From 23e90c690e8807f4bdb9d797e626fb32b013c34d Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 30 May 2011 12:09:20 +0200 Subject: Add fetchmail-SA-2011-01.txt --- Makefile.am | 1 + NEWS | 1 + fetchmail-SA-2011-01.txt | 132 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 134 insertions(+) create mode 100644 fetchmail-SA-2011-01.txt diff --git a/Makefile.am b/Makefile.am index 6b433f61..02f4da76 100644 --- a/Makefile.am +++ b/Makefile.am @@ -135,6 +135,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ README.packaging README.SSL-SERVER \ fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ Mailbox-Names-UTF7.txt Mailbox-Names-UTF7.html \ + fetchmail-SA-2011-01.txt \ fetchmail-EN-2010-03.txt \ fetchmail-SA-2010-02.txt \ fetchmail-SA-2010-01.txt \ diff --git a/NEWS b/NEWS index 8d55e7c2..bd4c450d 100644 --- a/NEWS +++ b/NEWS @@ -65,6 +65,7 @@ fetchmail-6.3.20 (not yet released, 26005 LoC): SSL-wrapped connections were unaffected by this timeout, so users of older versions can force ssl-wrapped connections -- if supported by the server -- with the --ssl command line or ssl rcfile option. + See fetchmail-SA-2011-01.txt for further details. # BUG FIXES * IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few diff --git a/fetchmail-SA-2011-01.txt b/fetchmail-SA-2011-01.txt new file mode 100644 index 00000000..fc627f65 --- /dev/null +++ b/fetchmail-SA-2011-01.txt 
@@ -0,0 +1,132 @@ +fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode + +Topics: Denial of service in STARTTLS protocol phases + +Author: Matthias Andree +Version: XXX +Announced: XXX +Type: Unguarded blocking I/O can cause indefinite application hang +Impact: Denial of service +Danger: low + +CVE Name: +CVSSv2: +CVSS scores: + This is calculated without Environmental Score. +URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt +Project URL: http://www.fetchmail.info/ + +Affects: fetchmail releases 5.9.9 up to and including 6.3.19 + +Not affected: fetchmail release 6.3.20 and newer + +Corrected in: 2011-05-26 Git, among others, see commit + 7dc67b8cf06f74aa57525279940e180c99701314 + + 2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing) + + pending fetchmail 6.3.20 release tarball + + +0. Release history +================== + +2011-05-30 0.1 first draft (visible in Git and through oss-security) + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail version 5.9.9 introduced STLS support for POP3, version +6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated +in-band SSL/TLS negotiation was not guarded by a timeout. + +Depending on the operating system defaults as to TCP stream keepalive +mode, fetchmail hangs in excess of one week after sending STARTTLS were +observed if the connection failed without notifying the operating +system, for instance, through network outages or hard server crashes. 
+ +A malicious server that does not respond, at the network level, after +acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail +in this protocol state, and thus render fetchmail unable to complete the +poll, or proceed to the next server, effecting a denial of service. + +SSL-wrapped mode on dedicated ports was unaffected by this problem, so +can be used as a workaround. + + +3. Solution +=========== + +Install fetchmail 6.3.20 or newer after it will have become available. +(Note that the announcements may be publicly visible quite some time +before the release is made, particularly for minor bugs.) + +The fetchmail source code is always available from +. + +Distributors are encouraged to review the NEWS file and move forward to +6.3.20, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued. Several such +(long-standing) bugs were fixed through recent releases. + +Fetchmail 6.3.X releases have always been made with a focus on unchanged +user and program interfaces so as to avoid disruptions when upgrading +from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the +interface incompatibly. + +There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases! + + +4. Workaround +============= + +A. If supported by the server's configuration, fetchmail can be run in +ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto +ssl3" option must be configured (possibly replacing sslproto tls1 where +configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on +the command line (where it applies to all poll configurations). + It is generally advisable to use --sslcertck to enable SSL +certificate validation. + +B. 
If the operating system supports setting all TCP sockets to keepalive +mode by default, and possibly lowering the delay until keepalive probes +start, enabling this configuration can protect against hangs through +silently broken connections, but not against a malicious server. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2011 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-Noncommercial-No Derivative Works 3.0 Germany License. +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to + +Creative Commons +171 Second Street +Suite 300 +SAN FRANCISCO, CALIFORNIA 94105 +USA + + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of fetchmail-SA-2011-01 -- cgit v1.2.3
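Review bot: the added NEWS pointer is fine, but the sentence it follows tells users to force SSL-wrapped connections "with the --ssl command line or ssl rcfile option", whereas the advisory's Workaround A says the rcfile needs "ssl sslproto ssl3" (possibly replacing "sslproto tls1") or "--ssl --sslproto ssl3" on the command line. Align the two so that a reader following NEWS configures the same option set the advisory describes, for instance by changing the NEWS text to "with the --ssl --sslproto ssl3 command line options or the ssl and sslproto ssl3 rcfile options".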
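Review bot: the advisory's header still carries draft placeholders (Version: XXX, Announced: XXX, and empty CVE Name, CVSSv2 and CVSS scores fields) while the same commit adds the file to DISTDOCS and references it from NEWS, so a 6.3.20 tarball built from this tree would ship the unfinished text; fill these in, or state in the release history that they are pending, before the release is tagged. Three wording points in the body: "fetchmail hangs in excess of one week after sending STARTTLS were observed" should read "hangs ... have been observed"; "Install fetchmail 6.3.20 or newer after it will have become available." reads better as "once it is available"; and in Workaround A, "To that extent, the "ssl sslproto ssl3" option must be configured ... to the rcfile" should be "To that end, add "ssl sslproto ssl3" to the rcfile". Workaround B correctly notes that TCP keepalive only covers silently broken connections and not a server that deliberately stops responding; it would help readers to restate that the real fix is the timeout around the in-band TLS negotiation in 6.3.20, so that the keepalive setting is not mistaken for a complete mitigation.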