[SECURITY] [DSA 216-1] New fetchmail packages fix buffer overflow

2002-12-24 Thread Martin Schulze

--------------------------------------------------------------------------
Debian Security Advisory DSA 216-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 24th, 2002                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : fetchmail
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1365 (confirmed)

Stefan Esser of e-matters discovered a buffer overflow in fetchmail,
an SSL enabled POP3, APOP and IMAP mail gatherer/forwarder.  When
fetchmail retrieves a mail, all headers that contain addresses are
searched for local addresses.  If a hostname is missing, fetchmail
appends it but doesn't reserve enough space for it.  This heap
overflow can be used by remote attackers to crash fetchmail or to
execute arbitrary code with the privileges of the user running it.
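The bug class the advisory describes, reduced to its essentials as an added illustration (this is not fetchmail's code, and the function names, the sample addresses and the hostname "example.org" are constructed for the example): a buffer is sized for the address as it appears in the header, while the code later appends "@hostname" when the address carries no domain. The naive size and the size actually needed are computed side by side, so it is visible which inputs would overrun, and the hardened form computes the full length first and appends with a bounded write.

```c
/* Added illustration of the bug class in DSA 216-1; this is NOT fetchmail's
 * code.  The function names, the sample addresses and the hostname
 * "example.org" are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The size a naive implementation reserves: the address as found in the
 * header plus its terminating NUL.  It ignores that "@hostname" may still
 * be appended later. */
size_t bare_len(const char *addr)
{
    return strlen(addr) + 1;
}

/* The size actually needed once a missing hostname has been appended. */
size_t qualified_len(const char *addr, const char *host)
{
    size_t n = strlen(addr) + 1;              /* address + NUL */
    if (strchr(addr, '@') == NULL)
        n += 1 + strlen(host);                /* "@" + hostname */
    return n;
}

/* 1 when a buffer sized by bare_len() would be overrun by the append,
 * 0 otherwise: every address without a domain triggers it. */
int undersized(const char *addr, const char *host)
{
    return bare_len(addr) < qualified_len(addr, host);
}

/* Hardened form: compute the full length first, allocate exactly that, and
 * build the result with a bounded write.  Returns a malloc'd string (the
 * caller frees it) or NULL on allocation failure. */
char *qualify_address(const char *addr, const char *host)
{
    size_t n = qualified_len(addr, host);
    char *out = malloc(n);
    if (out == NULL)
        return NULL;
    if (strchr(addr, '@') == NULL)
        snprintf(out, n, "%s@%s", addr, host);   /* bounded by n */
    else
        snprintf(out, n, "%s", addr);            /* already qualified */
    return out;
}

/* Check helper: qualify addr and compare with the expected result. */
int qualify_matches(const char *addr, const char *host, const char *expected)
{
    char *got = qualify_address(addr, host);
    int ok = (got != NULL) && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed header addresses: one without a domain, one with. */
    const char *host = "example.org";
    const char *samples[] = { "postmaster", "user@example.org" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *q = qualify_address(samples[i], host);
        printf("%-20s naive=%zu needed=%zu overrun=%s -> %s\n",
               samples[i], bare_len(samples[i]),
               qualified_len(samples[i], host),
               undersized(samples[i], host) ? "yes" : "no",
               q ? q : "(alloc failed)");
        free(q);
    }
    return 0;
}
```

The point of the side-by-side sizes is that the overrun is not a corner case: any sender who omits the domain in an address header drives it, and the amount by which the buffer is too small is the attacker-independent length of the local hostname plus one.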

For the current stable distribution (woody) this problem has been
fixed in version 5.9.11-6.2 of fetchmail and fetchmail-ssl.

For the old stable distribution (potato) this problem has been fixed
in version 5.3.3-4.3.

For the current unstable distribution (sid) this problem has been
fixed in version 6.2.0-1 of fetchmail and fetchmail-ssl.

We recommend that you upgrade your fetchmail packages.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
---------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.dsc
  Size/MD5 checksum:      566 a1903624c0ec3bd32511423932643072

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3.diff.gz
  Size/MD5 checksum:    27949 ba53d0ca7f33019f8aa377359adf1212

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3.orig.tar.gz
  Size/MD5 checksum:   755731 d2cffc4594ec2d36db6681b800f25e2a

  Architecture independent components:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.3.3-4.3_all.deb
  Size/MD5 checksum:    63344 eeb78fb002b7cec35d21f782123638c5

  Alpha architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_alpha.deb
  Size/MD5 checksum:   371692 f59ce881bc67072165a43c935d1c555b

  ARM architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_arm.deb
  Size/MD5 checksum:   349562 7f3512eed908f266268a5c92be1d2fd8

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_i386.deb
  Size/MD5 checksum:   342328 51380d2821f2837a7aaf3f14850fce83

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_m68k.deb
  Size/MD5 checksum:   336626 0fc917ae77fae36202be9db505de495e

  PowerPC architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_powerpc.deb
  Size/MD5 checksum:   350320 e3d5dbe15acefa05a6c7cbfdada1bf2a

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.3.3-4.3_sparc.deb
  Size/MD5 checksum:   328084 1f5bc0689d1c1c86f81d022a53e9cff9


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.dsc
  Size/MD5 checksum:      712 7dd3621fe339460971cc328484b0e279

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11-6.2.diff.gz
  Size/MD5 checksum:   300336 7503a6bbf5020b118c0061586e16822a

http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_5.9.11.orig.tar.gz
  Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd


http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.dsc
  Size/MD5 checksum:      707 69a8e2fa290af062b9740943d26df507

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11-6.2.diff.gz
  Size/MD5 checksum:   296112 e4ecdeddc8bffa9a54f386ab449485fe

http://security.debian.org/pool/updates/main/f/fetchmail-ssl/fetchmail-ssl_5.9.11.orig.tar.gz
  Size/MD5 checksum:   950273 fff00cbf7be1d01a17605fee23ac96dd

  Architecture independent components:


http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.2_all.deb
  Size/MD5 checksum:   165338 fd022003903f569d077e36faf5ad2a21


binding samba to specific interface...

2002-12-24 Thread Kaddik
Is it possible to specify the interface that samba should listen on?
Am I missing something, or is packet-dropping in iptables the
only method? I'm using woody with a 2.4.18 kernel.

/Oerjan


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: binding samba to specific interface...

2002-12-24 Thread Rolf Kutz
* Quoting Kaddik ([EMAIL PROTECTED]):

> Is it possible to specify the interface that samba should listen on?
> Am I missing something, or is packet-dropping in iptables the
> only method? I'm using woody with a 2.4.18 kernel.

'bind interfaces only' in smb.conf

But you should do source checking with iptables.

- rk

-- 
Ahahahahaha! Ahahahaha! Aahahaha!
BEWARE!
Yrs sincerely
The Opera Ghost


Re: Pop mail virtual user security [LONG]

2002-12-24 Thread Tim van Erven
On Sat, 07/12/2002 06:54 +0100, Tim van Erven wrote:
> Inspired by a recent thread on this list I decided to set up a
> mailserver with pop3 access over ssl.

I've written a simple perl script to add users to my popa3d config. It's
available[1] if anyone thinks they have any use for it.

Tim

PS. Sorry for bringing up this old thread again.

1. http://gene.wins.uva.nl/~talerven/software/

-- 
Tim van Erven [EMAIL PROTECTED]
OpenPGP Key ID: 712CB811   Fingerprint: F6C9 61EE 242C C012 36D5
                                        BBF8 6310 D557 712C B811


Re: binding samba to specific interface...

2002-12-24 Thread Mike Hommey
On Wednesday 25 December 2002 00:40, Kaddik wrote:
> Is it possible to specify the interface that samba should listen on?
> Am I missing something, or is packet-dropping in iptables the
> only method? I'm using woody with a 2.4.18 kernel.
>
> /Oerjan

add
        socket address = your.interface.ip.address
to your smb.conf

-- 
Mike Hommey [EMAIL PROTECTED]
I believe in the moment, and if there is no moment at that moment, you
have to reach that moment at the moment you want. -- Jean-Claude Vandamme


