Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 16 Jun 2008 09:42:00 +0200
From: Matthias Andree <matthias.andree@....de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Id Request: fetchmail <= 6.3.8 DoS when
	logging long headers in -v -v mode

On Sun, 15 Jun 2008, Robert Buchholz wrote:

> Hi Matthias,
> 
> On Friday 13 June 2008, Matthias Andree wrote:
> > Affects:        fetchmail release < 6.3.9 exclusively
> >
> > Not affected:   fetchmail release 6.3.9 and newer
> >                 systems without varargs (stdargs.h) support.
> >
> > Corrected:      2008-06-13 fetchmail SVN (rev XXX)
> 
> Is there an ETA for the 6.3.9 release? The last advisory in 2007-09 also 
> recommended to upgrade to this still unreleased version.

You're right, but I'm sorry to say there is no estimated release date -
it's "as soon as it's ready", and the official patches are part of the
advisories, taken from the SVN repository - and beyond that are what
distributors usually ask for. fetchmail is, in spite of its widespread
use, effectively a one-man spare-time show.

Impeding the 6.3.9 release, there are some nasty bugs that aren't
security relevant which are pending the fix, but are hard to debug.

-- 
Matthias Andree

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.