-rw-r--r-- | website/fetchmail-SA-2021-01.txt | 119
-rw-r--r-- | website/index.html | 26
-rw-r--r-- | website/security.html | 9
3 files changed, 141 insertions, 13 deletions
diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt new file mode 100644 index 00000000..5f2563be --- /dev/null +++ b/website/fetchmail-SA-2021-01.txt 
@@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +fetchmail-SA-2021-01: DoS or information disclosure logging long messages + +Topics: fetchmail denial of service or information disclosure when logging long messages + +Author: Matthias Andree +Version: 1.1 +Announced: 2021-07-28 +Type: missing variable initialization can cause read from bad memory + locations +Impact: fetchmail logs random information, or segfaults and aborts, + stalling inbound mail +Danger: low +Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany + for analysis and report and a patch suggestion + +CVE Name: CVE-2021-36386 +URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt +Project URL: https://www.fetchmail.info/ + +Affects: - fetchmail releases up to and including 6.4.19 + +Not affected: - fetchmail releases 6.4.20 and newer + +Corrected in: c546c829 Git commit hash + + 2021-07-28 fetchmail 6.4.20 release tarball + + +0. Release history +================== + +2021-07-07 initial report to maintainer +2021-07-28 1.0 release +2021-07-28 1.1 update Git commit hash with correction + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail has long had support to assemble log/error messages that are +generated piecemeal, and takes care to reallocate the output buffer as needed. +In the reallocation case, i. e. 
when long log messages are assembled that can +stem from very long headers, and on systems that have a varargs.h/stdarg.h +interface (all modern systems), fetchmail's code would fail to reinitialize +the va_list argument to vsnprintf. + +The exact effects depend on the verbose mode (how many -v are given) of +fetchmail, computer architecture, compiler, operating system and +configuration. On some systems, the code just works without ill effects, some +systems log a garbage message (potentially disclosing sensitive information), +some systems log literally "(null)", some systems trigger SIGSEGV (signal +#11), which crashes fetchmail, causing a denial of service on fetchmail's end. + + +3. Solution +=========== + +Install fetchmail 6.4.20 or newer. + +The fetchmail source code is available from +<https://sourceforge.net/projects/fetchmail/files/>. + +Distributors are encouraged to review the NEWS file and move forward to +6.4.20, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued, or documentation, +or translation updates. + +Fetchmail 6.4.X releases have been made with a focus on unchanged user and +program interfaces so as to avoid disruptions when upgrading from 6.3.Z or +6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface +incompatibly. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>. +Some rights reserved. + +fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC +BY-ND 4.0. To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/4.0/ + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. 
+ +END of fetchmail-SA-2021-01 +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z +hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft +JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7 +55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK +ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC +h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9 +8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR +fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh +/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc +aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI +cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR +/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE= +=1rxO +-----END PGP SIGNATURE----- diff --git a/website/index.html b/website/index.html index 8a0a30a7..d4fe8ecf 100644 --- a/website/index.html +++ b/website/index.html @@ -15,7 +15,7 @@ <table width="100%" cellpadding="0" summary="Canned page header"> <tr> <td>Fetchmail</td> -<td align="right"><!-- update date -->2021-04-24</td> +<td align="right"><!-- update date -->2021-08-03</td> </tr> </table> </div> 
@@ -43,21 +43,25 @@ <h1>Fetchmail</h1> <div style="background-color:#c0ffc0;color:#000000;"> - <h1>NEWS: FETCHMAIL 6.4.19 RELEASE</h1> - <p>On 2021-04-24, <a - href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail - 6.4.19 has been released (click this link to download, or to see recent changes). - </a> Note that you should use OpenSSL 1.1.1 or newer to compile. - OpenSSL 1.0.2 has been EOL since Late 2019.</p> - <h1>NEWS: FETCHMAIL 6.5.0-beta3 release</h1> - <p>On 2021-04-24, <a + <h1>NEWS: FETCHMAIL 6.5.0-beta4 release</h1> + <p>On 2021-08-03, <a href="https://sourceforge.net/projects/fetchmail/files/branch_6.5/">fetchmail - 6.5.0.beta3 has been released (click this link to download, or to see recent changes).</a></p> + 6.5.0.beta4 has been released (click this link to download, or to see recent changes).</a> + It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.</p> + <h1>NEWS: FETCHMAIL 6.4.20 RELEASE</h1> + <p>On 2021-07-28, <a + href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail + 6.4.20 has been released (click this link to download, or to see recent changes).</a> + It fixes security bug CVE-2021-36386, see the link under <a href="#security-alerts">SECURITY ALERTS</a> below for details. + </p> + <p>Note that you should use OpenSSL 1.1.1 or newer to compile. + OpenSSL 1.0.2 has been in end-of-life status since Late 2019.</p> <p>Note also that fetchmail 6.3.x versions are discontinued and no longer supported (the youngest 6.3.26 was released in 2013).</p> </div> -<div style="background-color:#ffe0c0;color:#000000;font-size:85%"> <h1>SECURITY ALERTS</h1> +<div style="background-color:#ffe0c0;color:#000000;font-size:85%"> + <h1 id="security-alerts">SECURITY ALERTS</h1> <p>These have been moved <a href="security.html">to a separate page (click here for security information)</a> to unclutter the front page. diff --git a/website/security.html b/website/security.html index 23717b11..98129b07 100644 
--- a/website/security.html +++ b/website/security.html @@ -14,7 +14,7 @@ <table width="100%" cellpadding="0" summary="Canned page header"> <tr> <td>Fetchmail</td> -<td align="right"><!-- update date -->2012-08-30</td> +<td align="right"><!-- update date -->2021-07-28</td> </tr> </table> </div> @@ -41,7 +41,7 @@ issues have become known to the fetchmail maintainer to the date mentioned above.</p> - <p>Note that fetchmail 6.2.X and older are no longer supported and contain + <p>Note that fetchmail 6.3.X and older are no longer supported and contain some of the problems mentioned below, even if they aren't mentioned in the security announcements:</p> <ul> @@ -49,6 +49,11 @@ <li><a name="cve-2012-3482" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a> --> + <li><a name="cve-2021-36386" + href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a> + Fetchmail could <a href="fetchmail-SA-2021-01.txt">log possibly + sensitive data or garbage, or crash, when logging information longer + than 2 kB, on some systems.</a></li> <li><a name="cve-2012-3482" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a> Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and |
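Review bot: in the new website/fetchmail-SA-2021-01.txt the "Affects" and "Not affected" lists name only the 6.4 line (up to and including 6.4.19 affected, 6.4.20 and newer not affected), while the index.html change in this same commit states that 6.5.0-beta4 also fixes CVE-2021-36386; add the 6.5.0 beta status to the advisory as well (for example "6.5.0-beta3 and earlier" under Affects and "6.5.0-beta4 and newer" under Not affected, alongside the "Corrected in" commit hash) so that someone reading the advisory alone can tell whether a beta build is exposed.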
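Review bot: in the index.html NEWS hunk the 6.5.0-beta4 link text reads "6.5.0.beta4" (dot) while the heading directly above it says "6.5.0-beta4" (hyphen); the same mismatch existed in the removed beta3 paragraph, so this is a good moment to use the hyphenated release name in both places. Two smaller points in the same hunk: "since Late 2019" should be "since late 2019", and the 6.4.20 paragraph sends readers to the SECURITY ALERTS anchor for details when the advisory added in this commit could be linked directly, e.g. <a href="fetchmail-SA-2021-01.txt">CVE-2021-36386</a>.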
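Review bot: the new CVE-2021-36386 entry in security.html says the problem occurs when logging information "longer than 2 kB", but the advisory it links to (fetchmail-SA-2021-01.txt, added in this commit) gives no size threshold, only "long log messages ... that can stem from very long headers"; either state the buffer size in section 2 of the advisory or drop the number here so the two descriptions agree. Minor: the new link uses http://cve.mitre.org like the existing CVE-2012-3482 entry below it; if the scheme is upgraded to https, do it for all entries together.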