-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 fetchmail-SA-2005-03: security announcement Topics: #1 crash retrieving headerless message in multidrop mode #2 fetchmail 6.2.5.X end of life Author: Matthias Andree Version: 1.00 Announced: 2005-12-19 Type: null pointer dereference Impact: fetchmail crashes Danger: low Credits: Daniel Drake, Gentoo (bug report) Sunil Shetye (bug fix) CVE Name: CVE-2005-4348 URL: http://fetchmail.sourceforge.net/fetchmail-SA-2005-03.txt http://article.gmane.org/gmane.mail.fetchmail.user/7573 http://bugs.debian.org/343836 Project URL: http://fetchmail.sourceforge.net/ Affects: fetchmail version 6.2.5.4 fetchmail version 6.3.0 Not affected: fetchmail 6.3.1 fetchmail 6.2.5.5 other versions not mentioned here or in the previous sections have not been checked Corrected: 2005-12-19 - released fetchmail 6.3.1 2005-12-18 - released fetchmail 6.3.1-rc1 2005-12-19 - released fetchmail 6.2.5.5 0. Release history ================== 2005-12-19 1.00 - initial version 1. Background ============= fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail ships with a graphical, Python/Tkinter based configuration utility named "fetchmailconf" to help the user create configuration (run control) files for fetchmail. 2. Problem description and Impact ================================= Fetchmail contains a bug that causes an application crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. As fetchmail does not record this message as "previously fetched", it will crash with the same message if it is re-executed, so it cannot make progress. A malicious or broken-into upstream server could thus cause a denial of service in fetchmail clients. Note that such messages are not RFC-822 conformant, so if the server has not been tampered with, the server software is faulty. 3. Workaround ============= Where possible, singledrop mode may be an alternative. For sites, where multidrop mode is required, no workaround is known. 4. Solution =========== Download and install fetchmail 6.3.1 or a newer stable release from fetchmail's project site at . The fix has also been backported to the 6.2.5.5 legacy release which is available from the same site. Note however that 6.3.X has very few incompatible changes since 6.2.5.X so 6.3.X should be viable for most sites. It is therefore recommended that every user and distributor upgrade to 6.3.1 or newer. 5. End of life announcement =========================== The fetchmail 6.2.5.X branch will be discontinued early in 2006. The new 6.3.X stable branch has been available since 2005-11-30 and will not change except for bugfixes, documentation and translations. A. Copyright, License and Warranty ================================== (C) Copyright 2005 by Matthias Andree, . Some rights reserved. This work is licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2005-03.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZVR6wCePBum0D/6j2Mmzc9eDttcckfu 100AoJoy6OdYYvUDCfEjjog+aAo72NXI =L83l -----END PGP SIGNATURE-----