1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication
6 Topics: Authentication incapability in older fetchmail versions
8 Author: Matthias Andree
11 Impact: Denial of service
13 URL: http://www.fetchmail.info/fetchmail-EN-2010-03.txt
14 Project URL: http://www.fetchmail.info/
16 Affects: fetchmail up to and including 6.3.17
18 Not affected: fetchmail release 6.3.18 and newer
20 Corrected: 2010-10-09 Git, required commit:
21 cc50a92a07e864c3be6a895f2f7daaa426814d45
22 (note that you need to check out all changes up to this
23 commit, just cherry-picking this will not suffice)
25 2010-10-09 fetchmail 6.3.18 release tarball
31 2010-10-16 1.0 complete
32 2014-05-21 1.1 update BerliOS links
38 This first "fetchmail-EN" is an errata notice, issued to notify
39 fetchmail users and distributors of critical bugs that do not, however,
40 expose the computer running fetchmail to security (privacy, integrity or
41 availability) threats. The numbering is inlined with the fetchmail
42 security advisory numbering for redundancy.
45 fetchmail is a software package to retrieve mail from remote POP2, POP3,
46 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
47 message delivery agents. It supports SSL and TLS security layers through
48 the OpenSSL library, if enabled at compile time and if also enabled at
52 2. Problem description and Impact
53 =================================
55 Fetchmail can be configured at compile time to support various AUTH or
58 Some of the schemes, notably GSSAPI, can fail in the middle of the
59 protocol data exchange. In this case, the client (fetchmail) is
60 supposed to abort the authentication by sending a line with just an
63 However, all fetchmail versions before 6.3.18 have not aborted failing
64 authenticators properly (but just sent an empty line).
66 This caused fetchmail to pick up the authentication error too late and
67 mistake it for an error to a different scheme it tried later on.
69 Notably, GSSAPI-enabled fetchmail was frequently reported to fail
70 authentication against Exchange 2007 or 2010 through Debian bug trackers
71 and the fetchmail mailing lists. This is considered sufficiently grave
72 to warrant an erratum notice. This is a bug affecting fetchmail 6.3.17
73 and all previous releases.
79 Install fetchmail release 6.3.18 or newer.
81 The fetchmail source code is always available from
82 <http://sourceforge.net/projects/fetchmail/files/>.
84 Since the changes are non-trivial, 6.3.18 contains other unrelated
85 important fixes (such as applying timeout to the authentication phase,
86 or mispicking an incompatible libmd5.so), and because only full releases
87 have been tested, no separate patch is made available.
89 For details on what else changed in release 6.3.18, please see the NEWS
90 file shipping with fetchmail 6.3.18, or its online copy at
91 <http://sourceforge.net/projects/fetchmail/files/branch_6.3/>
97 Configure the required authentication scheme explicitly in the rcfile
98 or on the command line. When using TLS or SSL, and --sslcertck is in
99 effect, that might be --auth password on the command line. (In the
100 rcfile, the "--" have to be omitted.)
103 A. Copyright, License and Warranty
104 ==================================
106 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
107 Some rights reserved.
109 This work is licensed under the
110 Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
112 To view a copy of this license, visit
113 http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
119 MOUNTAIN VIEW, CALIFORNIA 94041
124 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
125 Use the information herein at your own risk.
126 -----BEGIN PGP SIGNATURE-----
127 Version: GnuPG v1.4.11 (GNU/Linux)
129 iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWdAQCfYcPWZiMcEl9H2SXKf80eMktw
130 Wc8AoNt/rtXWGD/FpPvhlBSr95eO6PF1
132 -----END PGP SIGNATURE-----