[USN-816-1] fetchmail vulnerability

Kees Cook kees at ubuntu.com
Tue Aug 18 15:48:41 UTC 2009


Hi Matthias,

On Tue, Aug 18, 2009 at 10:13:20AM +0200, Matthias Andree wrote:
> To the best of my knowledge, Marlinspike and Kaminsky have not investigated
> fetchmail (or if so, I haven't been contacted), so I believe it was I (as
> fetchmail's upstream maintainer) who investigated the software and found it
> vulnerable and fixed it.

Ah!  I'm very sorry for missing this.  Frequently when an upstream solves
security issues directly, it's harder to figure out who to credit with the
discovery.  In this case I fell back to the discoverer of the class of
problem rather than saying "It was discovered ..."

> This isn't reason to issue a revised advisory, but I'd seek you to correct your
> archive and in case you have to issue a revised advisory for other reasons.

Absolutely!  Thank you for calling attention to this, it is fixed in our
USN database[1] and CVE list[2].

Thanks!

-Kees

[1] http://www.ubuntu.com/usn/usn-816-1
[2] http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/annotate/head%3A/retired/CVE-2009-2666

-- 
Kees Cook
Ubuntu Security Team



