[Bug 257480] mail/fetchmail: security update to 6.4.20
Date: Wed, 28 Jul 2021 21:47:11 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257480

            Bug ID: 257480
           Summary: mail/fetchmail: security update to 6.4.20
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: mandree@FreeBSD.org
                CC: chalpin@cs.wisc.edu
             Flags: maintainer-feedback?(chalpin@cs.wisc.edu)
             Flags: merge-quarterly?

Created attachment 226760
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=226760&action=edit
/usr/ports update to take fetchmail to v6.4.20

Hi Corey,

please review and if possible approve of the attached port update to fetchmail
v6.4.20 to address a security vulnerability in some configurations.

vuxml entry already committed (not yet rendered):
https://cgit.freebsd.org/ports/commit/?id=b913df304c485ba61fc981f7e633b96d4b3ea492

release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:

* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on many
  factors around the compiler and operating system configurations used and the
  implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386. Reported by Christian Herdtweck of
  Intra2net AG, Tübingen, Germany.
---------------------------------------------------------------------------------

--
You are receiving this mail because:
You are the assignee for the bug.
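The release note above describes the defect class behind CVE-2021-38386: a va_list that has already been consumed by vsnprintf() is indeterminate, so re-running vsnprintf() on it after a buffer reallocation reads whatever happens to be on the stack. The following C example is added here and is not fetchmail's code; the function names (log_format_vargs, log_format, check_long_message) and the 64-byte initial buffer are assumptions made for the demonstration. It shows the correct pattern for a growing log formatter: take a va_copy() of the caller's va_list before every formatting attempt and va_end() it afterwards, so the retry after realloc() never reuses a consumed list.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small initial capacity so that a long message (constructed
 * below, in the >2 kByte size class the advisory mentions) forces the
 * reallocation-and-retry path where the original bug lived. */
#define LOG_INITIAL_CAP 64

/* Hypothetical helper: format fmt/ap into a heap buffer, growing it as needed.
 * Each vsnprintf() call gets a fresh va_copy() of ap, because a va_list that
 * has been passed through vsnprintf() must not be used again without a new
 * va_start()/va_copy(). The caller frees the returned string.
 * Returns NULL on allocation or encoding error. */
char *log_format_vargs(const char *fmt, va_list ap)
{
    size_t cap = LOG_INITIAL_CAP;
    char *buf = malloc(cap);
    if (!buf) return NULL;

    for (;;) {
        va_list ap_copy;
        va_copy(ap_copy, ap);                 /* fresh copy for this attempt */
        int n = vsnprintf(buf, cap, fmt, ap_copy);
        va_end(ap_copy);

        if (n < 0) { free(buf); return NULL; }    /* encoding error */
        if ((size_t)n < cap) return buf;          /* fit, NUL included */

        /* Did not fit: grow to exactly the size vsnprintf() reported and
         * retry; the next iteration makes a new va_copy(), not a reuse. */
        size_t need = (size_t)n + 1;
        char *grown = realloc(buf, need);
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        cap = need;
    }
}

/* Variadic front end, the shape a log/report function usually has. */
char *log_format(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = log_format_vargs(fmt, ap);
    va_end(ap);
    return s;
}

/* Constructed check: a header-like payload of 2999 'x' bytes, well over the
 * c. 2 kByte threshold. Returns 1 if the output has the expected prefix,
 * length and tail (i.e. no garbage was formatted on the retry), else 0. */
int check_long_message(void)
{
    char longhdr[3000];
    memset(longhdr, 'x', sizeof longhdr - 1);
    longhdr[sizeof longhdr - 1] = '\0';

    char *msg = log_format("reading message %d: %s", 42, longhdr);
    if (!msg) return 0;

    const char *prefix = "reading message 42: ";    /* 20 bytes */
    size_t len = strlen(msg);
    int ok = len == strlen(prefix) + 2999
          && strncmp(msg, prefix, strlen(prefix)) == 0
          && msg[len - 1] == 'x';
    free(msg);
    return ok;
}

int main(void)
{
    int ok = check_long_message();
    printf("long message formatted correctly after realloc retry: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The defensive takeaway for reviewing similar code: any loop that calls vsnprintf() more than once on the same arguments must either va_copy() per attempt (as here) or call va_start() again before each retry; an ad hoc check is to grep for vsnprintf() inside a realloc loop and confirm a va_copy()/va_end() pair surrounds each call.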