1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication
Topics: Authentication incapability in older fetchmail versions
Author: Matthias Andree
Version: 1.0
Announced: 2010-10-16
Impact: Denial of service
URL: http://www.fetchmail.info/fetchmail-EN-2010-03.txt
Project URL: http://www.fetchmail.info/
Affects: fetchmail up to and including 6.3.17
Not affected: fetchmail release 6.3.18 and newer
Corrected: 2010-10-09 Git, required commit:
cc50a92a07e864c3be6a895f2f7daaa426814d45
(note that you need to check out all changes up to this
commit, just cherry-picking this will not suffice)
2010-10-09 fetchmail 6.3.18 release tarball
0. Release history
==================
2010-10-16 1.0 complete
1. Background
=============
This first "fetchmail-EN" is an errata notice, issued to notify
fetchmail users and distributors of critical bugs that do not, however,
expose the computer running fetchmail to security (privacy, integrity or
availability) threats. The numbering is inlined with the fetchmail
security advisory numbering for redundancy.
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.
2. Problem description and Impact
=================================
Fetchmail can be configured at compile time to support various AUTH or
SASL schemes.
Some of the schemes, notably GSSAPI, can fail in the middle of the
protocol data exchange. In this case, the client (fetchmail) is
supposed to abort the authentication by sending a line with just an
asterisk "*".
However, all fetchmail versions before 6.3.18 have not aborted failing
authenticators properly (but just sent an empty line).
This caused fetchmail to pick up the authentication error too late and
mistake it for an error to a different scheme it tried later on.
Notably, GSSAPI-enabled fetchmail was frequently reported to fail
authentication against Exchange 2007 or 2010 through Debian bug trackers
and the fetchmail mailing lists. This is considered sufficiently grave
to warrant an erratum notice. This is a bug affecting fetchmail 6.3.17
and all previous releases.
3. Solution
===========
Install fetchmail release 6.3.18 or newer.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
Since the changes are non-trivial, 6.3.18 contains other unrelated
important fixes (such as applying timeout to the authentication phase,
or mispicking an incompatible libmd5.so), and because only full releases
have been tested, no separate patch is made available.
For details on what else changed in release 6.3.18, please see the NEWS
file shipping with fetchmail 6.3.18, or its online copy at
<http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17957>.
4. Workaround
=============
Configure the required authentication scheme explicitly in the rcfile
or on the command line. When using TLS or SSL, and --sslcertck is in
effect, that might be --auth password on the command line. (In the
rcfile, the "--" have to be omitted.)
A. Copyright, License and Warranty
==================================
(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:
Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk9/YgsACgkQvmGDOQUufZWwQwCgvBxomOVufQuUh96nEq95Mnz4
5m8AoKkBIERmVh9MzN4aJBKbqRQX+2Hq
=GwOi
-----END PGP SIGNATURE-----
|
