From: Matthias A. <mat...@gm...> - 2021-08-09 16:47:21
Greetings,

The 6.4.21 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains the security fix for CVE-2021-36386 of 6.4.20, and fixes a regression/a bug that causes log message truncation/run-together prominently visible with --logfile that was introduced into 6.4.20.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.lz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.21.tar.lz)= 3abbe5f7bb003bdf3b8b71a2edd896fba55cbd3d19d59fe2ff8925fca4983af7
SHA256(fetchmail-6.4.21.tar.xz)= 6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):

# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
  messages logged to buffered outputs, predominantly --logfile.
  This also caused lines in the logfile to run into one another because
  the fragment containing the '\n' line-end character was usually lost.
  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
  interface), the length of log message fragments was added up twice, so
  that these ended too deep into a freshly allocated buffer, after the '\0'
  byte. Unbuffered outputs flushed the fragments right away, which masked the
  bug.
  Reported by: Jürgen Edner, Erik Christiansen.
--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386.
  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.

---------------------------------------------------------------------------------

Happy fetches,
Matthias
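
The two defects described in the release notes above, shown in their corrected form as an added example (this is not fetchmail's code; `struct logbuf`, `logbuf_vappend` and `logbuf_append` are hypothetical names): each formatting attempt, including the retry after reallocation, works on a fresh `va_copy()` of the argument list, and the fragment length is added to the buffer offset exactly once.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical log buffer for partial lines; names are illustrative. */
struct logbuf {
    char  *data;  /* accumulated text, NUL-terminated once non-NULL */
    size_t used;  /* bytes stored, not counting the NUL */
    size_t cap;   /* bytes allocated */
};

/* Append one formatted fragment. Returns 0 on success, -1 on error. */
int logbuf_vappend(struct logbuf *lb, const char *fmt, va_list ap)
{
    for (;;) {
        size_t room = lb->cap - lb->used;
        va_list aq;
        int n;

        /* vsnprintf() leaves its va_list indeterminate, so each attempt,
         * including the retry after realloc(), formats from a fresh copy. */
        va_copy(aq, ap);
        n = vsnprintf(room ? lb->data + lb->used : NULL, room, fmt, aq);
        va_end(aq);
        if (n < 0)
            return -1;
        if ((size_t)n < room) {
            lb->used += (size_t)n;  /* add the fragment length exactly once */
            return 0;
        }
        /* Too small: grow to fit this fragment plus its NUL, then retry. */
        size_t ncap = lb->used + (size_t)n + 1;
        char *p = realloc(lb->data, ncap);
        if (p == NULL)
            return -1;
        lb->data = p;
        lb->cap = ncap;
    }
}

int logbuf_append(struct logbuf *lb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = logbuf_vappend(lb, fmt, ap);
    va_end(ap);
    return rc;
}
```

The invariant to check after every append is `lb->used == strlen(lb->data)`; an offset that runs past the NUL byte is what makes later fragments, such as the one carrying the '\n', disappear from buffered output.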