[Bug 257480] mail/fetchmail: security update to 6.4.20

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 28 Jul 2021 21:47:11 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257480

            Bug ID: 257480
           Summary: mail/fetchmail: security update to 6.4.20
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt
                OS: Any
            Status: New
          Keywords: patch, security
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs_at_FreeBSD.org
          Reporter: mandree_at_FreeBSD.org
                CC: chalpin_at_cs.wisc.edu
                CC: chalpin_at_cs.wisc.edu
             Flags: maintainer-feedback?(chalpin_at_cs.wisc.edu)
             Flags: merge-quarterly?

Created attachment 226760
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=226760&action=edit
/usr/ports update to take fetchmail to v6.4.20

Hi Corey,

please review and if possible approve of the attached port update to fetchmail
v6.4.20 to address a security vulnerability in some configurations.

vuxml entry already committed (not yet rendered):
https://cgit.freebsd.org/ports/commit/?id=b913df304c485ba61fc981f7e633b96d4b3ea492

release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:                                                                 
* When a log message exceeds c. 2 kByte in size, for instance, with very long
  header contents, and depending on verbosity option, fetchmail can crash or
  misreport each first log message that requires a buffer reallocation.
  fetchmail then reallocates memory and re-runs vsnprintf() without another
  call to va_start(), so it reads garbage. The exact impact depends on
  many factors around the compiler and operating system configurations used and
  the implementation details of the stdarg.h interfaces of the two functions
  mentioned before. To fix CVE-2021-38386.

  Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.
---------------------------------------------------------------------------------

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Wed Jul 28 2021 - 21:47:11 UTC

Original text of this message