Updated Fetchmail packages that close a number of vulnerabilities are available for Red Hat Linux on IBM iSeries and pSeries systems.
Fetchmail is a remote mail retrieval and forwarding utility intended for use over on-demand TCP/IP links such as SLIP and PPP connections.

Three bugs have been found in the header parsing code in Fetchmail versions prior to 6.2.0:

Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses. The resulting heap-based buffer overflow allows remote attackers to execute arbitrary code via a header with a large number of local addresses.

Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via long headers that are not properly processed by the readheaders function, or via long Received: headers, which are not properly parsed by the parse_received function.

The getmxrecord function in Fetchmail 6.0.0 and earlier does not properly check the boundary of a particular malformed DNS packet from a malicious DNS server, which allows remote attackers to cause a denial of service (crash) when Fetchmail attempts to read data beyond the expected boundary.

All users of Fetchmail are advised to upgrade to the errata packages, which contain a backported fix and are not vulnerable to these issues.
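The first bug is a sizing error: when local addresses are expanded by appending "@" and a host name, the buffer has to grow by the host length plus one byte per local address. The following C is an added illustration of that class of error and its correction, not Fetchmail source code; the function names, the comma-separated input without whitespace, and the host name are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count comma-separated entries with no '@' (local addresses). */
static size_t count_local(const char *list)
{
    size_t n = 0;
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, ",");
        if (len > 0 && memchr(p, '@', len) == NULL) n++;
        p += len + (p[len] == ',');
    }
    return n;
}

/* Flawed sizing: reserves the host per local address but not the '@'. */
size_t flawed_size(const char *l, const char *h) { return strlen(l) + count_local(l) * strlen(h) + 1; }
/* Correct sizing: each local address grows by '@' plus the host. */
size_t needed_size(const char *l, const char *h) { return strlen(l) + count_local(l) * (strlen(h) + 1) + 1; }

/* Append "@host" to local addresses; heap result, NULL on error. */
char *qualify(const char *list, const char *host)
{
    size_t cap = needed_size(list, host), used = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    out[0] = '\0';
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, ",");
        int local = len > 0 && memchr(p, '@', len) == NULL;
        int w = snprintf(out + used, cap - used, "%.*s%s%s%s", (int)len, p,
                         local ? "@" : "", local ? host : "", p[len] == ',' ? "," : "");
        if (w < 0 || (size_t)w >= cap - used) { free(out); return NULL; } /* never write past cap */
        used += (size_t)w;
        p += len + (p[len] == ',');
    }
    return out;
}

int main(void)
{
    const char *list = "alice,bob@example.org,carol"; /* constructed sample */
    char *q = qualify(list, "mail.example");            /* hypothetical host */
    printf("%s\n", q ? q : "(failed)");
    free(q);
    return 0;
}
```

The shortfall of the flawed computation is one byte per local address, which is why the advisory ties the overflow to a header with a large number of local addresses.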