Debian Bug report logs - #336096
[sarge] CVE-2005-3088 - password exposure in fetchmailconf


Package: fetchmail; Maintainer for fetchmail is Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>; Source for fetchmail is src:fetchmail.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 27 Oct 2005 19:33:13 UTC

Severity: normal

Tags: fixed-upstream, patch, sarge, security, upstream

Found in version fetchmail/6.2.5-18

Done: Nico Golde <nico@ngolde.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-3088: Insecure file creation in fetchmailconf may expose sensitive data
Date: Thu, 27 Oct 2005 21:26:46 +0200
Package: fetchmail
Version: 6.2.5-18
Severity: normal
Tags: security

A minor security problem has been found in fetchmailconf; insecure file
creation may expose sensitive data such as password information. Please
see http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt for details.

This has been assigned CVE-2005-3088, please mention so in the changelog
when fixing this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages fetchmail depends on:
ii  adduser                       3.77       Add and remove users and groups
ii  base-files                    3.1.9      Debian base system miscellaneous f
ii  debianutils                   2.15       Miscellaneous utilities specific t
ii  libc6                         2.3.5-7    GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7g-5   SSL shared libraries

Versions of packages fetchmail recommends:
ii  ca-certificates               20050804   Common CA Certificates PEM files

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 336096@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 336096@bugs.debian.org
Subject: Re: [pkg-fetchmail-maint] Bug#336096: CVE-2005-3088: Insecure file creation in fetchmailconf may expose sensitive data
Date: Fri, 28 Oct 2005 17:12:15 +0200
Hi,
* Moritz Muehlenhoff <jmm@inutil.org> [2005-10-28 16:29]:
> Package: fetchmail
> Version: 6.2.5-18
> Severity: normal
> Tags: security
> 
> A minor security problem has been found in fetchmailconf; insecure file
> creation may expose sensitive data such as password information. Please
> see http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt for details.
> 
> This has been assigned CVE-2005-3088, please mention so in the changelog
> when fixing this.

Thanks. It will be fixed hopefully soon with the new upstream release.
Regards Nico
-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Matthias Andree <matthias.andree@gmx.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 336096@bugs.debian.org (full text, mbox):

From: Matthias Andree <matthias.andree@gmx.de>
To: 336096@bugs.debian.org
Subject: bug followup CVE-2005-3088
Date: Sat, 29 Oct 2005 15:33:31 +0200
...as though you'd upload a new upstream release for "stable".

Please fix this in the 6.2.5 packages as well.

-- 
Matthias Andree



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 336096@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: Matthias Andree <matthias.andree@gmx.de>, 336096@bugs.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Sat, 29 Oct 2005 19:36:58 +0200
Hi,
* Matthias Andree <matthias.andree@gmx.de> [2005-10-29 19:24]:
> ...as though you'd upload a new upstream release for "stable".
> 
> Please fix this in the 6.2.5 packages as well.

yes that was the plan ;)
i will provide a security update asap.
regards nico
-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

Tags added: upstream, fixed-upstream Request was from matthias.andree@gmx.de (Matthias Andree) to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 336096@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Nico Golde <nico@ngolde.de>
Cc: Matthias Andree <matthias.andree@gmx.de>, 336096@bugs.debian.org, control@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Mon, 14 Nov 2005 17:06:45 +0100
tags 336096 + patch pending
thanks

        Hi,

On Sat, Oct 29, 2005, Nico Golde wrote:
> i will provide a security update asap.

 It has been two weeks, unless you object, and if the security team
 acks the patch, I'll upload the attached changes.

   Bye,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"
[fetchmail_6.2.5-12sarge2.diff (text/plain, attachment)]

Tags added: patch, pending Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #34 received at 336096@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: Loic Minier <lool@dooz.org>
Cc: Matthias Andree <matthias.andree@gmx.de>, 336096@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Mon, 14 Nov 2005 17:32:01 +0100
Hi,
* Loic Minier <lool@dooz.org> [2005-11-14 17:28]:
> tags 336096 + patch pending
> thanks
> 
>         Hi,
> 
> On Sat, Oct 29, 2005, Nico Golde wrote:
> > i will provide a security update asap.
> 
>  It has been two weeks, unless you object, and if the security team
>  acks the patch, I'll upload the attached changes.

Since I am very busy at the moment, yes feel free to upload.
I think it would be great to have you as co-maintainer so if 
you still are interested, it would be fine if you join.
Regards Nico
-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

Information stored:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #39 received at 336096-quiet@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: team@security.debian.org
Subject: IMPORTANT: fetchmail regression in 6.2.5-12sarge1
Date: Mon, 14 Nov 2005 20:30:08 +0100
        Hi,

 While preparing a fix for CVE-2005-3088 (#336096), the Debian bugs
 #323027 and #327893 were brought to my attention.  It seems to me other
 quality fixes were included in the 6.2.5-12sarge1 version, basically
 including parts of the upstream "6.2.5.2" stable release and causing
 new bugs to appear; I believe this is far too many changes for a
 security upload.

 I attach "fetchmail_6.2.5-12sarge1.diff", the interdiff between
 6.2.5-12 and 6.2.5-12sarge1, for you to recheck whether you want to include it
 completely.  My understanding is that the patch in
 "fetchmail_CAN-2005-2335.diff" would have been enough for sarge1.

 Since I'm preparing sarge2, I propose I revert the changes of sarge1,
 except for "fetchmail_CAN-2005-2335.diff", and fix CVE-2005-3088 with
 the patch I've already sent you.  I can also prepare a stable upload
 based on sarge2 with more fixes (possibly all) from the stable upstream
 release 6.2.5.4.

 Please let me know rapidly whether this suits you.

   Cheers,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"
[fetchmail_CAN-2005-2335.diff (text/plain, attachment)]
[fetchmail_6.2.5-12sarge1.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #44 received at 336096@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Nico Golde <nico@ngolde.de>
Cc: Loic Minier <lool@dooz.org>, Matthias Andree <matthias.andree@gmx.de>, 336096@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Mon, 14 Nov 2005 20:54:15 +0100
Nico Golde wrote:
> Hi,
> * Loic Minier <lool@dooz.org> [2005-11-14 17:28]:
> > tags 336096 + patch pending
> > thanks
> > 
> >         Hi,
> > 
> > On Sat, Oct 29, 2005, Nico Golde wrote:
> > > i will provide a security update asap.
> > 
> >  It has been two weeks, unless you object, and if the security team
> >  acks the patch, I'll upload the attached changes.
> 
> Since I am very busy at the moment, yes feel free to upload.
> I think it would be great to have you as co-maintainer so if 
> you still are interested, it would be fine if you join.

While you're at it, please mention the CVE name (CVE-2005-3088)
in the changelog and let me know which version in sid fixes
the problem.

Regards,

	Joey

-- 
No question is too silly to ask, but, of course, some are too silly
to answer.   -- Perl book

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #49 received at 336096@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Nico Golde <nico@ngolde.de>, Matthias Andree <matthias.andree@gmx.de>, 336096@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Tue, 15 Nov 2005 09:21:25 +0100
On Mon, Nov 14, 2005, Martin Schulze wrote:
> > Since I am very busy at the moment, yes feel free to upload.
> > I think it would be great to have you as co-maintainer so if 
> > you still are interested, it would be fine if you join.
> While you're at it, please mention the CVE name (CVE-2005-3088)
> in the changelog and let me know which version in sid fixes
> the problem.

 I will upload the latest upstream stable release, 6.2.5.4, today; of
 course, both CVE ids will be mentioned and the relevant Debian bugs.

-- 
Loïc Minier <lool@dooz.org>



Reply sent to Loic Minier <lool@dooz.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #54 received at 336096-close@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: 336096-close@bugs.debian.org
Subject: Bug#336096: fixed in fetchmail 6.2.5.4-1
Date: Tue, 15 Nov 2005 10:17:36 -0800
Source: fetchmail
Source-Version: 6.2.5.4-1

We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive:

fetchmail-ssl_6.2.5.4-1_all.deb
  to pool/main/f/fetchmail/fetchmail-ssl_6.2.5.4-1_all.deb
fetchmail_6.2.5.4-1.diff.gz
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.diff.gz
fetchmail_6.2.5.4-1.dsc
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.dsc
fetchmail_6.2.5.4-1_i386.deb
  to pool/main/f/fetchmail/fetchmail_6.2.5.4-1_i386.deb
fetchmail_6.2.5.4.orig.tar.gz
  to pool/main/f/fetchmail/fetchmail_6.2.5.4.orig.tar.gz
fetchmailconf_6.2.5.4-1_all.deb
  to pool/main/f/fetchmail/fetchmailconf_6.2.5.4-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 336096@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool@dooz.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Nov 2005 18:53:37 +0100
Source: fetchmail
Binary: fetchmailconf fetchmail-ssl fetchmail
Architecture: source i386 all
Version: 6.2.5.4-1
Distribution: unstable
Urgency: high
Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>
Changed-By: Loic Minier <lool@dooz.org>
Description: 
 fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmail-ssl - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmailconf - fetchmail configurator
Closes: 288063 314509 321272 323637 330522 336096
Changes: 
 fetchmail (6.2.5.4-1) unstable; urgency=high
 .
   [ Lucas Wall ]
     - pidfile checking in init.d script (closes: #323637).
 .
   [ Nico Golde ]
     - Only create fetchmail user if it doesn't exist (closes: #330522,#321272).
     - respect the permissions of fetchmail home.
     - rebuild against latest openssl version.
     - removed deletion of /etc/fetchmailrc,
       see statement in BTS. (closes: #288063).
     - adjusted legal notes (Thanks Marc Brockschmidt for the hint).
 .
   [ Loic Minier ]
   * New upstream stable releases.
     - Fix password exposure in fetchmailconf: use umask 077 before opening
       output file and restore umask later. (Closes: #336096)
       This is CVE-2005-3088.
     - Drop 01pop3sec.dpatch, included upstream.
     - Fix IMAP timeouts, counting message count down on servers that do not
       send EXISTS counts after EXPUNGE. (Closes: #314509)
     - Unlist spanish translation patch for now, as the spanish translation was
       completely destroyed upstream.
   * Add myself to Uploaders.
Files: 
 6e5f306aed047dc28e87bf7651357ebe 858 mail optional fetchmail_6.2.5.4-1.dsc
 16af4db00e200445a55e6f7a9a267649 1275624 mail optional fetchmail_6.2.5.4.orig.tar.gz
 5b6d534009350e90a5fd0cfa432cf30e 79388 mail optional fetchmail_6.2.5.4-1.diff.gz
 93f0fb1c89dc716a7f28c874535faabf 104398 mail optional fetchmailconf_6.2.5.4-1_all.deb
 48c68a538716d9ab63db700f15f0dd1a 45070 mail optional fetchmail-ssl_6.2.5.4-1_all.deb
 68e50437e01725fccee667763ac2573e 290118 mail optional fetchmail_6.2.5.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDeiIJ4VUX8isJIMARAtgNAJoDdUQpIE08bCigJ/8jSW8TT1rh7wCfYCDb
SIKaKIeMQQ9TUY+Y0GKzY/Y=
=uedC
-----END PGP SIGNATURE-----
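
An added illustration (not fetchmailconf's code and not part of this bug log) of the fix the changelog above describes, "use umask 077 before opening output file and restore umask later". The function names, file names and the sample rc line are assumptions constructed for the example; it also covers an output file that already exists with a looser mode, which umask alone does not change.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for a generated rc file.
SAMPLE_RC = 'poll mail.example.org user "alice" password "constructed-secret"\n'


def mode_of(path):
    """Return the permission bits of path (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_default(path, text):
    """'Before' pattern: a new file gets 0666 & ~umask, typically 0644."""
    with open(path, "w") as fh:
        fh.write(text)


def write_with_umask(path, text):
    """Pattern named in the changelog: umask 077 around the open, then restore.

    os.umask() is process-wide, so this is not safe if other threads
    create files at the same time.
    """
    old = os.umask(0o077)
    try:
        with open(path, "w") as fh:
            fh.write(text)
    finally:
        os.umask(old)


def write_private(path, text):
    """Alternative: ask for 0600 at creation and tighten an existing file.

    The mode passed to os.open() applies only when the file is created,
    so fchmod() is needed for a file that was already there.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)
        fh.write(text)


def demo():
    """Run the three writers in a scratch directory and report the modes."""
    results = {}
    saved = os.umask(0o022)  # assume the common default umask for the demo
    try:
        with tempfile.TemporaryDirectory() as scratch:
            loose = os.path.join(scratch, "rc-default")
            write_default(loose, SAMPLE_RC)
            results["default"] = mode_of(loose)

            tight = os.path.join(scratch, "rc-umask")
            write_with_umask(tight, SAMPLE_RC)
            results["umask"] = mode_of(tight)

            # The umask must be back at 022 after the write.
            current = os.umask(0o022)
            results["umask_restored"] = (current == 0o022)

            # Rewriting a file that already exists keeps its old mode.
            write_with_umask(loose, SAMPLE_RC)
            results["umask_over_existing"] = mode_of(loose)

            write_private(loose, SAMPLE_RC)
            results["private_over_existing"] = mode_of(loose)
    finally:
        os.umask(saved)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        shown = oct(value) if not isinstance(value, bool) else value
        print(f"{name}: {shown}")
```

After upgrading, a configuration file written by an older version still has whatever mode it was created with, so checking it with `ls -l` and running `chmod 600` on it remains worthwhile.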




Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #59 received at 336096@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Nico Golde <nico@ngolde.de>, 336096@bugs.debian.org
Subject: Re: Bug#336096: bug followup CVE-2005-3088
Date: Tue, 15 Nov 2005 19:25:11 +0100
On Tue, Nov 15, 2005, Loic Minier wrote:
>  I will upload the latest upstream stable release, 6.2.5.4, today; of
>  course, both CVE ids will be mentioned and the relevant Debian bugs.

 I uploaded it, it's available from:
    <http://people.dooz.org/~lool/debian/fetchmail/6.2.5.4-1/sid/>

 (And right now from incoming.)

   Cheers,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #64 received at 336096@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: 336096@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#336096: fixed in fetchmail 6.2.5.4-1
Date: Tue, 15 Nov 2005 20:43:03 +0100
reopen 336096
tags 336096 + sarge
retitle 336096 [sarge] CVE-2005-3088 - password exposure in fetchmailconf
tags 336096 + pending
thanks

On Tue, Nov 15, 2005, Loic Minier wrote:
> Source: fetchmail
> Source-Version: 6.2.5.4-1
> 
> We believe that the bug you reported is fixed in the latest version of
> fetchmail, which is due to be installed in the Debian FTP archive:
> 
> fetchmail-ssl_6.2.5.4-1_all.deb
>   to pool/main/f/fetchmail/fetchmail-ssl_6.2.5.4-1_all.deb
> fetchmail_6.2.5.4-1.diff.gz
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.diff.gz
> fetchmail_6.2.5.4-1.dsc
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1.dsc
> fetchmail_6.2.5.4-1_i386.deb
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4-1_i386.deb
> fetchmail_6.2.5.4.orig.tar.gz
>   to pool/main/f/fetchmail/fetchmail_6.2.5.4.orig.tar.gz
> fetchmailconf_6.2.5.4-1_all.deb
>   to pool/main/f/fetchmail/fetchmailconf_6.2.5.4-1_all.deb
> 
> 
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 336096@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Loic Minier <lool@dooz.org> (supplier of updated fetchmail package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster@debian.org)
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Format: 1.7
> Date: Tue, 15 Nov 2005 18:53:37 +0100
> Source: fetchmail
> Binary: fetchmailconf fetchmail-ssl fetchmail
> Architecture: source i386 all
> Version: 6.2.5.4-1
> Distribution: unstable
> Urgency: high
> Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>
> Changed-By: Loic Minier <lool@dooz.org>
> Description: 
>  fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
>  fetchmail-ssl - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
>  fetchmailconf - fetchmail configurator
> Closes: 288063 314509 321272 323637 330522 336096
> Changes: 
>  fetchmail (6.2.5.4-1) unstable; urgency=high
>  .
>    [ Lucas Wall ]
>      - pidfile checking in init.d script (closes: #323637).
>  .
>    [ Nico Golde ]
>      - Only create fetchmail user if it doesn't exist (closes: #330522,#321272).
>      - respect the permissions of fetchmail home.
>      - rebuild against latest openssl version.
>      - removed deletion of /etc/fetchmailrc,
>        see statement in BTS. (closes: #288063).
>      - adjusted legal notes (Thanks Marc Brockschmidt for the hint).
>  .
>    [ Loic Minier ]
>    * New upstream stable releases.
>      - Fix password exposure in fetchmailconf: use umask 077 before opening
>        output file and restore umask later. (Closes: #336096)
>        This is CVE-2005-3088.
>      - Drop 01pop3sec.dpatch, included upstream.
>      - Fix IMAP timeouts, counting message count down on servers that do not
>        send EXISTS counts after EXPUNGE. (Closes: #314509)
>      - Unlist spanish translation patch for now, as the spanish translation was
>        completely destroyed upstream.
>    * Add myself to Uploaders.
> Files: 
>  6e5f306aed047dc28e87bf7651357ebe 858 mail optional fetchmail_6.2.5.4-1.dsc
>  16af4db00e200445a55e6f7a9a267649 1275624 mail optional fetchmail_6.2.5.4.orig.tar.gz
>  5b6d534009350e90a5fd0cfa432cf30e 79388 mail optional fetchmail_6.2.5.4-1.diff.gz
>  93f0fb1c89dc716a7f28c874535faabf 104398 mail optional fetchmailconf_6.2.5.4-1_all.deb
>  48c68a538716d9ab63db700f15f0dd1a 45070 mail optional fetchmail-ssl_6.2.5.4-1_all.deb
>  68e50437e01725fccee667763ac2573e 290118 mail optional fetchmail_6.2.5.4-1_i386.deb
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> 
> iD8DBQFDeiIJ4VUX8isJIMARAtgNAJoDdUQpIE08bCigJ/8jSW8TT1rh7wCfYCDb
> SIKaKIeMQQ9TUY+Y0GKzY/Y=
> =uedC
> -----END PGP SIGNATURE-----
> 
> 
> 

-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Bug reopened, originator not changed. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Christian Schoenebeck <cuse@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #77 received at 336096@bugs.debian.org (full text, mbox):

From: Christian Schoenebeck <cuse@users.sourceforge.net>
To: 336096@bugs.debian.org
Subject: dependency conflict with fetchmail-ssl
Date: Sun, 20 Nov 2005 13:16:56 +0100
Hi!

Please notice that fetchmail-ssl has to be updated as well in order of the 
latest security update! Currently fetchmail-common and fetchmailconf are kept 
back on systems where fetchmail-ssl is installed instead of fetchmail.

CU
Christian



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #82 received at 336096@bugs.debian.org (full text, mbox):

From: Loic Minier <lool@dooz.org>
To: Christian Schoenebeck <cuse@users.sourceforge.net>, 336096@bugs.debian.org
Subject: Re: [pkg-fetchmail-maint] Bug#336096: dependency conflict with fetchmail-ssl
Date: Mon, 21 Nov 2005 10:21:37 +0100
On Sun, Nov 20, 2005, Christian Schoenebeck wrote:
> Please notice that fetchmail-ssl has to be updated as well in order of the 
> latest security update! Currently fetchmail-common and fetchmailconf are kept 
> back on systems where fetchmail-ssl is installed instead of fetchmail.

 Can you please send a copy of your /etc/apt/sources.list?

   Thanks,
-- 
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS!    When do we want it? BRAINS!"



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#336096; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Christian Schoenebeck <cuse@users.sourceforge.net>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #87 received at 336096@bugs.debian.org (full text, mbox):

From: Christian Schoenebeck <cuse@users.sourceforge.net>
To: Loic Minier <lool@dooz.org>
Cc: 336096@bugs.debian.org
Subject: Re: [pkg-fetchmail-maint] Bug#336096: dependency conflict with fetchmail-ssl
Date: Mon, 21 Nov 2005 14:42:48 +0100
On Monday, 21 November 2005 10:21, Loic Minier wrote:
>  Can you please send a copy of your /etc/apt/sources.list?

That's a one liner:

deb http://security.debian.org woody/updates main contrib non-free

It's not upgraded to Sarge yet.

CU
Christian



Reply sent to Nico Golde <nico@ngolde.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #92 received at 336096-done@bugs.debian.org (full text, mbox):

From: Nico Golde <nico@ngolde.de>
To: 336096-done@bugs.debian.org
Date: Fri, 13 Jan 2006 14:47:21 +0100
Hi,
I think this bug has been fixed with the latest upload of 
fetchmail-6.3.1-1.
Regards Nico

-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 22:25:44 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:44:43 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.