Fetchmail Remote Denial of Service Vulnerability

Bugtraq ID:	21902
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2006-5974
Remote:	Yes
Local:	No
Published:	Jan 06 2007 12:00AM
Updated:	Mar 22 2007 08:33PM
Credit:	Matthias Andree reported these issues.
Vulnerable:	Trustix Secure Linux 3.0 Trustix Secure Linux 2.2 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 10 SuSE Linux 9.3 SuSE Linux 9.2 SuSE Linux 9.1 SuSE Linux 10.1 SuSE Linux 10.0 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux 11.0 Redhat Fedora Core6 Redhat Fedora Core5 OpenPKG OpenPKG Stable OpenPKG OpenPKG E1.0-Solid OpenPKG OpenPKG Current OpenPKG OpenPKG 2-Stable-20061018 Gentoo Linux Eric Raymond Fetchmail 6.3.6 -rc2 Eric Raymond Fetchmail 6.3.6 -rc1 Eric Raymond Fetchmail 6.3.5
Not Vulnerable:	Eric Raymond Fetchmail 6.3.6

Fetchmail Remote Denial of Service Vulnerability

Fetchmail is prone to a denial-of-service vulnerability because the application fails to handle exceptional conditions.

An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

Fetchmail Remote Denial of Service Vulnerability

An attacker may trigger this issue by constructing a specially crafted email message and sending this message using the 'mda' option.

Fetchmail Remote Denial of Service Vulnerability

Solution:
The vendor has released an update to address this issue. Please see the references for more information.


Eric Raymond Fetchmail 6.3.5

• Fetchmail Fetchmail 6.3.6
  http://developer.berlios.de/project/showfiles.php?group_id=1824

Fetchmail Remote Denial of Service Vulnerability

References:

• Fetchmail 6.3.6 Release Notes (BerilOS)
  
• Fetchmail Home Page (Fetchmail)
  
• fetchmail crashes when refusing a message bound for an MDA (Matthias Andree)