Please review: New vuln.xml entry for ports/mail/fetchmail
Simon Barner
barner at FreeBSD.org
Sun Oct 30 19:46:15 UTC 2005
Dear doc@,
could you please review the attached patch?
--
Best regards / Viele Grüße, barner at FreeBSD.org
Simon Barner barner at gmx.de
-------------- next part --------------
Index: vuln.xml
===================================================================
RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v
retrieving revision 1.868
diff -u -r1.868 vuln.xml
--- vuln.xml 27 Oct 2005 19:40:24 -0000 1.868
+++ vuln.xml 30 Oct 2005 19:47:37 -0000
@@ -34,6 +34,36 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="baf74e0b-497a-11da-a4f4-0060084a00e5">
+ <topic>fetchmailconf -- password exposure through insecure file creation</topic>
+ <affects>
+ <package>
+ <name>fetchmail</name>
+ <range><lt>6.2.5.2_1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>From the fetchmail home page:</p>
+ <blockquote cite="http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt">
+ <p>The fetchmailconf program before and excluding version 1.49 opened the
+ run control file, wrote the configuration to it, and only then changed
+ the mode to 0600 (rw-------). Writing the file, which usually contains
+ passwords, before making it unreadable to other users, can expose
+ sensitive password information.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2005-3088</cvename>
+ <url>http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt</url>
+ </references>
+ <dates>
+ <discovery>2005-10-21</discovery>
+ <entry>2005-10-30</entry>
+ </dates>
+ </vuln>
+
<vuln vid="1daea60a-4719-11da-b5c6-0004614cc33d">
<topic>ruby -- vulnerability in the safe level settings</topic>
<affects>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-doc/attachments/20051030/dcf9afc7/attachment.sig>
More information about the freebsd-doc
mailing list