Yellow Dog Linux Security Announcement
--------------------------------------

Package:      fetchmail
Issue Date:   October 20, 2002
Priority:     high
Advisory ID:  YDU-20021020-3

1. Topic:

   Updated fetchmail packages are available.

2. Problem:

   "Fetchmail is a remote mail retrieval and forwarding utility intended
   for use over on-demand TCP/IP links such as SLIP and PPP connections.

   Two bugs have been found in the header parsing code in versions of
   Fetchmail prior to 6.1.0.

   The first bug allows a remote attacker to crash Fetchmail by sending a
   carefully crafted DNS packet. The second bug allows a remote attacker
   to carefully craft an email in such a way that when it is parsed by
   Fetchmail a heap overflow occurs, allowing remote arbitrary code
   execution.

   Both of these bugs are only exploitable if Fetchmail is being used in
   multidrop mode (using the "multiple-local-recipients" feature).

   All users of Fetchmail are advised to upgrade to the errata packages
   containing a backported fix which is not vulnerable to these issues."
   (from Red Hat advisory)

3. Solution:

   a) Updating via apt...
      We suggest that you use the apt-get program to keep your system
      up-to-date. The following command(s) will retrieve and install the
      fixed version of this update onto your system:

         apt-get update
         apt-get install fetchmail

   b) Updating manually...
      Download the updates below and then run the following rpm command.
      (Please use a mirror site)

         rpm -Fvh [filenames]

      ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
      ppc/fetchmail-5.9.0-20.2.3a.ppc.rpm
      ppc/fetchmailconf-5.9.0-20.2.3a.ppc.rpm

4. Verification

   MD5 checksum                      Package
   --------------------------------  ----------------------------
   5d119481e2103aaf6ec04a25cec9ecff  ppc/fetchmail-5.9.0-20.2.3a.ppc.rpm
   6e17f5baa56c14bf4d1ac8ba3ae99d7f  ppc/fetchmailconf-5.9.0-20.2.3a.ppc.rpm
   56daee414c4bf417a89331b40f043374  SRPMS/fetchmail-5.9.0-20.2.3a.src.rpm

   If you wish to verify that each package has not been corrupted or
   tampered with, examine the md5sum with the following command:

      rpm --checksig --nogpg filename

5. Misc.

   Terra Soft has set up a moderated mailing list where these security,
   bugfix, and package enhancement announcements will be posted. See
   http://lists.terrasoftsolutions.com/ for more information.

   For information regarding the usage of apt-get, see:
   http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
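
An added example, not part of the advisory or of Yellow Dog's tooling: a shell function that compares downloaded packages against the MD5 values listed in the Verification section before they are handed to rpm -Fvh. The function name, the saved table file and the download directory are assumptions, and md5sum is assumed to be installed.

```shell
#!/bin/sh
# Added example; verify_advisory_md5 is a hypothetical helper name.
# Usage: verify_advisory_md5 TABLE_FILE DOWNLOAD_DIR
#   TABLE_FILE   the Verification table saved as text ("<md5> <path>" rows)
#   DOWNLOAD_DIR directory holding the downloaded .rpm files
verify_advisory_md5() {
    table=$1
    dir=$2
    checked=0
    failed=0
    while read -r sum path rest || [ -n "$sum" ]; do
        # Keep only rows whose first field is 32 lowercase hex digits;
        # this skips the header, the dashed rule and blank lines.
        case $sum in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        file=$dir/${path##*/}   # downloads are stored under their base name
        if [ ! -f "$file" ]; then
            echo "SKIPPED   $path (not downloaded)"
            continue
        fi
        checked=$((checked + 1))
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (got $actual)"
            failed=$((failed + 1))
        fi
    done < "$table"
    # Succeed only if at least one package was checked and none mismatched.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Run only when invoked with both arguments, e.g. before "rpm -Fvh".
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

rpm --checksig --nogpg checks the digest stored inside the package and skips the GPG signature, whereas this function compares each file with the value published in the advisory.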