Hi all,
Fetchmail has two security problems that an evil
server can use to run arbitrary code. I tested
it with fetchmail 5.8.15 and prior versions. DNS
forgery can help to exploit this problem without
really being in the server, so it's better to fix
it ASAP. I can't release an advisory on bugtraq
before you fix it and release a new version, so
please contact me to get more information about
the issue.
I'll send a technical description of the problem
on public lists (bugtraq) after 5 days without
a response from the fetchmail developers.
regards,
antirez
--
Salvatore Sanfilippo <antirez(_at_)invece(_dot_)org>
http://www.kyuzz.org/antirez
finger antirez(_at_)tella(_dot_)alicom(_dot_)com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF