-rw-r--r--website/fetchmail-SA-2021-01.txt119
-rw-r--r--website/index.html26
-rw-r--r--website/security.html9
3 files changed, 141 insertions, 13 deletions
diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt
new file mode 100644
index 00000000..5f2563be
--- /dev/null
+++ b/website/fetchmail-SA-2021-01.txt
@@ -0,0 +1,119 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+fetchmail-SA-2021-01: DoS or information disclosure logging long messages
+
+Topics: fetchmail denial of service or information disclosure when logging long messages
+
+Author: Matthias Andree
+Version: 1.1
+Announced: 2021-07-28
+Type: missing variable initialization can cause read from bad memory
+ locations
+Impact: fetchmail logs random information, or segfaults and aborts,
+ stalling inbound mail
+Danger: low
+Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany
+ for analysis and report and a patch suggestion
+
+CVE Name: CVE-2021-36386
+URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt
+Project URL: https://www.fetchmail.info/
+
+Affects: - fetchmail releases up to and including 6.4.19
+
+Not affected: - fetchmail releases 6.4.20 and newer
+
+Corrected in: c546c829 Git commit hash
+
+ 2021-07-28 fetchmail 6.4.20 release tarball
+
+
+0. Release history
+==================
+
+2021-07-07 initial report to maintainer
+2021-07-28 1.0 release
+2021-07-28 1.1 update Git commit hash with correction
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail has long had support to assemble log/error messages that are
+generated piecemeal, and takes care to reallocate the output buffer as needed.
+In the reallocation case, i. e. when long log messages are assembled that can
+stem from very long headers, and on systems that have a varargs.h/stdarg.h
+interface (all modern systems), fetchmail's code would fail to reinitialize
+the va_list argument to vsnprintf.
+
+The exact effects depend on the verbose mode (how many -v are given) of
+fetchmail, computer architecture, compiler, operating system and
+configuration. On some systems, the code just works without ill effects, some
+systems log a garbage message (potentially disclosing sensitive information),
+some systems log literally "(null)", some systems trigger SIGSEGV (signal
+#11), which crashes fetchmail, causing a denial of service on fetchmail's end.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.4.20 or newer.
+
+The fetchmail source code is available from
+<https://sourceforge.net/projects/fetchmail/files/>.
+
+Distributors are encouraged to review the NEWS file and move forward to
+6.4.20, rather than backport individual security fixes, because doing so
+routinely misses other fixes crucial to fetchmail's proper operation,
+for which no security announcements are issued, or documentation,
+or translation updates.
+
+Fetchmail 6.4.X releases have been made with a focus on unchanged user and
+program interfaces so as to avoid disruptions when upgrading from 6.3.Z or
+6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface
+incompatibly.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC
+BY-ND 4.0. To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/4.0/
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2021-01
+-----BEGIN PGP SIGNATURE-----
+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+=1rxO
+-----END PGP SIGNATURE-----
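Review bot: the "Not affected" list names only 6.4.20 and newer, but website/index.html in this same commit states that 6.5.0-beta4 also fixes CVE-2021-36386; add a 6.5.0-beta4 line under "Not affected" (and the corresponding entry under "Corrected in") so the advisory and the front page agree. Section 2 describes the defect more precisely than the "Type:" header does: the va_list is not reinitialized before vsnprintf is called again in the reallocation path, which is a reuse of a consumed va_list rather than a plain "missing variable initialization"; consider wording the header accordingly. The security.html entry in this commit gives the trigger as "logging information longer than 2 kB", yet the advisory itself never states the buffer size at which reallocation, and thus the bug, kicks in; adding that threshold to section 2 would let distribution maintainers judge exposure without reading the code.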
diff --git a/website/index.html b/website/index.html
index 8a0a30a7..d4fe8ecf 100644
--- a/website/index.html
+++ b/website/index.html
@@ -15,7 +15,7 @@
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
-<td align="right"><!-- update date -->2021-04-24</td>
+<td align="right"><!-- update date -->2021-08-03</td>
</tr>
</table>
</div>
@@ -43,21 +43,25 @@
<h1>Fetchmail</h1>
<div style="background-color:#c0ffc0;color:#000000;">
- <h1>NEWS: FETCHMAIL 6.4.19 RELEASE</h1>
- <p>On 2021-04-24, <a
- href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail
- 6.4.19 has been released (click this link to download, or to see recent changes).
- </a> Note that you should use OpenSSL 1.1.1 or newer to compile.
- OpenSSL 1.0.2 has been EOL since Late 2019.</p>
- <h1>NEWS: FETCHMAIL 6.5.0-beta3 release</h1>
- <p>On 2021-04-24, <a
+ <h1>NEWS: FETCHMAIL 6.5.0-beta4 release</h1>
+ <p>On 2021-08-03, <a
href="https://sourceforge.net/projects/fetchmail/files/branch_6.5/">fetchmail
- 6.5.0.beta3 has been released (click this link to download, or to see recent changes).</a></p>
+ 6.5.0.beta4 has been released (click this link to download, or to see recent changes).</a>
+ It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.</p>
+ <h1>NEWS: FETCHMAIL 6.4.20 RELEASE</h1>
+ <p>On 2021-07-28, <a
+ href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail
+ 6.4.20 has been released (click this link to download, or to see recent changes).</a>
+ It fixes security bug CVE-2021-36386, see the link under <a href="#security-alerts">SECURITY ALERTS</a> below for details.
+ </p>
+ <p>Note that you should use OpenSSL 1.1.1 or newer to compile.
+ OpenSSL 1.0.2 has been in end-of-life status since Late 2019.</p>
<p>Note also that fetchmail 6.3.x versions are discontinued and no longer
supported (the youngest 6.3.26 was released in 2013).</p>
</div>
-<div style="background-color:#ffe0c0;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1>
+<div style="background-color:#ffe0c0;color:#000000;font-size:85%">
+ <h1 id="security-alerts">SECURITY ALERTS</h1>
<p>These have been moved <a href="security.html">to a separate
page (click here for security information)</a> to unclutter the
front page.
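Review bot: "OpenSSL 1.0.2 has been in end-of-life status since Late 2019" carries the capitalised "Late" over from the removed text; lowercase it. The two new paragraphs also differ in wording ("the security bug CVE-2021-36386" vs. "security bug CVE-2021-36386"); pick one form. Note that the `href="#security-alerts"` added in the 6.4.20 paragraph depends on the `id="security-alerts"` added to the SECURITY ALERTS heading further down in this hunk, so the two changes must stay in the same commit.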
diff --git a/website/security.html b/website/security.html
index 23717b11..98129b07 100644
--- a/website/security.html
+++ b/website/security.html
@@ -14,7 +14,7 @@
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
-<td align="right"><!-- update date -->2012-08-30</td>
+<td align="right"><!-- update date -->2021-07-28</td>
</tr>
</table>
</div>
@@ -41,7 +41,7 @@
issues have become
known to the fetchmail maintainer to the date mentioned above.</p>
- <p>Note that fetchmail 6.2.X and older are no longer supported and contain
+ <p>Note that fetchmail 6.3.X and older are no longer supported and contain
some of the problems mentioned below, even if they aren't mentioned
in the security announcements:</p>
<ul>
@@ -49,6 +49,11 @@
<li><a name="cve-2012-3482"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a>
-->
+ <li><a name="cve-2021-36386"
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a>
+ Fetchmail could <a href="fetchmail-SA-2021-01.txt">log possibly
+ sensitive data or garbage, or crash, when logging information longer
+ than 2 kB, on some systems.</a></li>
<li><a name="cve-2012-3482"
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a>
Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and
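Review bot: the new CVE-2021-36386 link uses plain http:// for cve.mitre.org while the advisory itself is published under https://www.fetchmail.info; prefer https:// here (the existing CVE-2012-3482 entries have the same issue and could be fixed in the same pass). The `name="cve-2021-36386"` attribute follows the convention of the surrounding entries, which is fine for consistency, but `name` on `<a>` is obsolete in HTML5 and these anchors would become `id` attributes if the page is ever modernised.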