Date:      Wed, 28 Jul 2021 21:47:11 +0000
From:      bugzilla-noreply@freebsd.org
To:        ports-bugs@FreeBSD.org
Subject:   [Bug 257480] mail/fetchmail: security update to 6.4.20
Message-ID:  <bug-257480-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257480

            Bug ID: 257480
           Summary: mail/fetchmail: security update to 6.4.20
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: mandree@FreeBSD.org
                CC: chalpin@cs.wisc.edu
             Flags: maintainer-feedback?(chalpin@cs.wisc.edu)
             Flags: merge-quarterly?

Created attachment 226760
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=226760&action=edit
/usr/ports update to take fetchmail to v6.4.20

Hi Corey,

please review and if possible approve of the attached port update to fetchmail
v6.4.20 to address a security vulnerability in some configurations.

vuxml entry already committed (not yet rendered):
https://cgit.freebsd.org/ports/commit/?id=b913df304c485ba61fc981f7e633b96d4b3ea492

release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386.

  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.
--------------------------------------------------------------------------------

-- 
You are receiving this mail because:
You are the assignee for the bug.
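The defect class the release note describes, as an added example written for this page (it is not fetchmail's code and not part of the bug report): a log-formatting helper that tries vsnprintf() into a small buffer, grows the buffer when the output was truncated, and retries. The buggy variant reuses the same va_list for the retry; the fixed variant takes a va_copy() for every vsnprintf() call. The names vformat_buggy, vformat_fixed, format_fixed and the INITIAL_BUF size are assumptions made for the example; the tiny buffer size is chosen so that any realistic header line takes the reallocation path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Initial buffer size. Deliberately tiny (an assumption for this example;
 * the advisory puts fetchmail's threshold at about 2 kByte) so that any
 * realistic header line takes the reallocation path. */
#define INITIAL_BUF 16

/*
 * BUGGY PATTERN (shown for contrast; never called here).
 * vsnprintf() consumes the va_list it is given. Re-running it on the same
 * 'ap' after the realloc, without an intervening va_end()/va_start() or a
 * va_copy(), is undefined behaviour: depending on the ABI the second call
 * reads past the already-consumed arguments, so the log line is garbage
 * or the process crashes. Same defect class as the advisory, not its code.
 */
char *vformat_buggy(const char *fmt, va_list ap)
{
    size_t cap = INITIAL_BUF;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    int n = vsnprintf(buf, cap, fmt, ap);         /* first pass consumes ap */
    if (n < 0) {
        free(buf);
        return NULL;
    }
    if ((size_t)n >= cap) {
        cap = (size_t)n + 1;
        char *tmp = realloc(buf, cap);
        if (tmp == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
        (void)vsnprintf(buf, cap, fmt, ap);       /* BUG: ap already consumed */
    }
    return buf;
}

/*
 * FIXED PATTERN: every vsnprintf() call gets its own va_copy() of the
 * caller's list, so the retry after realloc() starts from the first
 * argument again.
 */
char *vformat_fixed(const char *fmt, va_list ap)
{
    va_list aq;
    size_t cap = INITIAL_BUF;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;

    va_copy(aq, ap);
    int n = vsnprintf(buf, cap, fmt, aq);
    va_end(aq);
    if (n < 0) {
        free(buf);
        return NULL;
    }
    if ((size_t)n >= cap) {                       /* truncated: grow and retry */
        cap = (size_t)n + 1;
        char *tmp = realloc(buf, cap);
        if (tmp == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
        va_copy(aq, ap);                          /* fresh copy for the retry */
        n = vsnprintf(buf, cap, fmt, aq);
        va_end(aq);
        if (n < 0) {
            free(buf);
            return NULL;
        }
    }
    return buf;
}

/* Variadic front end around the fixed version; the caller frees the result. */
char *format_fixed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = vformat_fixed(fmt, ap);
    va_end(ap);
    return s;
}

int main(void)
{
    /* Constructed sample: a header value long enough to force the realloc. */
    char value[200];
    memset(value, 'x', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    char *line = format_fixed("header %s: %s (%d bytes)", "X-Long", value, 199);
    if (line == NULL)
        return 1;
    printf("%zu chars: %.40s...\n", strlen(line), line);
    free(line);
    return 0;
}
```

The fixed version follows the C99 rule that a va_list handed to a v*printf function is indeterminate afterwards and must be re-initialised (va_copy from the original, or va_end plus va_start in the variadic caller) before any second pass; the retry is exactly the "first log message that requires a buffer reallocation" case from the note, which is why the bug only shows up on long header lines.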
