oss-security - Re: CVE Id Request: fetchmail <= 6.3.8 DoS when logging long headers in -v -v mode

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 16 Jun 2008 09:42:00 +0200
From: Matthias Andree <matthias.andree@....de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Id Request: fetchmail <= 6.3.8 DoS when
	logging long headers in -v -v mode

On Sun, 15 Jun 2008, Robert Buchholz wrote:

> Hi Matthias,
> 
> On Friday 13 June 2008, Matthias Andree wrote:
> > Affects:        fetchmail release < 6.3.9 exclusively
> >
> > Not affected:   fetchmail release 6.3.9 and newer
> >                 systems without varargs (stdargs.h) support.
> >
> > Corrected:      2008-06-13 fetchmail SVN (rev XXX)
> 
> Is there an ETA for the 6.3.9 release? The last advisory in 2007-09 also 
> recommended to upgrade to this still unreleased version.

You're right, but I'm sorry to say there is no estimated release date -
it's "as soon as it's ready", and the official patches are part of the
advisories, taken from the SVN repository - and beyond that are what
distributors usually ask for. fetchmail is, in spite of its widespread
use, effectively a one-man spare-time show.

Impeding the 6.3.9 release, there are some nasty bugs that aren't
security relevant which are pending the fix, but are hard to debug.

-- 
Matthias Andree

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.