Debian Security Advisory DSA 071-1 (fetchmail)

The remote host is missing an update to fetchmail announced via advisory DSA 071-1.
Salvatore Sanfilippo found two remotely exploitable problems in fetchmail while doing a security audit. In both the imap and pop3 code the input is not verified and used to store a number in an array. Since no bounds checking is done this can be used by an attacker to write arbitrary data in memory. An attacker can use this if we can get a user to transfer mail from a custom imap or pop3 server he controls. This has been fixed in version 5.3.3-3.