From nobody Wed Jul 28 21:47:11 2021 X-Original-To: ports-bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EA88412B82F9 for ; Wed, 28 Jul 2021 21:47:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4GZnLl6Fdtz3m9H for ; Wed, 28 Jul 2021 21:47:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BBEA7258A4 for ; Wed, 28 Jul 2021 21:47:11 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 16SLlBPB095169 for ; Wed, 28 Jul 2021 21:47:11 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 16SLlBj7095168 for ports-bugs@FreeBSD.org; Wed, 28 Jul 2021 21:47:11 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 257480] mail/fetchmail: security update to 6.4.20 Date: Wed, 28 Jul 2021 21:47:11 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: patch, security X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: mandree@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: ports-bugs@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback? merge-quarterly? X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform bug_file_loc op_sys bug_status keywords bug_severity priority component assigned_to reporter cc flagtypes.name attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Ports bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-ports-bugs@freebsd.org X-BeenThere: freebsd-ports-bugs@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D257480 Bug ID: 257480 Summary: mail/fetchmail: security update to 6.4.20 Product: Ports & Packages Version: Latest Hardware: Any URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt OS: Any Status: New Keywords: patch, security Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: mandree@FreeBSD.org CC: chalpin@cs.wisc.edu CC: chalpin@cs.wisc.edu Flags: maintainer-feedback?(chalpin@cs.wisc.edu) Flags: merge-quarterly? Created attachment 226760 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D226760&action= =3Dedit /usr/ports update to take fetchmail to v6.4.20 Hi Corey, please review and if possible approve of the attached port update to fetchm= ail v6.4.20 to address a security vulnerability in some configurations. vuxml entry already committed (not yet rendered): https://cgit.freebsd.org/ports/commit/?id=3Db913df304c485ba61fc981f7e633b96= d4b3ea492 release notes: ---------------------------------------------------------------------------= ------ fetchmail-6.4.20 (released 2021-07-28, 30042 LoC): # SECURITY FIX:=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20 * When a log message exceeds c. 2 kByte in size, for instance, with very lo= ng header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation. fetchmail then reallocates memory and re-runs vsnprintf() without another call to va_start(), so it reads garbage. The exact impact depends on many factors around the compiler and operating system configurations used= and the implementation details of the stdarg.h interfaces of the two functions mentioned before. To fix CVE-2021-38386. Reported by Christian Herdtweck of Intra2net AG, T=C3=BCbingen, Germany. ---------------------------------------------------------------------------= ------ --=20 You are receiving this mail because: You are the assignee for the bug.=