The following vulnerabilities apply to all releases of getmail prior to 3.2.5, and all version 4 releases prior to 4.2.0. They do not apply where getmail is run as an unprivileged user, or where an unprivileged external MDA is used for the final delivery of mail. They are not exploitable remotely. Although it is not the recommended mode of operation, by being run as root, getmail is able give users ownership of the files containing their new mail. However, the built-in mail delivery code was not suitable for use as root in the presence of hostile local users. It had the following vulnerabilities: Mbox delivery (version 4 releases prior to 4.2.0): Attacker replacing an mbox file with a symbolic link can have mail delivered (as root) into a new mbox file with a name and path of their choosing. Successful exploitation of a race condition allows existing files to be overwritten. The files are given 600 permissions and the same owner/group as the directory containing the mbox delivery point. Maildir delivery (version 4 releases prior to 4.2.0, all releases prior to 3.2.5): Attacker replacing subdirectories of a maildir with suitable symbolic links can have mail delivered into an arbitrary directory. Filenames cannot be chosen by the attacker, but successful exploitation of a race condition can allow arbitrary file contents to be substituted for mail. The files are given 600 permissions and the same owner/group as the maildir. Both sets of vulnerabilities may be exploited to have arbitrary commands executed as root. Workaround: Do not run getmail as a privileged user; or, in version 4, use an external MDA with explicitly configured user and group privileges. Fix: Versions 3.2.5 and 4.2.0 are now available at: http://www.qcc.ca/~charlesc/software/getmail-4/ Version 3.2.5 just enforces the workaround. Version 4.2.0 solves the problem by dropping privileges to those of an explicitly configured user before delivering mail, as was already done for delivery by external MDAs. Note: version 4 releases require Python 2.3.3 or later. Python 2.3.x can be installed alongside an earlier version if required; see the README file in the latest source tarball, available at http://www.python.org. Once installed, getmail will use whichever version was initially used to run its setup script.