aboutsummaryrefslogtreecommitdiffstats
path: root/fetchmail-SA-2006-02.txt
diff options
context:
space:
mode:
Diffstat (limited to 'fetchmail-SA-2006-02.txt')
-rw-r--r--fetchmail-SA-2006-02.txt90
1 files changed, 90 insertions, 0 deletions
diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt
new file mode 100644
index 00000000..9a8514a0
--- /dev/null
+++ b/fetchmail-SA-2006-02.txt
@@ -0,0 +1,90 @@
+fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure
+
+Topics: fetchmail cannot enforce TLS
+
+Author: Matthias Andree
+Version: 1.0
+Announced: 2006-11-XX
+Type: secret information disclosure
+Impact: fetchmail can expose cleartext password over unsecure link
+ fetchmail may not detect man in the middle attacks
+Danger: medium
+Credits: Isaac Wilcox (bug report, collaboration on fix)
+CVE Name: CVE-2006-5867
+URL: http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
+Project URL: http://fetchmail.berlios.de/
+
+Affects: fetchmail releases <= 6.3.5
+ fetchmail release candidate 6.3.6-rc1
+
+Not affected: fetchmail release candidate 6.3.6-rc2
+ fetchmail release 6.3.6
+
+Corrected: 2006-11-12 fetchmail 6.3.6-rc2
+
+
+0. Release history
+==================
+
+2006-11-12 internal review draft
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail has no configuration facility to enforce TLS connections.
+Configuring --sslproto 'tls1' does not cause connection aborts if TLS is
+not offered or the TLS handshake fails for POP3 or IMAP.
+Even if fetchmail is forced to validate an TLS certificate by means of
+--sslfingerprint or --sslcertck, it may expose cleartext credentials
+over an unencrypted connection.
+
+This can cause eavesdroppers to obtain the password without fetchmail's
+noticing.
+
+
+3. Workaround
+=============
+
+Use fetchmail --ssl --sslcertck --sslproto ssl3 (or equivalent in the
+run control file) if your upstream offers SSLv3-wrapped service on a
+dedicated port.
+
+
+4. Solution
+===========
+
+Download and install fetchmail 6.3.6 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2006 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2006-02.txt