diff options
Diffstat (limited to 'fetchmail-EN-2010-03.txt')
| -rw-r--r-- | fetchmail-EN-2010-03.txt | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/fetchmail-EN-2010-03.txt b/fetchmail-EN-2010-03.txt new file mode 100644 index 00000000..a409c8a4 --- /dev/null +++ b/fetchmail-EN-2010-03.txt @@ -0,0 +1,128 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication + +Topics: Authentication incapability in older fetchmail versions + +Author: Matthias Andree +Version: 1.0 +Announced: 2010-10-16 +Impact: Denial of service + +URL: http://www.fetchmail.info/fetchmail-EN-2010-03.txt +Project URL: http://www.fetchmail.info/ + +Affects: fetchmail up to and including 6.3.17 + +Not affected: fetchmail release 6.3.18 and newer + +Corrected: 2010-10-09 Git, required commit: + cc50a92a07e864c3be6a895f2f7daaa426814d45 + (note that you need to check out all changes up to this + commit, just cherry-picking this will not suffice) + + 2010-10-09 fetchmail 6.3.18 release tarball + + +0. Release history +================== + +2010-10-16 1.0 complete + + +1. Background +============= + +This first "fetchmail-EN" is an errata notice, issued to notify +fetchmail users and distributors of critical bugs that do not, however, +expose the computer running fetchmail to security (privacy, integrity or +availability) threats. The numbering is inlined with the fetchmail +security advisory numbering for redundancy. + + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. It supports SSL and TLS security layers through +the OpenSSL library, if enabled at compile time and if also enabled at +run time. + + +2. Problem description and Impact +================================= + +Fetchmail can be configured at compile time to support various AUTH or +SASL schemes. + +Some of the schemes, notably GSSAPI, can fail in the middle of the +protocol data exchange. In this case, the client (fetchmail) is +supposed to abort the authentication by sending a line with just an +asterisk "*". + +However, all fetchmail versions before 6.3.18 have not aborted failing +authenticators properly (but just sent an empty line). + +This caused fetchmail to pick up the authentication error too late and +mistake it for an error to a different scheme it tried later on. + +Notably, GSSAPI-enabled fetchmail was frequently reported to fail +authentication against Exchange 2007 or 2010 through Debian bug trackers +and the fetchmail mailing lists. This is considered sufficiently grave +to warrant an erratum notice. This is a bug affecting fetchmail 6.3.17 +and all previous releases. + + +3. Solution +=========== + +Install fetchmail release 6.3.18 or newer. + +The fetchmail source code is always available from +<http://developer.berlios.de/project/showfiles.php?group_id=1824>. + +Since the changes are non-trivial, 6.3.18 contains other unrelated +important fixes (such as applying timeout to the authentication phase, +or mispicking an incompatible libmd5.so), and because only full releases +have been tested, no separate patch is made available. + +For details on what else changed in release 6.3.18, please see the NEWS +file shipping with fetchmail 6.3.18, or its online copy at +<http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17957>. + + +4. Workaround +============= + +Configure the required authentication scheme explicitly in the rcfile +or on the command line. When using TLS or SSL, and --sslcertck is in +effect, that might be --auth password on the command line. (In the +rcfile, the "--" have to be omitted.) + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>. +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-Noncommercial-No Derivative Works 3.0 Germany License. +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to + +Creative Commons +171 Second Street +Suite 300 +SAN FRANCISCO, CALIFORNIA 94105 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.15 (GNU/Linux) + +iEYEARECAAYFAky5ZbwACgkQvmGDOQUufZUxtACg6+ZeL9nFx8+wBrBE4u5B8Bz1 +zYsAn2THGpJx72t9tjPRYFBY9PJggj6G +=QqR7 +-----END PGP SIGNATURE----- |