Add fetchmail-SA-2011-01.txt

3 files changed, 134 insertions, 0 deletions

diff --git a/Makefile.am b/Makefile.am
index 6b433f61..02f4da76 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -135,6 +135,7 @@ DISTDOCS=	FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
 		README.packaging README.SSL-SERVER \
 		fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
 		Mailbox-Names-UTF7.txt Mailbox-Names-UTF7.html \
+		fetchmail-SA-2011-01.txt \
 		fetchmail-EN-2010-03.txt \
 		fetchmail-SA-2010-02.txt \
 		fetchmail-SA-2010-01.txt \
diff --git a/NEWS b/NEWS
index 8d55e7c2..bd4c450d 100644
--- a/NEWS
+++ b/NEWS
@@ -65,6 +65,7 @@ fetchmail-6.3.20 (not yet released, 26005 LoC):
      SSL-wrapped connections were unaffected by this timeout, so users of older
   versions can force ssl-wrapped connections -- if supported by the server --
   with the --ssl command line or ssl rcfile option.
+  See fetchmail-SA-2011-01.txt for further details.
 
 # BUG FIXES
 * IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
diff --git a/fetchmail-SA-2011-01.txt b/fetchmail-SA-2011-01.txt
new file mode 100644
index 00000000..fc627f65
--- /dev/null
+++ b/fetchmail-SA-2011-01.txt
@@ -0,0 +1,132 @@
+fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode
+
+Topics:		Denial of service in STARTTLS protocol phases
+
+Author:		Matthias Andree
+Version:	XXX
+Announced:	XXX
+Type:		Unguarded blocking I/O can cause indefinite application hang
+Impact:		Denial of service
+Danger:		low
+
+CVE Name:	
+CVSSv2:		
+CVSS scores:	
+		This is calculated without Environmental Score.
+URL:		http://www.fetchmail.info/fetchmail-SA-2011-01.txt
+Project URL:	http://www.fetchmail.info/
+
+Affects:	fetchmail releases 5.9.9 up to and including 6.3.19
+
+Not affected:	fetchmail release 6.3.20 and newer
+
+Corrected in:	2011-05-26 Git, among others, see commit
+		7dc67b8cf06f74aa57525279940e180c99701314
+
+		2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
+
+		pending    fetchmail 6.3.20 release tarball
+
+
+0. Release history
+==================
+
+2011-05-30 0.1	first draft (visible in Git and through oss-security)
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail version 5.9.9 introduced STLS support for POP3, version
+6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
+in-band SSL/TLS negotiation was not guarded by a timeout.
+
+Depending on the operating system defaults as to TCP stream keepalive
+mode, fetchmail hangs in excess of one week after sending STARTTLS were
+observed if the connection failed without notifying the operating
+system, for instance, through network outages or hard server crashes.
+
+A malicious server that does not respond, at the network level, after
+acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
+in this protocol state, and thus render fetchmail unable to complete the
+poll, or proceed to the next server, effecting a denial of service.
+
+SSL-wrapped mode on dedicated ports was unaffected by this problem, so
+can be used as a workaround.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.3.20 or newer after it will have become available.
+(Note that the announcements may be publicly visible quite some time
+before the release is made, particularly for minor bugs.)
+
+The fetchmail source code is always available from
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+Distributors are encouraged to review the NEWS file and move forward to
+6.3.20, rather than backport individual security fixes, because doing so
+routinely misses other fixes crucial to fetchmail's proper operation,
+for which no security announcements are issued.  Several such
+(long-standing) bugs were fixed through recent releases.
+
+Fetchmail 6.3.X releases have always been made with a focus on unchanged
+user and program interfaces so as to avoid disruptions when upgrading
+from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
+interface incompatibly.
+
+There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!
+
+
+4. Workaround
+=============
+
+A. If supported by the server's configuration, fetchmail can be run in
+ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
+ssl3" option must be configured (possibly replacing sslproto tls1 where
+configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
+the command line (where it applies to all poll configurations).
+   It is generally advisable to use --sslcertck to enable SSL
+certificate validation.
+
+B. If the operating system supports setting all TCP sockets to keepalive
+mode by default, and possibly lowering the delay until keepalive probes
+start, enabling this configuration can protect against hangs through
+silently broken connections, but not against a malicious server.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+
+Creative Commons
+171 Second Street
+Suite 300
+SAN FRANCISCO, CALIFORNIA 94105
+USA
+
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2011-01