From f6ebe48b0a0cc75838d4b4f78e1af7f7d5cc96b9 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Tue, 3 Aug 2021 17:36:03 +0200 Subject: fetchmail-SA-2021-01.txt: Replace copy by symlink for website, for consistency with other fetchmail security announcements --- website/fetchmail-SA-2021-01.txt | 120 +-------------------------------------- 1 file changed, 1 insertion(+), 119 deletions(-) mode change 100644 => 120000 website/fetchmail-SA-2021-01.txt (limited to 'website') diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt deleted file mode 100644 index 5f2563be..00000000 --- a/website/fetchmail-SA-2021-01.txt +++ /dev/null @@ -1,119 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 - -fetchmail-SA-2021-01: DoS or information disclosure logging long messages - -Topics: fetchmail denial of service or information disclosure when logging long messages - -Author: Matthias Andree -Version: 1.1 -Announced: 2021-07-28 -Type: missing variable initialization can cause read from bad memory - locations -Impact: fetchmail logs random information, or segfaults and aborts, - stalling inbound mail -Danger: low -Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany - for analysis and report and a patch suggestion - -CVE Name: CVE-2021-36386 -URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt -Project URL: https://www.fetchmail.info/ - -Affects: - fetchmail releases up to and including 6.4.19 - -Not affected: - fetchmail releases 6.4.20 and newer - -Corrected in: c546c829 Git commit hash - - 2021-07-28 fetchmail 6.4.20 release tarball - - -0. Release history -================== - -2021-07-07 initial report to maintainer -2021-07-28 1.0 release -2021-07-28 1.1 update Git commit hash with correction - - -1. Background -============= - -fetchmail is a software package to retrieve mail from remote POP3, IMAP, -ETRN or ODMR servers and forward it to local SMTP, LMTP servers or -message delivery agents. fetchmail supports SSL and TLS security layers -through the OpenSSL library, if enabled at compile time and if also -enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as -well as in-band-negotiated "STARTTLS" and "STLS" modes through the -regular protocol ports. - - -2. Problem description and Impact -================================= - -Fetchmail has long had support to assemble log/error messages that are -generated piecemeal, and takes care to reallocate the output buffer as needed. -In the reallocation case, i. e. when long log messages are assembled that can -stem from very long headers, and on systems that have a varargs.h/stdarg.h -interface (all modern systems), fetchmail's code would fail to reinitialize -the va_list argument to vsnprintf. - -The exact effects depend on the verbose mode (how many -v are given) of -fetchmail, computer architecture, compiler, operating system and -configuration. On some systems, the code just works without ill effects, some -systems log a garbage message (potentially disclosing sensitive information), -some systems log literally "(null)", some systems trigger SIGSEGV (signal -#11), which crashes fetchmail, causing a denial of service on fetchmail's end. - - -3. Solution -=========== - -Install fetchmail 6.4.20 or newer. - -The fetchmail source code is available from -. - -Distributors are encouraged to review the NEWS file and move forward to -6.4.20, rather than backport individual security fixes, because doing so -routinely misses other fixes crucial to fetchmail's proper operation, -for which no security announcements are issued, or documentation, -or translation updates. - -Fetchmail 6.4.X releases have been made with a focus on unchanged user and -program interfaces so as to avoid disruptions when upgrading from 6.3.Z or -6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface -incompatibly. - - -A. Copyright, License and Non-Warranty -====================================== - -(C) Copyright 2021 by Matthias Andree, . -Some rights reserved. - -fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC -BY-ND 4.0. To view a copy of this license, visit -http://creativecommons.org/licenses/by-nd/4.0/ - -THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. -Use the information herein at your own risk. - -END of fetchmail-SA-2021-01 ------BEGIN PGP SIGNATURE----- - -iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z -hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft -JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7 -55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK -ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC -h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9 -8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR -fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh -/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc -aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI -cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR -/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE= -=1rxO ------END PGP SIGNATURE----- diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt new file mode 120000 index 00000000..edf55708 --- /dev/null +++ b/website/fetchmail-SA-2021-01.txt @@ -0,0 +1 @@ +../fetchmail-SA-2021-01.txt \ No newline at end of file -- cgit v1.2.3