Date: Sun, 30 Oct 2005 20:50:07 +0100 From: Simon Barner <barner@FreeBSD.org> To: doc@FreeBSD.org Subject: Please review: New vuln.xml entry for ports/mail/fetchmail Message-ID: <20051030195007.GB1451@zi025.glhnet.mhn.de>
next in thread | raw e-mail | index | archive | help
--T7mxYSe680VjQnyC Content-Type: multipart/mixed; boundary="z4+8/lEcDcG5Ke9S" Content-Disposition: inline --z4+8/lEcDcG5Ke9S Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Dear doc@, could you please review the attached patch? --=20 Best regards / Viele Gr=FC=DFe, barner@FreeBSD.= org Simon Barner barner@gmx.de --z4+8/lEcDcG5Ke9S Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="vuln.xml.diff-fetchmailconf" Content-Transfer-Encoding: quoted-printable Index: vuln.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v retrieving revision 1.868 diff -u -r1.868 vuln.xml --- vuln.xml 27 Oct 2005 19:40:24 -0000 1.868 +++ vuln.xml 30 Oct 2005 19:47:37 -0000 @@ -34,6 +34,36 @@ =20 --> <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">; + <vuln vid=3D"baf74e0b-497a-11da-a4f4-0060084a00e5"> + <topic>fetchmailconf -- password exposure through insecure file creati= on</topic> + <affects> + <package> + <name>fetchmail</name> + <range><lt>6.2.5.2_1</lt></range> + </package> + </affects> + <description>=20 + <body xmlns=3D"http://www.w3.org/1999/xhtml">; + <p>From the fetchmail home page:</p> + <blockquote cite=3D"http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt">; + <p>The fetchmailconf program before and excluding version 1.49 opened t= he + run control file, wrote the configuration to it, and only then changed + the mode to 0600 (rw-------). Writing the file, which usually contains + passwords, before making it unreadable to other users, can expose + sensitive password information.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2005-3088</cvename> + <url>http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt</url>; + </references> + <dates> + <discovery>2005-10-21</discovery> + <entry>2005-10-30</entry> + </dates> + </vuln> + =20 <vuln vid=3D"1daea60a-4719-11da-b5c6-0004614cc33d"> <topic>ruby -- vulnerability in the safe level settings</topic> <affects> --z4+8/lEcDcG5Ke9S-- --T7mxYSe680VjQnyC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDZSPvCkn+/eutqCoRAq1hAKDyYlEQjGhDnb1lQ3U9+Zg3IE+gfwCg4cQv 5F0rEeQhzusIIvGMKOYB/AQ= =3GQE -----END PGP SIGNATURE----- --T7mxYSe680VjQnyC--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051030195007.GB1451>