From 53f8f7ebbe57de54df9c4efbcabef2681c4c17a7 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 6 Apr 2012 23:20:34 +0200 Subject: Add fetchmail-SA-2012-01.txt. --- fetchmail-SA-2012-01.txt | 111 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 fetchmail-SA-2012-01.txt (limited to 'fetchmail-SA-2012-01.txt') diff --git a/fetchmail-SA-2012-01.txt b/fetchmail-SA-2012-01.txt new file mode 100644 index 00000000..2ab89fbe --- /dev/null +++ b/fetchmail-SA-2012-01.txt @@ -0,0 +1,111 @@ +fetchmail-SA-2012-01: Denial of service possible in STARTTLS mode + +Topics: fetchmail denial of service in STARTTLS protocol phases + +Author: Matthias Andree +Version: draft +Announced: 2012-04-06 +Type: information disclosure under active attack +Impact: chosen plaintext attack theoretically possible +Danger: low +Acknowledgment: Apple product security + +CVE Name: CVE-2011-3389 +URL: http://www.fetchmail.info/fetchmail-SA-2012-01.txt +Project URL: http://www.fetchmail.info/ + +Affects: - fetchmail releases 6.3.9 up to and including 6.3.21 + + - Any fetchmail release when using OpenSSL versions + before 0.9.6i, or 0.9.7 + +Not affected: - fetchmail releases 5.1.3 up to and including 6.3.8 + but only when using sufficiently new OpenSSL releases + - fetchmail releases 6.3.22 and newer + but only when using sufficiently new OpenSSL releases + + Where "sufficiently new" means 0.9.6i or newer, + or 0.9.7a or newer, or higher numerical versions + such as 0.9.8, 1.0.0 (any letters) + +Corrected in: 2012-04-06 Git, among others, see commit + 4af941d4a4318ba3149316aaa7ffaf24bb959e93 + + 2012-04-06 fetchmail 6.3.22 release tarball + + +0. Release history +================== + +2012-04-06 1.0 release + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP3, IMAP, +ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. fetchmail supports SSL and TLS security layers +through the OpenSSL library, if enabled at compile time and if also +enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as +well as in-band-negotiated "STARTTLS" and "STLS" modes through the +regular protocol ports. + + +2. Problem description and Impact +================================= + +Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which +contains a switch to disable a countermeasure against certain attacks +against block ciphers that permit guessing the initialization vectors, +providing that an attacker can make the application (fetchmail) encrypt +some data for him -- which is not easily the case. + +Stream ciphers (such as RC4) are unaffected. + +While the /practical/ impact of disabling this countermeasure is unclear +at the moment, as a safety precation, the countermeasure is reenabled by +default in fetchmail versions 6.3.22 and newer. + +For technical details on the attack and countermeasure and affected +OpenSSL versions, please see . + + +3. Solution +=========== + +Install fetchmail 6.3.22 or newer. + +The fetchmail source code is always available from +. + +Distributors are encouraged to review the NEWS file and move forward to +6.3.22, rather than backport individual security fixes, because doing so +routinely misses other fixes crucial to fetchmail's proper operation, +for which no security announcements are issued, or documentation. + +Fetchmail 6.3.X releases have always been made with a focus on unchanged +user and program interfaces so as to avoid disruptions when upgrading +from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the +interface incompatibly. + + +A. Copyright, License and Non-Warranty +====================================== + +(C) Copyright 2012 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons Attribution-NoDerivs +3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: +Creative Commons, 444 Castro Street, Suite 900, +Mountain View, California, 94041, USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END of fetchmail-SA-2012-01 -- cgit v1.2.3