Update website for 6.5.0.beta4 release.

author: Matthias Andree <matthias.andree@gmx.de> 2021-08-03 15:35:56 +0200
committer: Matthias Andree <matthias.andree@gmx.de> 2021-08-03 15:35:56 +0200
commit: 13d816baa52d05fad3302607d7b6ccf92c377490 (patch)
tree: bef917490742d137da8e70d84fa8306e69b6dd8d /website
parent: ba6837fcbbf44d4dd31693696710c49287619a76 (diff)
download: fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.tar.gz
fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.tar.bz2
fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.zip
3 files changed, 141 insertions, 13 deletions
diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt
new file mode 100644
index 00000000..5f2563be
--- /dev/null
+++ b/website/fetchmail-SA-2021-01.txt
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+fetchmail-SA-2021-01: DoS or information disclosure logging long messages
+
+Topics:		fetchmail denial of service or information disclosure when logging long messages
+
+Author:		Matthias Andree
+Version:	1.1
+Announced:	2021-07-28
+Type:		missing variable initialization can cause read from bad memory 
+		locations
+Impact:		fetchmail logs random information, or segfaults and aborts, 
+		stalling inbound mail
+Danger:		low
+Acknowledgment:	Christian Herdtweck, Intra2net AG, Tübingen, Germany
+		for analysis and report and a patch suggestion
+
+CVE Name:	CVE-2021-36386
+URL:		https://www.fetchmail.info/fetchmail-SA-2021-01.txt
+Project URL:	https://www.fetchmail.info/
+
+Affects:	- fetchmail releases up to and including 6.4.19
+
+Not affected:	- fetchmail releases 6.4.20 and newer
+
+Corrected in:	c546c829 Git commit hash
+
+		2021-07-28 fetchmail 6.4.20 release tarball
+
+
+0. Release history
+==================
+
+2021-07-07	initial report to maintainer
+2021-07-28 1.0	release
+2021-07-28 1.1	update Git commit hash with correction
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail has long had support to assemble log/error messages that are 
+generated piecemeal, and takes care to reallocate the output buffer as needed.  
+In the reallocation case, i. e. when long log messages are assembled that can 
+stem from very long headers, and on systems that have a varargs.h/stdarg.h 
+interface (all modern systems), fetchmail's code would fail to reinitialize 
+the va_list argument to vsnprintf. 
+
+The exact effects depend on the verbose mode (how many -v are given) of 
+fetchmail, computer architecture, compiler, operating system and 
+configuration.  On some systems, the code just works without ill effects, some 
+systems log a garbage message (potentially disclosing sensitive information), 
+some systems log literally "(null)", some systems trigger SIGSEGV (signal 
+#11), which crashes fetchmail, causing a denial of service on fetchmail's end.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.4.20 or newer.
+
+The fetchmail source code is available from
+<https://sourceforge.net/projects/fetchmail/files/>.
+
+Distributors are encouraged to review the NEWS file and move forward to 
+6.4.20, rather than backport individual security fixes, because doing so 
+routinely misses other fixes crucial to fetchmail's proper operation, 
+for which no security announcements are issued, or documentation,
+or translation updates.
+
+Fetchmail 6.4.X releases have been made with a focus on unchanged user and 
+program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 
+6.4.X to 6.4.Y with Y > X.  Care was taken to not change the interface 
+incompatibly.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC 
+BY-ND 4.0. To view a copy of this license, visit 
+http://creativecommons.org/licenses/by-nd/4.0/
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2021-01
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z
+hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft
+JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7
+55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK
+ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC
+h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9
+8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR
+fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh
+/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc
+aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI
+cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR
+/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE=
+=1rxO
+-----END PGP SIGNATURE-----
diff --git a/website/index.html b/website/index.html
index 8a0a30a7..d4fe8ecf 100644
--- a/website/index.html
+++ b/website/index.html
@@ -15,7 +15,7 @@
 <table width="100%" cellpadding="0" summary="Canned page header">
 <tr>
 <td>Fetchmail</td>
-<td align="right"><!-- update date -->2021-04-24</td>
+<td align="right"><!-- update date -->2021-08-03</td>
 </tr>
 </table>
 </div>
@@ -43,21 +43,25 @@
 <h1>Fetchmail</h1>
 
 <div style="background-color:#c0ffc0;color:#000000;">
-    <h1>NEWS: FETCHMAIL 6.4.19 RELEASE</h1>
-    <p>On 2021-04-24, <a 
-    href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail 
-    6.4.19 has been released (click this link to download, or to see recent changes).
-    </a> Note that you should use OpenSSL 1.1.1 or newer to compile.
-    OpenSSL 1.0.2 has been EOL since Late 2019.</p> 
-    <h1>NEWS: FETCHMAIL 6.5.0-beta3 release</h1>
-     <p>On 2021-04-24, <a 
+    <h1>NEWS: FETCHMAIL 6.5.0-beta4 release</h1>
+     <p>On 2021-08-03, <a 
     href="https://sourceforge.net/projects/fetchmail/files/branch_6.5/">fetchmail 
-    6.5.0.beta3 has been released (click this link to download, or to see recent changes).</a></p>
+    6.5.0.beta4 has been released (click this link to download, or to see recent changes).</a>
+     It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.</p>
+    <h1>NEWS: FETCHMAIL 6.4.20 RELEASE</h1>
+    <p>On 2021-07-28, <a 
+    href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail 
+    6.4.20 has been released (click this link to download, or to see recent changes).</a>
+    It fixes security bug CVE-2021-36386, see the link under <a href="#security-alerts">SECURITY ALERTS</a> below for details.
+    </p>
+    <p>Note that you should use OpenSSL 1.1.1 or newer to compile.
+    OpenSSL 1.0.2 has been in end-of-life status since Late 2019.</p> 
     <p>Note also that fetchmail 6.3.x versions are discontinued and no longer 
     supported (the youngest 6.3.26 was released in 2013).</p>
 </div>
 
-<div style="background-color:#ffe0c0;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1>
+<div style="background-color:#ffe0c0;color:#000000;font-size:85%">
+  <h1 id="security-alerts">SECURITY ALERTS</h1>
     <p>These have been moved <a href="security.html">to a separate
 	page (click here for security information)</a> to unclutter the
     front page.
diff --git a/website/security.html b/website/security.html
index 23717b11..98129b07 100644
--- a/website/security.html
+++ b/website/security.html
@@ -14,7 +14,7 @@
 <table width="100%" cellpadding="0" summary="Canned page header">
 <tr>
 <td>Fetchmail</td>
-<td align="right"><!-- update date -->2012-08-30</td>
+<td align="right"><!-- update date -->2021-07-28</td>
 </tr>
 </table>
 </div>
@@ -41,7 +41,7 @@
     issues have become
     known to the fetchmail maintainer to the date mentioned above.</p>
 
-    <p>Note that fetchmail 6.2.X and older are no longer supported and contain
+    <p>Note that fetchmail 6.3.X and older are no longer supported and contain
     some of the problems mentioned below, even if they aren't mentioned
     in the security announcements:</p>
     <ul>
@@ -49,6 +49,11 @@
 	<li><a name="cve-2012-3482"
 	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a>
 	-->
+	<li><a name="cve-2021-36386"
+	    href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a>
+		Fetchmail could <a href="fetchmail-SA-2021-01.txt">log possibly 
+	sensitive data or garbage, or crash, when logging information longer 
+				   than 2 kB, on some systems.</a></li>
 	<li><a name="cve-2012-3482"
 	    href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a>
 	Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and
author	Matthias Andree <matthias.andree@gmx.de>	2021-08-03 15:35:56 +0200
committer	Matthias Andree <matthias.andree@gmx.de>	2021-08-03 15:35:56 +0200
commit	13d816baa52d05fad3302607d7b6ccf92c377490 (patch)
tree	bef917490742d137da8e70d84fa8306e69b6dd8d /website
parent	ba6837fcbbf44d4dd31693696710c49287619a76 (diff)
download	fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.tar.gz fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.tar.bz2 fetchmail-13d816baa52d05fad3302607d7b6ccf92c377490.zip