Hello community, here is the log from the commit of package fetchmail checked in at Wed Oct 3 17:00:42 CEST 2007.
--------
--- fetchmail/fetchmail.changes 2007-09-11 15:15:27.000000000 +0200
+++ /mounts/work_src_done/STABLE/fetchmail/fetchmail.changes 2007-09-27 20:54:53.000000000 +0200
@@ -1,0 +2,7 @@
+Thu Sep 27 20:50:39 CEST 2007 - pcerny@suse.de
+
+- Fix for DoS vulnerability (#308271 CVE-2007-4565)
+- Do not remove messages if SMTP insists on TLS (#246829)
+ [fetchmail-6.3.8-starttls.patch]
+
+-------------------------------------------------------------------
New:
----
fetchmail-6.3.8-CVE-2007-4565.patch
fetchmail-6.3.8-starttls.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ fetchmail.spec ++++++
--- /var/tmp/diff_new_pack.T21345/_old 2007-10-03 16:59:47.000000000 +0200
+++ /var/tmp/diff_new_pack.T21345/_new 2007-10-03 16:59:47.000000000 +0200
@@ -12,17 +12,19 @@
Name: fetchmail
BuildRequires: dante-devel ed krb5-devel openssl-devel opie postfix procmail pwdutils python-devel
-License: GPL v2 or later, Other uncritical OpenSource License, GPL, InnerNet Version 2 license (with the advertising clause removed for GPL compatibility), public-domain
+License: GPL v2 or later; Other uncritical OpenSource License; Public Domain, Freeware
Group: Productivity/Networking/Email/Utilities
-Autoreqprov: on
+AutoReqProv: on
Version: 6.3.8
-Release: 51
+Release: 58
Source: %{name}-%{version}.tar.bz2
Source1: %{name}.init
Source2: %{name}.logrotate
Source3: sysconfig.%{name}
+Patch0: fetchmail-6.3.8-CVE-2007-4565.patch
+Patch1: fetchmail-6.3.8-starttls.patch
PreReq: %insserv_prereq %fillup_prereq coreutils
-URL: http://www.fetchmail.info/
+Url: http://www.fetchmail.info/
Icon: fetchmail.xpm
Requires: smtp_daemon
Provides: pop:/usr/bin/fetchmail
@@ -55,7 +57,6 @@
Summary: Fetchmail Configuration Utility
Group: Productivity/Networking/Email/Utilities
Requires: %{name} = %{version} python-tk
-
%py_requires
%description -n fetchmailconf
@@ -74,6 +75,8 @@
%prep
%setup -q
+%patch0
+%patch1 -p1
cp -a %{S:1} %{S:2} %{S:3} .
%build
@@ -154,8 +157,11 @@
%{_bindir}/fetchmailconf
%doc %{_mandir}/man1/fetchmailconf.1.gz
%{py_sitedir}/fetchmailconf.*
-
%changelog
+* Thu Sep 27 2007 - pcerny@suse.de
+- Fix for DoS vulnerability (#308271 CVE-2007-4565)
+- Do not remove messages if SMTP insists on TLS (#246829)
+ [fetchmail-6.3.8-starttls.patch]
* Tue Sep 11 2007 - ro@suse.de
- remove librsaref2-devel from buildrequires (unused)
* Fri Aug 31 2007 - pcerny@suse.cz
++++++ fetchmail-6.3.8-CVE-2007-4565.patch ++++++
--- sink.c
+++ sink.c
@@ -262,7 +262,7 @@
const char *md1 = "MAILER-DAEMON", *md2 = "MAILER-DAEMON@";
/* don't bounce in reply to undeliverable bounces */
- if (!msg->return_path[0] ||
+ if (!msg || !msg->return_path[0] ||
strcmp(msg->return_path, "<>") == 0 ||
strcasecmp(msg->return_path, md1) == 0 ||
strncasecmp(msg->return_path, md2, strlen(md2)) == 0)
++++++ fetchmail-6.3.8-starttls.patch ++++++
# Patches fetchmail's behaviour for SMTP servers which insist
# on using TLS - we do not want messages which cannot be
# sent due to server negotiation problems lost - rather we
# keep them on the mailserver. As users should realize rather
# quickly that something went wrong, the overhead shouldn't
# be considered that important.
--- fetchmail-6.3.8.orig/sink.c 2007-03-30 00:45:17.000000000 +0200
+++ fetchmail-6.3.8.new/sink.c 2007-09-25 17:37:49.332165910 +0200
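Review bot: The added `!msg ||` guard in the sink.c hunk at line 262 only closes the NULL dereference if the statement it controls leaves the function before msg is touched again; that statement, and the rest of the enclosing function (send_bouncemail, which begins before and ends after the hunk), are outside the hunk, so confirm that no later msg->return_path access is reachable when msg is NULL. The code also gives no hint of why msg can be NULL here; the .changes entry ties the check to CVE-2007-4565, so I would extend the existing comment to `/* don't bounce in reply to undeliverable bounces, nor when there is no message to reply to (msg == NULL, CVE-2007-4565) */` so the next reader does not "simplify" the guard away. Bailing out here is silent; if the function has a verbosity check available, a one-line report at the same level the starttls patch uses would make the skipped bounce visible in the log.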
@@ -535,7 +535,19 @@
free(responses[0]);
return(PS_REFUSED);
- default:
+ case 530: /* must issue STARTTLS error */
+ /*
+ * Some SMTP servers insist on encrypted communication
+ * Let's set PS_TRANSIENT, otherwise all messages to be sent
+ * over such server would be blackholed
+ */
+ free(responses[0]);
+ if (outlevel > O_SILENT)
+ report_complete(stdout,
+ GT_(" SMTP server requires STARTTLS, keeping message.\n"));
+ return(PS_TRANSIENT);
+
+ default:
/* bounce non-transient errors back to the sender */
if (smtperr >= 500 && smtperr <= 599)
{
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
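Review bot: The new `case 530:` treats every 530 reply as "STARTTLS required", but 530 is also the reply code for "authentication required" (RFC 4954), so the log text asserts a cause the code has not established; keeping the message with PS_TRANSIENT is the right outcome in both cases, but the report should not name a reason it cannot see, e.g. `GT_(" SMTP server rejected the message with 530 (STARTTLS or authentication required), keeping message.\n")`, or, if only the RFC 3207 case is meant, inspect responses[0] for the "5.7.0"/STARTTLS text before freeing it and fall through to default otherwise. A server that keeps answering 530 will presumably keep every message on the server and print this line for each one on every poll; the patch preamble accepts that trade-off, but the in-code comment does not say so, so I would add `/* message stays on the server and is retried next poll; expect this line once per message until the SMTP side is fixed */`. The switch this case belongs to starts and ends outside the hunk.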