On Fri, Aug 03, 2001 at 04:45:54AM +0200, antirez wrote:
> Hi all,
> Fetchmail has two security problems that an evil
> server can use to run arbitrary code. I tested
> it with fetchmail 5.8.15 and prior versions. DNS
> forgery can help to exploit this problem without
> really being in the server, so it's better to fix
> it ASAP. I can't release an advisory on bugtraq
> before you fix it and release a new version, so
> please contact me to get more information about
> the issue.
> I'll send a technical description of the problem
> on public lists (bugtraq) after 5 days without
> a response from the fetchmail developers.

Consider this a response, since you didn't provide any
real information to respond to...

Please send details to Eric Raymond <esr(_at_)thyrsus(_dot_)com>.

If you like, I'm a security investigator and I did the SSL
patches to fetchmail. I would like to see the details as well. If
they are not related to the SSL areas of fetchmail, I may not be
involved in the fixes, but Eric certainly will be.

> regards,
> antirez
> --
> Salvatore Sanfilippo <antirez(_at_)invece(_dot_)org>
> http://www.kyuzz.org/antirez
> finger antirez(_at_)tella(_dot_)alicom(_dot_)com for PGP key
> 28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF

Regards,
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw(_at_)WittsEnd(_dot_)com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!