Sign .xz; upload to sf.net; upload .xz to local site.
[~andy/fetchmail] / fetchmail-SA-2009-01.txt
index 93622c990ef53f5270531abac4a5201387fb07cb..eb50a9e822d9ba9e84b3367936f331704bbbfc7c 100644 (file)
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 fetchmail-SA-2009-01: Improper SSL certificate subject verification
 
 Topics:                Improper SSL certificate subject verification
 fetchmail-SA-2009-01: Improper SSL certificate subject verification
 
 Topics:                Improper SSL certificate subject verification
@@ -50,13 +53,26 @@ run time.
 
 Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
 certificates that contain embedded NUL characters in the Common Name or
 
 Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
 certificates that contain embedded NUL characters in the Common Name or
-subjectAltName fields of ITU-T X.509 certificates. Applications what
-would treat such strings in X.509 as NUL-terminated C strings (rather
-than strings that contain an explicit length field) would only
-check the part up to and excluding the NUL character, so that
+subjectAltName fields of ITU-T X.509 certificates.
+
+Applications that would treat such X.509 strings as NUL-terminated C
+strings (rather than strings that contain an explicit length field)
+would only check the part up to and excluding the NUL character, so that
 certificate names such as www.good.example\0www.bad.example.com would be
 certificate names such as www.good.example\0www.bad.example.com would be
-mistaken as a certificate name for www.good.example. The CA however
-would usually sign example.com and not care about the subdomain.
+mistaken as a certificate name for www.good.example.  fetchmail also had
+this design and implementation flaw.
+
+Note that fetchmail should always be forced to use strict certificate
+validation through either of these option combinations:
+
+    --sslcertck --ssl --sslproto ssl3    (for service on SSL-wrapped ports)
+or
+    --sslcertck --sslproto tls1          (for STARTTLS-based services)
+
+(These are for the command line, in the rcfile, you will need to omit
+the respective leading --).
+
+The default is relaxed checking for compatibility with historic versions.
 
 
 3. Solution
 
 
 3. Solution
@@ -86,15 +102,17 @@ A. Copyright, License and Warranty
 (C) Copyright 2009 by Matthias Andree, <matthias.andree@gmx.de>.
 Some rights reserved.
 
 (C) Copyright 2009 by Matthias Andree, <matthias.andree@gmx.de>.
 Some rights reserved.
 
-This work is licensed under the Creative Commons
-Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
 To view a copy of this license, visit
 To view a copy of this license, visit
-http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
 
 Creative Commons
 
 Creative Commons
-171 Second Street
-Suite 300
-SAN FRANCISCO, CALIFORNIA 94105
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
 USA
 
 
 USA
 
 
@@ -116,7 +134,7 @@ so try this if the patch does not apply.
 
 Index: socket.c
 ===================================================================
 
 Index: socket.c
 ===================================================================
---- ./socket.c~
+- --- ./socket.c~
 +++ ./socket.c
 @@ -632,6 +632,12 @@
                                report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
 +++ ./socket.c
 @@ -632,6 +632,12 @@
                                report(stderr, GT_("Bad certificate: Subject CommonName too long!\n"));
@@ -135,9 +153,9 @@ Index: socket.c
                                 * first find a match among alternative names */
                                gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
                                if (gens) {
                                 * first find a match among alternative names */
                                gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
                                if (gens) {
--                                      int i, r;
--                                      for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
--                                              const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+- -                                    int i, r;
+- -                                    for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+- -                                            const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
 +                                      int j, r;
 +                                      for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
 +                                              const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
 +                                      int j, r;
 +                                      for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
 +                                              const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
@@ -155,3 +173,10 @@ Index: socket.c
                                                                report(stderr, "Subject Alternative Name: %s\n", p1);
 
 END OF fetchmail-SA-2009-01.txt
                                                                report(stderr, "Subject Alternative Name: %s\n", p1);
 
 END OF fetchmail-SA-2009-01.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZUQ7ACgheMkM4k7NLg6cz8ys3jk9C/P
+uxgAnRzc38wIDR+8Pio9CmDLheOcuskK
+=OYqf
+-----END PGP SIGNATURE-----