Date: Sun, 30 Oct 2005 20:50:07 +0100
From: Simon Barner
To: doc@FreeBSD.org
Message-ID: <20051030195007.GB1451@zi025.glhnet.mhn.de>
Subject: Please review: New vuln.xml entry for ports/mail/fetchmail

Dear doc@,

could you please review the attached patch?

-- 
Best regards / Viele Grüße, barner@FreeBSD.org
Simon Barner barner@gmx.de

Content-Disposition: attachment; filename="vuln.xml.diff-fetchmailconf"

Index: vuln.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v retrieving revision 1.868 diff -u -r1.868 vuln.xml --- vuln.xml 27 Oct 2005 19:40:24 -0000 1.868 +++ vuln.xml 30 Oct 2005 19:47:37 -0000 @@ -34,6 +34,36 @@ =20 --> + + fetchmailconf -- password exposure through insecure file creati= on + + + fetchmail + 6.2.5.2_1 + + + =20 + +

From the fetchmail home page:

+
+

The fetchmailconf program before and excluding version 1.49 opened t= he + run control file, wrote the configuration to it, and only then changed + the mode to 0600 (rw-------). Writing the file, which usually contains + passwords, before making it unreadable to other users, can expose + sensitive password information.

+
+ +
+ + CVE-2005-3088 + http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt + + + 2005-10-21 + 2005-10-30 + +
+ =20 ruby -- vulnerability in the safe level settings
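Review bot: The quoted description in the new entry gives the fix boundary as fetchmailconf "before and excluding version 1.49", while the affected-package lines above it list fetchmail with 6.2.5.2_1, and nothing in the entry says how the two version numbers relate. Someone checking an installed fetchmail package against this entry has only the package version to go on, so a short sentence after the quoted paragraph tying the fetchmailconf version to the port revision would help. Separately, the quote is introduced with "From the fetchmail home page:" but the only URL in the references is the advisory fetchmail-SA-2005-02.txt; if the text is taken from that advisory, the lead-in should name it as the source.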