bugzilla@redhat.com writes: > Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1, > 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched > versions of fetchmail prior to 5.9.10. It appears that this vulnerability is caused by some alloca() implementations which do not return zero if the caller requests more memory than which is available. Red Hat's patch does not address the root of the problem by fixing alloca() (a problem which might be of more generic nature and could well be present in other software as well), but it bounds the requested memory by something which appears to be a rather arbitrary constant. -- Florian Weimer Weimer@CERT.Uni-Stuttgart.DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
