Binary package hint: fetchmail
This is a draft of an upstream security announcement for fetchmail that also affects all versions ever shipped by Ubuntu, to be publicly released once the CVE name has been assigned (it is not yet, and has been requested via oss-security@).
Fixing this for Lucid should be highest priority, even before fixing shipping/supported releases such as Karmic.
http://gitorious.org/fetchmail/fetchmail/blobs/raw/master/fetchmail-SA-2010-02.txt (attached).
NOTE: The patch from the SA WILL NOT YIELD a working fetchmail copy in Ubuntu, because the base fetchmail version is older than 6.3.14.
This is also a showcase for the issue described in https://bugs.launchpad.net/ubuntu/+source/fetchmail/+bug/557467 that upgrading outdated packages will become ever harder over time.
The information is public already, no need to keep the Ubuntu copy private.