August 7, 2009

[installer 2030] fetchmail-6.3.11

fetchmail-6.3.11 has been released.

This release fixes a security hole.
See http://www.fetchmail.info/fetchmail-SA-2009-01.txt

☆ fetchmail-6.3.11
http://www.fetchmail.info/

http://developer.berlios.de/project/showfiles.php?group_id=1824
http://download.berlios.de/fetchmail/fetchmail-6.3.11.tar.bz2

fetchmail 6.3.11 (released 2009-08-06):

# SECURITY BUGFIXES
* CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a
part of a X.509 certificate's CommonName and subjectAltName fields. These
fields use opaque strings with a separate length field, so that the NUL
character isn't a special character inside the certificate. Fetchmail, being
written in the C language, used to treat these strings as C strings
nonetheless, so that the domain comparison would end at the first embedded NUL
character, rather than at the real end of the string.
Fetchmail will now abort certificate verification as failed if NULs are
encountered inside either of these fields regardless of their position, and
drop the connection even if --sslcertck is not used, because NUL is not a
valid character in legitimate DNS names.
See fetchmail-SA-2009-01.txt for details, including a minimal patch.

# BUGFIXES
* Remove the spurious message "message delimiter found while scanning headers".
RFC-5322 syntax states that the delimiter is part of the body, and the body is
optional.
* Convert all non-printable characters in certificate Subject/Issuer
Common Name or Subject Alternative Name fields to ANSI-C hex escapes (\xnn,
where nn are hex digits).

# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
* [zh_CN] Chinese/Simplified (Ji ZhengYu)
* [es] Spanish/Castilian (Francisco Molinero)

----
こがよういちろう
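
The CVE-2009-2666 entry and the hex-escape bugfix in the release notes above, modelled as an added C example (not fetchmail's code and not part of the original post). The function names and the sample name with its placeholder domains are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: counted certificate name, NUL after the expected host. */
static const unsigned char SAMPLE_CN[] = "mail.example.com\0.attacker.example";
#define SAMPLE_CN_LEN (sizeof SAMPLE_CN - 1) /* counted length: 34 bytes */

/* Pre-fix model: name read as a C string, so comparison ends at the first NUL. */
static int match_as_c_string(const unsigned char *name, const char *host)
{
    for (; *name && *host; name++, host++)
        if (tolower(*name) != tolower((unsigned char)*host))
            return 0;
    return *name == '\0' && *host == '\0';
}

/* Post-fix model: -1 if a NUL occurs anywhere in the counted field, else 1/0. */
static int match_counted(const unsigned char *name, size_t len, const char *host)
{
    if (memchr(name, '\0', len) != NULL)
        return -1;
    if (len != strlen(host))
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower(name[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Log form: non-printable bytes become \xnn. outsz >= 1. Returns chars written. */
static size_t escape_name(const unsigned char *name, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 <= outsz; i++)
        o += (size_t)snprintf(out + o, outsz - o,
                              isprint(name[i]) ? "%c" : "\\x%02x", name[i]);
    out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[128];
    escape_name(SAMPLE_CN, SAMPLE_CN_LEN, buf, sizeof buf);
    printf("%s c_string=%d counted=%d\n", buf,
           match_as_c_string(SAMPLE_CN, "mail.example.com"),
           match_counted(SAMPLE_CN, SAMPLE_CN_LEN, "mail.example.com"));
    return 0;
}
```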


Posted by xml-rpc: August 7, 2009 10:51