Created by Artur Rona on 2010-04-02 and last modified on 2014-05-18
Get this branch:
bzr branch lp:~ari-tczew/ubuntu/dapper/fetchmail/fix-CVE-2008-2711

Recent revisions

12. By Artur Rona on 2010-04-02

* SECURITY UPDATE: Corrects a denial of service attack that can crash
  fetchmail when running in -v -v mode via malformed mail messages
  with long headers (LP: #240549)
  - debian/patches/07_fix_CVE-2008-2711_DoS.dpatch
  - CVE-2008-2711

11. By Kees Cook on 2009-08-11

* SECURITY UPDATE: SSL cert validation bypass via NULL bytes.
  - add 06_cert_0_byte.patch, thanks to Nico Golde.
  - CVE-2009-2666

10. By Jamie Strandboge on 2007-09-25

* SECURITY UPDATE: DoS via NULL pointer dereference when SMTP refuses to
  send certain warning messages
* added 05_CVE-2007-4565.dpatch to sink.c to verify msg is not NULL
* SECURITY UPDATE: Due to a design flaw in the APOP protocol, remote
  attackers may be able to acquire a portion of a user's authentication
  credentials using man-in-the-middle techniques.
* added 06_CVE-2007-1558.dpatch. This patch adds notes about APOP's
  limitations as well as updating pop3.c to more strictly validate the
  presented challenge for RFC-822 conformity. This change to pop3.c does
  not fix the APOP design flaw, but does make attacks against APOP somewhat
  more difficult.
* References

9. By Kees Cook on 2007-01-10

* SECURITY UPDATE: password can leak in cleartext when SSL configured.
* Add 'debian/patches/04.fix-cleartext-leak.dpatch': extracted from
* References

8. By Andrew Mitchell on 2006-03-29

* Install fetchmailconf files into /usr/lib/python2.4 rather than
  - Malone #31798

7. By Martin Pitt on 2006-02-07

* Resynchronise with Debian. This brings the new upstream version to dapper
  since upstream support for 6.2 was dropped.
* Drop debian/patches/CVE-2005-4348.dpatch, upstream now.

6. By Martin Pitt on 2006-01-02

* Add debian/patches/CVE-2005-4348.dpatch:
  - Fix double free crash on messages without any headers when using
    multidrop mode.
  - Fix backported from stable release.
  - CVE-2005-4348.

5. By Martin Pitt on 2005-11-17

Resynchronise with Debian.

4. By Scott James Remnant (Canonical) on 2005-08-18

Removed error message if /etc/fetchmailrc doesn't exist on startup,
which it won't on fresh installs. (Ubuntu #13044).

3. By Michael Vogt on 2004-12-20

Resynchronise with Debian.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)