From 13d816baa52d05fad3302607d7b6ccf92c377490 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Tue, 3 Aug 2021 15:35:56 +0200 Subject: Update website for 6.5.0.beta4 release. --- website/fetchmail-SA-2021-01.txt | 119 +++++++++++++++++++++++++++++++++++++++ website/index.html | 26 +++++---- website/security.html | 9 ++- 3 files changed, 141 insertions(+), 13 deletions(-) create mode 100644 website/fetchmail-SA-2021-01.txt diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt new file mode 100644 index 00000000..5f2563be --- /dev/null +++ b/website/fetchmail-SA-2021-01.txt 
@@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +fetchmail-SA-2021-01: DoS or information disclosure logging long messages + +Topics: fetchmail denial of service or information disclosure when logging long messages + +Author: Matthias Andree +Version: 1.1 +Announced: 2021-07-28 +Type: missing variable initialization can cause read from bad memory + locations +Impact: fetchmail logs random information, or segfaults and aborts, + stalling inbound mail +Danger: low +Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany + for analysis and report and a patch suggestion + +CVE Name: CVE-2021-36386 +URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt +Project URL: https://www.fetchmail.info/ + +Affects: - fetchmail releases up to and including 6.4.19 + +Not affected: - fetchmail releases 6.4.20 and newer + +Corrected in: c546c829 Git commit hash + + 2021-07-28 fetchmail 6.4.20 release tarball + + +0. Release history +================== + +2021-07-07 initial report to maintainer +2021-07-28 1.0 release +2021-07-28 1.1 update Git commit hash with correction + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail has long had support to assemble log/error messages that are +generated piecemeal, and takes care to reallocate the output buffer as needed. +In the reallocation case, i. e. 
when long log messages are assembled that can +stem from very long headers, and on systems that have a varargs.h/stdarg.h +interface (all modern systems), fetchmail's code would fail to reinitialize +the va_list argument to vsnprintf. + +The exact effects depend on the verbose mode (how many -v are given) of +fetchmail, computer architecture, compiler, operating system and +configuration. On some systems, the code just works without ill effects, some +systems log a garbage message (potentially disclosing sensitive information), +some systems log literally "(null)", some systems trigger SIGSEGV (signal +#11), which crashes fetchmail, causing a denial of service on fetchmail's end. + + +3. Solution +=========== + +Install fetchmail 6.4.20 or newer. + +The fetchmail source code is available from +. + +Distributors are encouraged to review the NEWS file and move forward to +6.4.20, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued, or documentation, +or translation updates. + +Fetchmail 6.4.X releases have been made with a focus on unchanged user and +program interfaces so as to avoid disruptions when upgrading from 6.3.Z or +6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface +incompatibly. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2021 by Matthias Andree, . +Some rights reserved. + +fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC +BY-ND 4.0. To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/4.0/ + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. 
+ +END of fetchmail-SA-2021-01 +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z +hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft +JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7 +55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK +ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC +h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9 +8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR +fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh +/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc +aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI +cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR +/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE= +=1rxO +-----END PGP SIGNATURE----- diff --git a/website/index.html b/website/index.html index 8a0a30a7..d4fe8ecf 100644 --- a/website/index.html +++ b/website/index.html @@ -15,7 +15,7 @@ - +
Fetchmail2021-04-242021-08-03
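Review bot: The advisory's "Type:" header ("missing variable initialization can cause read from bad memory locations") does not quite match section 2, which describes a failure to reinitialize the va_list before it is handed to vsnprintf again in the reallocation path; since the defect is a va_list consumed twice, a header such as "va_list reused without re-initialization before vsnprintf" would state the same thing more precisely. Two references also look incomplete in this rendering: section 3 reads "The fetchmail source code is available from ." and section A reads "by Matthias Andree, .", so the angle-bracketed URL and e-mail address seem to have been dropped; confirm both survive in the committed file. Finally, "Corrected in: c546c829" is an abbreviated hash, and the 1.1 history line says this hash was itself corrected once, so citing the full 40-character commit id would make the pointer unambiguous.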
@@ -43,21 +43,25 @@

Fetchmail

-

NEWS: FETCHMAIL 6.4.19 RELEASE

-

On 2021-04-24, fetchmail - 6.4.19 has been released (click this link to download, or to see recent changes). - Note that you should use OpenSSL 1.1.1 or newer to compile. - OpenSSL 1.0.2 has been EOL since Late 2019.

-

NEWS: FETCHMAIL 6.5.0-beta3 release

-

On 2021-04-24, NEWS: FETCHMAIL 6.5.0-beta4 release +

On 2021-08-03, fetchmail - 6.5.0.beta3 has been released (click this link to download, or to see recent changes).

+ 6.5.0.beta4 has been released (click this link to download, or to see recent changes). + It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.

+

NEWS: FETCHMAIL 6.4.20 RELEASE

+

On 2021-07-28, fetchmail + 6.4.20 has been released (click this link to download, or to see recent changes). + It fixes security bug CVE-2021-36386, see the link under SECURITY ALERTS below for details. +

+

Note that you should use OpenSSL 1.1.1 or newer to compile. + OpenSSL 1.0.2 has been in end-of-life status since Late 2019.

Note also that fetchmail 6.3.x versions are discontinued and no longer supported (the youngest 6.3.26 was released in 2013).

-

SECURITY ALERTS

+
+

SECURITY ALERTS

These have been moved to a separate page (click here for security information) to unclutter the front page. diff --git a/website/security.html b/website/security.html index 23717b11..98129b07 100644 --- a/website/security.html +++ b/website/security.html @@ -14,7 +14,7 @@ - +
Fetchmail2012-08-302021-07-28

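Review bot: In the index.html hunk, the new beta4 entry says only "It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.", while the 6.4.20 entry adds "see the link under SECURITY ALERTS below for details"; give the beta4 entry the same pointer (or drop its duplicate sentence) so a reader of either entry reaches fetchmail-SA-2021-01. Two style points in the same hunk: the shared OpenSSL note keeps "since Late 2019" with the capitalized "Late" carried over from the old 6.4.19 text ("late 2019" is the usual spelling), and the heading now reads "6.5.0.beta4" where the old heading read "6.5.0-beta3" while its body read "6.5.0.beta3"; the dot form matches the tarball name in the commit subject, so keep it but use it consistently.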
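Review bot: For the security.html header hunk, the diffstat credits this file with 9 changed lines, yet only this one-line date change and the one-line 6.2.X/6.3.X wording change are visible here; the new index.html text "see the link under SECURITY ALERTS below for details" depends on security.html carrying an entry for fetchmail-SA-2021-01.txt / CVE-2021-36386, so confirm that entry is in the remainder of this file's diff. The new date 2021-07-28 is the advisory date rather than the 2021-08-03 used for the index.html header in the same commit, which is consistent with the following hunk's wording that the date is the cutoff to which issues are known; a one-line comment next to the date saying so would stop the two headers from looking out of sync.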
@@ -41,7 +41,7 @@ issues have become known to the fetchmail maintainer to the date mentioned above.

-

Note that fetchmail 6.2.X and older are no longer supported and contain +

Note that fetchmail 6.3.X and older are no longer supported and contain some of the problems mentioned below, even if they aren't mentioned in the security announcements: