CVE Name: CVE-2005-2335
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2005-01.txt
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
......@@ -103,11 +103,11 @@ No reasonable workaround can be offered at this time.
Upgrade your fetchmail package to version 6.3.0 or newer.
<http://developer.berlios.de/project/showfiles.php?group_id=1824>
<http://sourceforge.net/projects/fetchmail/files/>
A. References
fetchmail home page: <http://fetchmail.berlios.de/>
fetchmail home page: <http://fetchmail.sourceforge.net/>
B. Copyright, License and Warranty
......@@ -134,7 +134,7 @@ END OF fetchmail-SA-2005-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVgGgCfer/s64xaU71GiAQ6bpu5Lrei
ysgAnj2MQhFOxIzzw7V9qyp095NotaOO
=uLfy
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWmcQCdGrMPh1DY+Uqi5gmRbL+uUsOd
BpQAn3pBsk4fCeMY61d2ltjcp+CXj8Bi
=WTmI
-----END PGP SIGNATURE-----
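Review bot: this advisory's text is changed and its signature replaced, but all three hunk headers for the file keep the line count unchanged (16,7 / 103,11 / 134,7), so no revision note was added, whereas fetchmail-EN-2010-03 in this same commit goes to Version 1.1 with the entry "2014-05-21 1.1 update BerliOS links". If this advisory carries a version or revision history, record the link update there as well, so that anyone holding the earlier signed text can see why the content and signature differ.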
......@@ -14,7 +14,7 @@ Danger: medium
Credits: Thomas Wolff, Miloslav Trmac for pointing out
that fetchmailconf 1.43.1 was also flawed
CVE Name: CVE-2005-3088
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2005-02.txt
Affects: fetchmail version 6.2.5.2
fetchmail version 6.2.5
......@@ -74,12 +74,12 @@ fetchmailconf has finished, you can restore your old umask.
Download and install fetchmail 6.3.0 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=6617>.
<http://sourceforge.net/projects/fetchmail/files/&release_id=6617>.
A. References
=============
fetchmail home page: <http://fetchmail.berlios.de/>
fetchmail home page: <http://fetchmail.sourceforge.net/>
B. Copyright, License and Warranty
==================================
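Review bot: the download link in section 4 became <http://sourceforge.net/projects/fetchmail/files/&release_id=6617>, which keeps the "&release_id=6617" parameter of the old showfiles.php URL glued onto a path with no query string. That is a leftover of the search and replace and yields a malformed link inside a signed advisory. Drop the "&release_id=6617" part so it matches the <http://sourceforge.net/projects/fetchmail/files/> form used in the other advisories.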
......@@ -107,7 +107,7 @@ END OF fetchmail-SA-2005-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWoPgCdG1P0n27En0VPMiY3+d0NSwfy
4rgAn037UM4pEf7E94HZQOmGUR//pM6q
=q8j6
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZUzEQCg4GOxtrGvWtdZG0NE99DMmPOY
Tb8AnixEWIjzEr7D/FYxK3Hj2nl6f+pG
=Dzx9
-----END PGP SIGNATURE-----
......@@ -15,10 +15,10 @@ Danger: low
Credits: Daniel Drake, Gentoo (bug report)
Sunil Shetye (bug fix)
CVE Name: CVE-2005-4348
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2005-03.txt
http://article.gmane.org/gmane.mail.fetchmail.user/7573
http://bugs.debian.org/343836
Project URL: http://fetchmail.berlios.de/
Project URL: http://fetchmail.sourceforge.net/
Affects: fetchmail version 6.2.5.4
fetchmail version 6.3.0
......@@ -79,7 +79,7 @@ For sites, where multidrop mode is required, no workaround is known.
Download and install fetchmail 6.3.1 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
The fix has also been backported to the 6.2.5.5 legacy release which is
available from the same site.
......@@ -125,7 +125,7 @@ END OF fetchmail-SA-2005-03.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWToACfZyLSqP8dWVIB6rX56d+Kr1sc
iXEAoNszsDwKI1O5lh7R70etYL9jAtiq
=Zz4j
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZVR6wCePBum0D/6j2Mmzc9eDttcckfu
100AoJoy6OdYYvUDCfEjjog+aAo72NXI
=L83l
-----END PGP SIGNATURE-----
......@@ -14,9 +14,9 @@ Impact: fetchmail crashes
Danger: low
Credits: Nathaniel W. Turner (bug report)
CVE Name: CVE-2006-0321
URL: http://fetchmail.berlios.de/fetchmail-SA-2006-01.txt
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2006-01.txt
http://bugs.debian.org/348747
Project URL: http://fetchmail.berlios.de/
Project URL: http://fetchmail.sourceforge.net/
Affects: fetchmail release >= 6.3.0
fetchmail release < 6.3.2
......@@ -74,7 +74,7 @@ None known at this time.
Download and install fetchmail 6.3.2 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
5. End of life announcement
......@@ -115,7 +115,7 @@ END OF fetchmail-SA-2006-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVnOgCfVyOBUSVgRSjBtqzjaLwKEg0K
30YAoJiFeNUcNBO3oKfq5rMdSEeNAfGP
=Gvze
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZUBxACdHYpE68rvXlETUZb+pwr7fJ2n
dF0An2yoLVhY7KUENyxhnN57aQ0Ro6BK
=66Zk
-----END PGP SIGNATURE-----
......@@ -14,8 +14,8 @@ Impact: fetchmail can expose cleartext password over unsecure link
Danger: medium
Credits: Isaac Wilcox (bug report, testing, collaboration on fix)
CVE Name: CVE-2006-5867
URL: http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
Project URL: http://fetchmail.berlios.de/
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2006-02.txt
Project URL: http://fetchmail.sourceforge.net/
Affects: fetchmail releases <= 6.3.5
fetchmail release candidates 6.3.6-rc1, -rc2, -rc3
......@@ -100,7 +100,7 @@ or equivalent in the run control file. This encrypts the whole session.
Download and install fetchmail 6.3.7 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
5. Acknowledgments
......@@ -138,7 +138,7 @@ END OF fetchmail-SA-2006-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVAlACglBU+3L80GdwXRplGD0jLEPYp
C8QAoJHEGU8xtgurUjt/mYiwz8u85vYY
=Io6N
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZU41wCfaHJrbV3wTOWIYY6ExBcmboy1
BC8AoOphRY3GVah+xgHg+mOjIPQ4eXeO
=wjDV
-----END PGP SIGNATURE-----
......@@ -13,8 +13,8 @@ Impact: fetchmail aborts prematurely
Danger: low
Credits: Neil Hoggarth (bug report and analysis)
CVE Name: CVE-2006-5974
URL: http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt
Project URL: http://fetchmail.berlios.de/
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2006-03.txt
Project URL: http://fetchmail.sourceforge.net/
Affects: fetchmail release = 6.3.5
fetchmail release candidates 6.3.6-rc1, -rc2
......@@ -63,7 +63,7 @@ Avoid the mda option and ship to a local SMTP or LMTP server instead.
Download and install fetchmail 6.3.6 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
......@@ -94,7 +94,7 @@ END OF fetchmail-SA-2006-03.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWnJACgxlN1s2Y3gO/Nap72VG7EaAyV
PAEAoKChr5sNMsU9k9LJeYvMYOua7IC1
=Vx/n
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZUF1wCgvRVApGvyCvrXg84xt4SLtHxe
v34AoObhRk3Q95bukkY2sAMunVkBkV1q
=IF8k
-----END PGP SIGNATURE-----
......@@ -13,8 +13,8 @@ Impact: password disclosure possible
Danger: low
Credits: Gaëtan Leurent
CVE Name: CVE-2007-1558
URL: http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
Project URL: http://fetchmail.berlios.de/
URL: http://fetchmail.sourceforge.net/fetchmail-SA-2007-01.txt
Project URL: http://fetchmail.sourceforge.net/
Affects: fetchmail release < 6.3.8
......@@ -76,7 +76,7 @@ C. If you must continue to use APOP without SSL/TLS, then install
fetchmail 6.3.8 or newer, as it is less susceptible to the attack by
validating the APOP challenge more strictly to make the attack
harder. The fetchmail 6.3.8 source code is available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
<http://sourceforge.net/projects/fetchmail/files/>.
A. Copyright, License and Warranty
......@@ -107,7 +107,7 @@ END OF fetchmail-SA-2007-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVn6wCgkC9pMA9HxXG6lgbgoixd73Tn
Cz4AoKG+qB47vhGdXSTDDXDFgMDrMJ24
=BKzz
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZXpcQCgxzyViEuWv9/kZ6aE8PvfeEev
8ZsAoLQCAZbK1MHuP/FLeviuVOeHRxO1
=FH2Q
-----END PGP SIGNATURE-----
......@@ -12,7 +12,7 @@ Type: NULL pointer dereference trigged by outside circumstances
Impact: denial of service possible
Danger: low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)
Credits: Earl Chew
CVE Name: CVE-2007-4565
URL: http://www.fetchmail.info/fetchmail-SA-2007-02.txt
......@@ -48,25 +48,25 @@ control) files for fetchmail.
2. Problem description and Impact
=================================
fetchmail will generate warning messages in certain circumstances and
send them to the local postmaster or the user starting it. Such warning
messages can be generated, for instance, if logging into an upstream
server fails repeatedly or if messages beyond the size limit (if
fetchmail will generate warning messages in certain circumstances and
send them to the local postmaster or the user starting it. Such warning
messages can be generated, for instance, if logging into an upstream
server fails repeatedly or if messages beyond the size limit (if
configured, default: no limit) are left on the server.
If this warning message is then refused by the SMTP listener that
fetchmail is forwarding the message to, fetchmail attempts to
dereference a NULL pointer when trying to find out if it should allow a
If this warning message is then refused by the SMTP listener that
fetchmail is forwarding the message to, fetchmail attempts to
dereference a NULL pointer when trying to find out if it should allow a
bounce message to be sent.
This causes fetchmail to crash and not collect further messages until it
This causes fetchmail to crash and not collect further messages until it
is restarted.
Risk assessment: low. In default configuration, fetchmail will talk
through the loopback interface, that means to the SMTP server on the same
computer as it is running on. Otherwise, it will commonly be configured
to talk to trusted SMTP servers, so a compromise or misconfiguration of
a trusted or the same computer is required to exploit this problem -
Risk assessment: low. In default configuration, fetchmail will talk
through the loopback interface, that means to the SMTP server on the same
computer as it is running on. Otherwise, it will commonly be configured
to talk to trusted SMTP servers, so a compromise or misconfiguration of
a trusted or the same computer is required to exploit this problem -
which usually opens up much easier ways of denying service, or worse.
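Review bot: every old/new line pair in this hunk, from "fetchmail will generate warning messages" through the risk assessment paragraph, is textually identical as shown, so the change appears to be whitespace only and unrelated to the link conversion. In a clearsigned advisory this churn makes it harder to confirm that the re-signed text differs from the previous version only in its URLs. Leave these lines untouched here, or put the whitespace cleanup in a separate commit.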
......@@ -78,11 +78,11 @@ There are two alternatives, either of them by itself is sufficient:
a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
recompile and reinstall it.
b. Install fetchmail 6.3.9 or newer when it becomes available. The
fetchmail source code is available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
b. Install fetchmail 6.3.9 or newer when it becomes available. The
fetchmail source code is available from
<http://sourceforge.net/projects/fetchmail/files/>.
Note there are no workarounds presented here since all known workarounds
Note there are no workarounds presented here since all known workarounds
are more intrusive than the actual solution.
......@@ -119,7 +119,7 @@ Index: sink.c
+++ sink.c (revision 5119)
@@ -262,7 +262,7 @@
const char *md1 = "MAILER-DAEMON", *md2 = "[email protected]";
/* don't bounce in reply to undeliverable bounces */
- - if (!msg->return_path[0] ||
+ if (!msg || !msg->return_path[0] ||
......@@ -131,7 +131,7 @@ END OF fetchmail-SA-2007-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZWWKwCfX4Ri89SzzUcXYxughs1CdnAk
Z6IAniD4DzayVUR6UxA5K1OqX1CUDOhM
=+YME
iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWetACggVJsyo1c2oL/Fjqi9Z/myw6j
6eMAmgLJS8tWjBE7C5gdW3TLRQTUeFU8
=9cUO
-----END PGP SIGNATURE-----