-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
mail-notification-SA-04:2.asc
Mail Notification Security Advisory

Module:         IMAP
Announced:      2004-10-06
Affects:        0.6.0, 0.6.1, 0.6.2
Corrected:      0.7.0

I.   Problem Description

Insufficient input validation in the IMAP code allows an out of context
continuation response to trigger a call to strcmp() with a null pointer
as first argument. On most platforms, this leads to a null pointer
dereference.

II.  Impact

The likely impact is a crash of the program. However, for this attack to
be possible, the attacker must first hijack the connection between Mail
Notification and the IMAP server.

III. Workaround

Do not monitor an IMAP mailbox.

If you want to ensure that the faulty code will not be used, reinstall
Mail Notification using the following commands:

    $ ./configure --disable-imap
    $ make
    $ make install

IV.  Solution

Upgrade Mail Notification to version 0.7.0 or later.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBZDPUyzD7UaO4AGoRAv0eAJ4h6gtc+mxYoA7HimMGjQQ4EoqkoACfQ1fT
184fZ9F1eX+4Udxcv8P0tSQ=
=Qv3C
-----END PGP SIGNATURE-----
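
The class of bug described in section I, as an added example that is not Mail Notification's own code: a hypothetical IMAP response handler that rejects a continuation response arriving when no command is waiting for one, instead of passing the unset pointer to strcmp(). The names struct imap_session, handle_line and the result codes are assumptions made for illustration, and the sample lines in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical client state: name of the command waiting for a server
 * continuation ("+ ..."), or NULL when no command expects one. */
struct imap_session {
    const char *awaiting_continuation;
};

enum imap_result { IMAP_OK, IMAP_SEND_CREDENTIALS, IMAP_PROTOCOL_ERROR };

/* A continuation response starts with "+" followed by a space or line end. */
static int is_continuation(const char *line)
{
    return line != NULL && line[0] == '+' &&
           (line[1] == ' ' || line[1] == '\r' || line[1] == '\n' || line[1] == '\0');
}

enum imap_result handle_line(struct imap_session *s, const char *line)
{
    if (!is_continuation(line))
        return IMAP_OK;               /* other responses are handled elsewhere */

    /* Unsafe form: calling strcmp(s->awaiting_continuation, ...) directly.
     * With no command pending the pointer is NULL and strcmp() dereferences it. */
    if (s->awaiting_continuation == NULL)
        return IMAP_PROTOCOL_ERROR;   /* out of context: treat the peer as broken */

    if (strcmp(s->awaiting_continuation, "AUTHENTICATE") == 0) {
        s->awaiting_continuation = NULL;  /* the expectation is consumed once */
        return IMAP_SEND_CREDENTIALS;
    }
    return IMAP_PROTOCOL_ERROR;       /* continuation for an unexpected command */
}

int main(void)
{
    struct imap_session s = { NULL };

    /* Constructed input: continuation with nothing pending. */
    printf("unsolicited: %d\n", handle_line(&s, "+ go ahead\r\n"));

    /* Constructed input: continuation while AUTHENTICATE is pending. */
    s.awaiting_continuation = "AUTHENTICATE";
    printf("expected:    %d\n", handle_line(&s, "+ \r\n"));
    return 0;
}
```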