fetchmail denial of service CVE-2008-2711

Trying to link this bug to CVE-2008-2711 (the web UI for that doesn't seem to work).

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2711

On Fri, Jun 20, 2008 at 03:18, Emanuele Gentili wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2711

I meant using the link "Link to CVE" in the Actions menu on the left
which adds an appropriate reference to this bug's metadata and makes
it findable in the Launchpad CVE tracker
<https://bugs.launchpad.net/bugs/cve>.

See bug 241435 in Launchpad.

Once a qa-regression-testing test has been written for this update, we can do the cross-release regression testing done, and get it published. Thanks!

debdiff retired for now.

Wrinting qa-regression-testing script for test upstream fix.

http://fetchmail.berlios.de/fetchmail-SA-2008-01.txt

Fetchmail official Advisory.

http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824

Here's a patch to correct this security bug in intrepid.

Grabbing to look at sponsoring for Intrepid.

Not Fix Committed. Soyuz ate the upload twice. Waiting to find out what to do ...

This bug was fixed in the package fetchmail - 6.3.8-11ubuntu3

---------------
fetchmail (6.3.8-11ubuntu3) intrepid; urgency=low

  * SECURITY FIX for CVE-2008-2711 (LP: #240549)
    - Corrects a denial of service attack that can crash fetchmail when
      running in -v -v mode via malformed mail messages with long headers
  * patches/06_fix_CVE-2008-2711_DoS.patch
    - corrects CVE-2008-2711

 -- Michael Casadevall <email address hidden> Tue, 21 Oct 2008 08:05:46 -0400

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Unsubscribing sponsors, as I see nothing ready to be sponsored here...
Please resubscribe sponsors when you have a debdiff or a branch ready for a given release ?

Dapper is ignored, so I'm closing the task.

Not a GUI app. Dapper is supported for another year.

According to http://www.openwall.com/lists/oss-security/2008/06/13/1, -vv is used for debugging only and is not used in non-interactive settings. This bug may be fixed in a future update of fetchmail, at which point the status will be updated. Marking "Won't Fix" for now.

To clarify:

Artur, thank you very much for your patch. This vulnerability is considered negligible so your patches don't qualify for a security update at this time. If/when a more serious vulnerability is found in fetchmail, your patch can be rolled into that update and this bug's status will be adjusted. Updates are not provided for very minor issues as any update can potentially create work for administrators and users (for testing before a rollout) as well as risk regression. The vulnerability must outweigh the risks of regression and time required by administrators.

Thanks again