Security Update: [CSSA-2001-022.0] buffer overflow in fetchmail

From: Support Info (supinfoat_private)
Date: Fri Jun 22 2001 - 12:53:41 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ______________________________________________________________________________
                       Caldera International, Inc.  Security Advisory
    
    Subject:            buffer overflow in fetchmail
    Advisory number:    CSSA-2001-022.0
    Issue date:         2001 June 20
    Cross reference:
    ______________________________________________________________________________
    
    
    1. Problem Description
    
       Earlier versions of fetchmail contain buffer overflows in the code
       that handles mail messages with very long header fields.
    
       This hole could, at least in theory, be exploited remotely: because
       fetchmail parses every message it retrieves, an attacker only has to
       send the victim a message carrying such a header.
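
       The bug class the advisory names, as an added illustration and not code
       from fetchmail or Caldera: a header value copied into a fixed-size buffer
       with no length check, shown beside the bounded copy that fixes it. The
       record layout, the field names (`from`, `keep_on_server`), the sample
       message and the helper `find_header` are all constructed for this
       example; the 35-byte From: value is chosen so that the unchecked copy
       overruns the 32-byte buffer by exactly enough to rewrite the
       neighbouring field without leaving the struct.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the bug class in the advisory: an undersized
 * buffer for a header field. NOT fetchmail's code or data layout; the int is
 * placed after the buffer so the effect of the overflow is observable. */
struct mail_record {
    char from[32];        /* fixed-size buffer for the From: value */
    int  keep_on_server;  /* neighbouring state an overflow of from[] rewrites */
};

/* Constructed sample message. The From: value is 35 bytes, three more than
 * the buffer holds, so the unchecked copy (35 bytes + NUL) runs to the end
 * of the struct and lands in keep_on_server. */
static const char SAMPLE_MSG[] =
    "Received: from mx.example.net\r\n"
    "From: " "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAA" "\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n";

/* Minimal header lookup: return a pointer to the value of header `name`
 * (leading blanks skipped) and set *len, or return NULL. Case-sensitive,
 * no folded-line handling, stops at the blank line ending the headers. */
const char *find_header(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = msg;
    while (*line && *line != '\n' && !(line[0] == '\r' && line[1] == '\n')) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1, *end = line + llen;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;
            if (end > v && end[-1] == '\r')
                end--;
            *len = (size_t)(end - v);
            return v;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return NULL;
}

/* Vulnerable pattern: the value is copied into the fixed buffer with no
 * check against its size; once len >= sizeof rec->from the writes go past
 * the array into whatever follows it. */
void store_from_unchecked(struct mail_record *rec, const char *v, size_t len)
{
    char *d = rec->from;
    size_t i;
    for (i = 0; i < len; i++)
        d[i] = v[i];
    d[len] = '\0';
}

/* Hardened form: bound the copy by the destination size, always terminate,
 * and report truncation so the caller can log or reject the message. */
int store_from_bounded(struct mail_record *rec, const char *v, size_t len)
{
    size_t cap = sizeof rec->from - 1;
    size_t n = len < cap ? len : cap;
    memcpy(rec->from, v, n);
    rec->from[n] = '\0';
    return len > cap;   /* 1 when the value did not fit */
}

/* Over-long header through the unchecked copy: returns 1 if the flag next
 * to the buffer changed (it receives 'A','A','A','\0'). */
int demo_unchecked_clobbers_flag(void)
{
    struct mail_record rec;
    size_t len;
    const char *v = find_header(SAMPLE_MSG, "From", &len);
    if (!v)
        return -1;
    memset(&rec, 0, sizeof rec);   /* keep_on_server = 0: delete after fetch */
    store_from_unchecked(&rec, v, len);
    return rec.keep_on_server != 0;
}

/* Same input through the bounded copy: returns 1 if the value was reported
 * truncated, the flag is untouched and from[] holds exactly 31 characters. */
int demo_bounded_preserves_flag(void)
{
    struct mail_record rec;
    size_t len;
    int truncated;
    const char *v = find_header(SAMPLE_MSG, "From", &len);
    if (!v)
        return -1;
    memset(&rec, 0, sizeof rec);
    truncated = store_from_bounded(&rec, v, len);
    return truncated && rec.keep_on_server == 0
        && strlen(rec.from) == sizeof rec.from - 1;
}
```

       What to do with a truncated value (log it, reject the message, or
       allocate per header) is a policy choice; the mechanical fix is that the
       destination size, never the attacker-controlled source length, bounds
       the write.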
    
    2. Vulnerable Versions
    
       System                       Package
       -----------------------------------------------------------
       OpenLinux 2.3                All packages previous to
                                    fetchmail-5.0.4-1
    
       OpenLinux eServer 2.3.1      All packages previous to
       and OpenLinux eBuilder       fetchmail-5.0.4-1
    
       OpenLinux eDesktop 2.4       All packages previous to
                                    fetchmail-5.2.0-2
    
    3. Solution
    
       Workaround
    
          none
    
       The proper solution is to upgrade to the latest packages.
    
    4. OpenLinux 2.3
    
       4.1 Location of Fixed Packages
    
           The upgrade packages can be found on Caldera's FTP site at:
    
           ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS/
    
           The corresponding source code package can be found at:
    
           ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
       
       4.2 Verification
    
           MD5 checksums of the fixed packages; compare each downloaded file
           against these with md5sum before installing it:
    
           62bbe7566a6eea7df05542c41f8024a9  RPMS/fetchmail-5.0.4-1.i386.rpm
           05f3db8ec0bb7178d123af4e9761eee5  SRPMS/fetchmail-5.0.4-1.src.rpm
    
       4.3 Installing Fixed Packages
    
           Upgrade the affected packages with the following commands:
    
              rpm -Fvh fetchmail*i386.rpm
    
    5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
    
       5.1 Location of Fixed Packages
    
           The upgrade packages can be found on Caldera's FTP site at:
    
           ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS/
    
           The corresponding source code package can be found at:
    
           ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
    
       5.2 Verification
    
           bf8ed2912bdd5a0c6f5e5d50db552c29  RPMS/fetchmail-5.0.4-1.i386.rpm
           05f3db8ec0bb7178d123af4e9761eee5  SRPMS/fetchmail-5.0.4-1.src.rpm
    
       5.3 Installing Fixed Packages
    
           Upgrade the affected packages with the following commands:
    
              rpm -Fvh fetchmail*i386.rpm
    
    6. OpenLinux eDesktop 2.4
    
       6.1 Location of Fixed Packages
    
           The upgrade packages can be found on Caldera's FTP site at:
    
           ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS/
    
           The corresponding source code package can be found at:
    
           ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
    
       6.2 Verification
    
           2d278844840df47146795ae11e638493  RPMS/fetchmail-5.2.0-2.i386.rpm
           85c4c3f805db47041681665f8beb3986  SRPMS/fetchmail-5.2.0-2.src.rpm
    
       6.3 Installing Fixed Packages
    
           Upgrade the affected packages with the following commands:
    
               rpm -Fvh fetchmail*i386.rpm
    
    7. References
    
       This and other Caldera security resources are located at:
    
       http://www.caldera.com/support/security/index.html
    
       This security fix closes Caldera's internal Problem Report 10115.
    
    8. Disclaimer
    
       Caldera International, Inc. is not responsible for the misuse of
       any of the information we provide on this website and/or through our
       security advisories. Our advisories are a service to our customers
       intended to promote secure installation and use of Caldera OpenLinux.
    ______________________________________________________________________________
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE7MK8o18sy83A/qfwRAqdNAJ9gjO/Is2CkANmQ4SWQ4lq+lWok5gCgoVPh
    acKdO2CLkZzICeYQKNcK30s=
    =W/if
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 19:01:45 PDT