-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
mail-notification-SA-04:1.asc
Mail Notification Security Advisory

Module:         POP3
Announced:      2004-10-06
Affects:        0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4
Corrected:      0.4.0

I.   Problem Description

Insufficient input validation in the POP3 code allows a malformed STAT
reply to overflow the stack.

II.  Impact

On most platforms, arbitrary code execution with the privileges of the
user running Mail Notification is believed to be possible.

However, for this attack to be possible, the attacker must first hijack
the connection between Mail Notification and the POP3 server.

III. Workaround

Do not monitor a POP3 mailbox.

If you want to ensure that the faulty code will not be used, reinstall
Mail Notification using the following commands:

    $ ./configure --disable-pop3
    $ make
    $ make install

IV.  Solution

Upgrade Mail Notification to version 0.4.0 or later.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBZDOxyzD7UaO4AGoRAo7OAJ4k9Ua/Vi3E77/yuHbZC156+w4czQCdGpda
oID2bKOuRBNrR+MNrXMeNqU=
=f3Ny
-----END PGP SIGNATURE-----
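
The class of validation the Problem Description refers to, shown as an added example: a STAT reply parser that checks the length before copying and rejects anything that is not "+OK nn mm". This is not Mail Notification's code and not the 0.4.0 fix; the names pop3_parse_stat, read_number and POP3_MAX_LINE are hypothetical, and the 512-character line limit is taken from RFC 1939.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define POP3_MAX_LINE 512 /* RFC 1939 limit on a response line, CRLF included */

/* Read one run of decimal digits at *p; reject signs, blanks and overflow. */
static int read_number(char **p, unsigned long *out)
{
    char *end;

    if (!isdigit((unsigned char)**p))
        return -1;
    errno = 0;
    *out = strtoul(*p, &end, 10);
    if (errno == ERANGE)
        return -1;
    *p = end;
    return 0;
}

/* Return 0 and fill count/octets for a well-formed "+OK nn mm" reply,
 * -1 for anything else. `reply` need not be NUL-terminated. */
int pop3_parse_stat(const char *reply, size_t len,
                    unsigned long *count, unsigned long *octets)
{
    char buf[POP3_MAX_LINE + 1];
    char *p = buf;

    /* Length is checked before the copy, so buf can never be overrun. */
    if (len > POP3_MAX_LINE || memchr(reply, '\0', len) != NULL)
        return -1;
    memcpy(buf, reply, len);
    buf[len] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0'; /* drop the line terminator */

    if (strncmp(p, "+OK ", 4) != 0)
        return -1;
    p += 4;
    if (read_number(&p, count) != 0 || *p++ != ' ')
        return -1;
    if (read_number(&p, octets) != 0)
        return -1;
    /* Only end of line or space-separated extra text may follow. */
    return (*p == '\0' || *p == ' ') ? 0 : -1;
}
```

A caller should treat a -1 return as a protocol error and drop the connection rather than retry the parse with looser rules.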