From: Matthias A. <mat...@gm...> - 2021-07-28 21:04:20
Greetings,

The 6.4.20 release of fetchmail is now available at the usual locations,
including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains an LMTP bug fix, updates fetchmailconf and the Serbian translation.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.20.tar.lz)= 497973353c0538216e7d7f2289a21d9acc5edd78f06d7ec008001f4f19e91b11
SHA256(fetchmail-6.4.20.tar.xz)= c82141ae2e8f0039ceb0c5c2eda43c5e93ad0bf7f9c6bb628092b3be74386176

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386.
  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.
---------------------------------------------------------------------------------

Happy fetches,
Matthias
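
The grow-and-retry formatting pattern from the release notes, as an added C example that is not fetchmail's code or part of the original announcement. `format_grow` is a hypothetical helper, and the 3000-byte header is constructed input chosen to exceed a 2048-byte initial buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not fetchmail's code: format into a heap buffer of
 * `initial` bytes (must be > 0), growing it once if the output was truncated.
 * Caller frees the result. */
char *format_grow(size_t initial, const char *fmt, ...)
{
    va_list ap;
    char *buf = malloc(initial), *tmp;
    if (!buf) return NULL;

    va_start(ap, fmt);
    int n = vsnprintf(buf, initial, fmt, ap);     /* first pass consumes ap */
    va_end(ap);
    if (n < 0) { free(buf); return NULL; }

    if ((size_t)n >= initial) {                   /* truncated: need n + 1 bytes */
        if (!(tmp = realloc(buf, (size_t)n + 1))) { free(buf); return NULL; }
        buf = tmp;
        /* The bug class from the release notes is reaching the vsnprintf()
         * below with the ap from the first pass: after a v*printf() call its
         * value is indeterminate, so the retry may read garbage or crash.
         * A fresh va_start() (or a va_copy() made before the first pass)
         * restarts the traversal at the first variadic argument. */
        va_start(ap, fmt);
        vsnprintf(buf, (size_t)n + 1, fmt, ap);
        va_end(ap);
    }
    return buf;
}

int main(void)
{
    char hdr[3000] = {0};                         /* constructed long header */
    memset(hdr, 'A', sizeof hdr - 1);
    char *msg = format_grow(2048, "header %s uid=%d", hdr, 42);
    if (!msg) return 1;
    printf("%zu bytes, ends in: %s\n", strlen(msg), msg + strlen(msg) - 6);
    free(msg);
    return 0;
}
```

A regression test for this class of defect needs a message longer than the initial buffer and at least one argument after the long one, so that a stale argument cursor shows up as a wrong trailing value.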