Yellow Dog Linux Security Advisory: YDU-20020522-2

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Wed, 22 May 2002 16:09:21 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	fetchmail	
Issue Date: 	May 22, 2002	
Priority:	high		
Advisory ID: 	YDU-20020522-2


1. 	Topic:

	Updated fetchmail packages are available.


2. 	Problem:

	Updated packages are available which close a
	remotely-exploitable vulnerability in unpatched versions of
	fetchmail prior to 5.9.10.

	"When retrieving mail from an IMAP server, the fetchmail e-mail
	client will allocate an array to store the sizes of the messages
	which it will attempt to fetch. The size of the array is
	determined by the number of messages that the server claims to
	have. Unpatched versions of fetchmail prior to 5.9.10 did not check
	whether the number of e-mails the server claimed was too high, allowing
	a malicious server to cause the fetchmail process to write data outside
	of the array bounds.

	Users of fetchmail are advised to upgrade to this errata package which is
	not vulnerable to this issue.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2002-0146 to this issue."
	(from Red Hat advisory)
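	The write the quoted text describes, as an added illustration in C
	(this is not fetchmail's source and not the patch shipped in 5.9.10):
	a fetchmail-like client sizes an array from the count in the server's
	EXISTS response and then stores each RFC822.SIZE it is sent at the
	reported message number. The response lines, the MAX_MESSAGES cap and
	every function name are constructed for this example. The hardened
	version checks both the announced count before allocating and each
	message number against that count; the advisory does not say which
	of the two checks the upstream fix added, so treat the hardened shape
	as one reasonable fix rather than the upstream diff.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sanity cap on the message count a server may announce. Assumed for this
 * example; it is not a constant from fetchmail. */
#define MAX_MESSAGES 100000L

/* Constructed IMAP response fragments, not captured traffic. */
static const char *const BENIGN[] = {
    "* 2 EXISTS",
    "* 1 FETCH (RFC822.SIZE 1200)",
    "* 2 FETCH (RFC822.SIZE 340)",
};
/* Announces 2 messages, then reports a size for message 3. */
static const char *const OVERRUN[] = {
    "* 2 EXISTS",
    "* 1 FETCH (RFC822.SIZE 1200)",
    "* 3 FETCH (RFC822.SIZE 99)",
};
/* Announces an absurd mailbox size. */
static const char *const HUGE[] = { "* 2147483647 EXISTS" };

/* "* <N> EXISTS" -> N; returns 1 on success. */
static int parse_exists(const char *line, long *count)
{
    char word[8];
    if (sscanf(line, "* %ld %7s", count, word) != 2)
        return 0;
    return strcmp(word, "EXISTS") == 0;
}

/* "* <n> FETCH (RFC822.SIZE <m>)" -> n, m; returns 1 on success. */
static int parse_fetch_size(const char *line, long *msgno, long *size)
{
    return sscanf(line, "* %ld FETCH (RFC822.SIZE %ld)", msgno, size) == 2;
}

/* Vulnerable shape: size sizes[] from the announced count, then store each
 * reported size at sizes[msgno-1] without checking msgno against count.
 * Fed OVERRUN, the last store lands one element past the heap array
 * (AddressSanitizer reports heap-buffer-overflow). Caller frees the result. */
long *getsizes_vulnerable(const char *const *lines, int nlines, long *count_out)
{
    long count, msgno, size, *sizes;
    int i;

    if (nlines < 1 || !parse_exists(lines[0], &count))
        return NULL;
    sizes = calloc((size_t)(count > 0 ? count : 1), sizeof *sizes); /* count unchecked */
    if (!sizes)
        return NULL;
    for (i = 1; i < nlines; i++)
        if (parse_fetch_size(lines[i], &msgno, &size))
            sizes[msgno - 1] = size;                 /* index unchecked */
    *count_out = count;
    return sizes;
}

/* Hardened shape: refuse an implausible count before allocating, and treat
 * a message number outside [1, count] as a hostile server rather than as an
 * index. Returns NULL when the responses are rejected. */
long *getsizes_hardened(const char *const *lines, int nlines, long *count_out)
{
    long count, msgno, size, *sizes;
    int i;

    if (nlines < 1 || !parse_exists(lines[0], &count))
        return NULL;
    if (count < 0 || count > MAX_MESSAGES)
        return NULL;
    sizes = calloc((size_t)(count > 0 ? count : 1), sizeof *sizes);
    if (!sizes)
        return NULL;
    for (i = 1; i < nlines; i++) {
        if (!parse_fetch_size(lines[i], &msgno, &size))
            continue;
        if (msgno < 1 || msgno > count || size < 0) {
            free(sizes);
            return NULL;
        }
        sizes[msgno - 1] = size;
    }
    *count_out = count;
    return sizes;
}

/* Sum of the sizes a getsizes routine accepted, or -1 if it returned NULL. */
static long total_of(long *(*fn)(const char *const *, int, long *),
                     const char *const *lines, int nlines)
{
    long count, total = 0, i, *sizes = fn(lines, nlines, &count);
    if (!sizes)
        return -1;
    for (i = 0; i < count; i++)
        total += sizes[i];
    free(sizes);
    return total;
}

long hardened_total(const char *const *lines, int nlines)
{
    return total_of(getsizes_hardened, lines, nlines);
}

long vulnerable_total(const char *const *lines, int nlines)
{
    return total_of(getsizes_vulnerable, lines, nlines);
}

int main(void)
{
    printf("benign : %ld\n", hardened_total(BENIGN, 3));   /* 1540 */
    printf("overrun: %ld\n", hardened_total(OVERRUN, 3));  /* -1 */
    printf("huge   : %ld\n", hardened_total(HUGE, 1));     /* -1 */
    return 0;
}
```

	Building with -fsanitize=address and calling vulnerable_total(OVERRUN, 3)
	shows the heap-buffer-overflow the text refers to; the hardened routine
	rejects the same input without touching memory outside the array.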


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command will
   	automatically retrieve and install the fixed packages
   	onto your system:

		yup update fetchmail 

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm commands that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
		rpm -Fvh fetchmail-5.9.0-11.ppc.rpm
		rpm -Fvh fetchmailconf-5.9.0-11.ppc.rpm	

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
a28f0d4933a6e3db9a35fb25f9a0db84  ppc/fetchmail-5.9.0-11.ppc.rpm
ca62d091151ced4d1ab965a72f132dd1  ppc/fetchmailconf-5.9.0-11.ppc.rpm
9a6a507ff94fae0f357bb4f706721682  SRPMS/fetchmail-5.9.0-11.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename

Note that --nogpg skips the GPG signature check, so rpm is only validating the
digest stored in the package header; that catches a download corrupted in transit
but not a package rebuilt by someone else. To check against this advisory, compute
the md5 of the downloaded file yourself and compare it with the table above before
running rpm -Fvh.


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/
for more information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml