aboutsummaryrefslogtreecommitdiffstats
path: root/NEWS
Commit message (Collapse)AuthorAgeFilesLines
...
* Deal with fetchmailconf bug.Eric S. Raymond2000-03-061-1/+2
| | | | svn path=/trunk/; revision=2791
* Implemented support for RFC2177 IDLE command.Eric S. Raymond2000-03-061-0/+3
| | | | svn path=/trunk/; revision=2790
* Ready to ship.Eric S. Raymond2000-03-061-0/+4
| | | | svn path=/trunk/; revision=2788
* Lots of bug resolutions.Eric S. Raymond2000-03-061-5/+12
| | | | svn path=/trunk/; revision=2786
* Deal with the possibility that we might be running as a subprocess.Eric S. Raymond2000-03-051-1/+4
pre { line-height: 125%; } td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } .highlight .hll { background-color: #ffffcc } .highlight .c { color: #888888 } /* Comment */ .highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */ .highlight .k { color: #008800; font-weight: bold } /* Keyword */ .highlight .ch { color: #888888 } /* Comment.Hashbang */ .highlight .cm { color: #888888 } /* Comment.Multiline */ .highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */ .highlight .cpf { color: #888888 } /* Comment.PreprocFile */ .highlight .c1 { color: #888888 } /* Comment.Single */ .highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */ .highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */ .highlight .ge { font-style: italic } /* Generic.Emph */ .highlight .ges { font-weight: bold; font-style: italic } /* Generic.EmphStrong */ .highlight .gr { color: #aa0000 } /* Generic.Error */ .highlight .gh { color: #333333 } /* Generic.Heading */ .highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */ .highlight .go { color: #888888 } /* Generic.Output */ .highlight .gp { color: #555555 } /* Generic.Prompt */ .highlight .gs { font-weight: bold } /* Generic.Strong */ .highlight .gu { color: #666666 } /* Generic.Subheading */ .highlight .gt { color: #aa0000 } /* Generic.Traceback */ .highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */ .highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */ .highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */ .highlight .kp { color: #008800 } /* Keyword.Pseudo */ .highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */ .highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */ .highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */ .highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */ .highlight .na { color: #336699 } /* Name.Attribute */ .highlight .nb { color: #003388 } /* Name.Builtin */ .highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */ .highlight .no { color: #003366; font-weight: bold } /* Name.Constant */ .highlight .nd { color: #555555 } /* Name.Decorator */ .highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */ .highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */ .highlight .nl { color: #336699; font-style: italic } /* Name.Label */ .highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */ .highlight .py { color: #336699; font-weight: bold } /* Name.Property */ .highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */ .highlight .nv { color: #336699 } /* Name.Variable */ .highlight .ow { color: #008800 } /* Operator.Word */ .highlight .w { color: #bbbbbb } /* Text.Whitespace */ .highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */ .highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */ .highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */ .highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */ .highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */ .highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */ .highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */ .highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */ .highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */ .highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */ .highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */ .highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */ .highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */ .highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */ .highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */ .highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */ .highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */ .highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */ .highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" href="sitestyle.css" type="text/css">
<meta name="description" content="The Fetchmail Project">
<meta name="keywords" content="fetchmail, pop3, imap, email, mail">
<meta name="MSSmartTagsPreventParsing" content="TRUE">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Fetchmail</title>
</head>
<body>
<div id="Header">
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
<td align="right"><!-- update date -->2012-08-30</td>
</tr>
</table>
</div>

<div id="Menu">
	<hr>
	<a href="index.html" title="Main">Main</a><br>
	<a href="fetchmail-features.html">Features</a><br>
	<a href="fetchmail-man.html">Manual</a><br>
	<a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br>
	<a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br>
	<a href="design-notes.html">Design Notes</a><br>
	<a href="http://sourceforge.net/projects/fetchmail/files/">Download</a><br>
	Security/Errata<br>
	<a href="https://gitlab.com/fetchmail/fetchmail/">Development</a><br>
	<a href="http://sourceforge.net/projects/fetchmail/">Project Page</a><br>
	<hr>
</div>

<div id="Content">

    <h1>Fetchmail Security and Errata Information</h1>
    <p>These security issues (listed immediately below) and critical
    issues have become
    known to the fetchmail maintainer to the date mentioned above.</p>

    <p>Note that fetchmail 6.2.X and older are no longer supported and contain
    some of the problems mentioned below, even if they aren't mentioned
    in the security announcements:</p>
    <ul>
	<!--
	<li><a name="cve-2012-3482"
	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a>
	-->
	<li><a name="cve-2012-3482"
	    href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a>
	Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and
	    possibly reveal fragments of confidential data</a> during
	NTLM authentication.</li>
	<li><a name="cve-2011-3389"
	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389">CVE-2011-3389:</a>
	    <a href="fetchmail-SA-2012-01.txt">Fetchmail was vulnerable
		to chosen-plaintext attacks against cipher block
		chaining initialization vectors because it disabled an
		OpenSSL countermeasure against this attack.</a>
	</li>
	<li><a name="cve-2011-1947"
	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1947">CVE-2011-1947:</a>
	Fetchmail <a href="fetchmail-SA-2011-01.txt"> could hang for
	    indefinite amounts of time during STARTTLS negotiations</a>,
	causing mail fetches to stall. This was a long-standing bug
	fixed in release 6.3.20.</li>
	<li><a name="fetchmail-EN-2010-03">EN-2010-03</a>: Fetchmail <a href="fetchmail-EN-2010-03.txt">fails
	    POP3/IMAP authentication by not performing SASL AUTH
	    properly.</a> This was a long-standing bug fixed in release
	6.3.18.</li>
	<li><a name="cve-2010-1167"
	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1167">CVE-2010-1167:</a>
	Fetchmail <a href="fetchmail-SA-2010-02.txt">could exhaust all
	    available memory and abort on certain computers (for
	    instance Linux) in multibyte locales (for instance UTF-8)
	    when dumping malformed headers in debug (-v -v) mode.</a>
	This bug was introduced long before 6.0.0 and has been fixed in
	release 6.3.17.</li>
	<li><a name="cve-2010-0562"
	    href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0562">CVE-2010-0562:</a> Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li>
	<li><a name="cve-2009-2666" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li>
	<li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
	<li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2.  The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
	<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
</ul>

<p style="font-size:100%"><strong>Please <a
	href="http://sourceforge.net/projects/fetchmail/files/">update
	to the newest fetchmail version</a>.</strong></p>
</div>
</body>
</html>