X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2006-02.txt;h=199489478d0c3e5569f4ab29151fb0812cda683f;hb=24ab4a608c8ee1613698a1a312a7b30d138a241e;hp=1704512f6cde34d8752fc80aee7b026afc7e0e99;hpb=fb1adf19fff231ee8f55c15cf7866ca5319043db;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt index 1704512f..19948947 100644 --- a/fetchmail-SA-2006-02.txt +++ b/fetchmail-SA-2006-02.txt @@ -1,10 +1,13 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure Topics: fetchmail cannot enforce TLS Author: Matthias Andree -Version: XXX -Announced: 2006-11-XX +Version: 1.1 +Announced: 2007-01-04 Type: secret information disclosure Impact: fetchmail can expose cleartext password over unsecure link fetchmail may not detect man in the middle attacks @@ -17,8 +20,9 @@ Project URL: http://fetchmail.berlios.de/ Affects: fetchmail releases <= 6.3.5 fetchmail release candidates 6.3.6-rc1, -rc2, -rc3 -Not affected: fetchmail release candidate 6.3.6-rc4 +Not affected: fetchmail release candidates 6.3.6-rc4, -rc5 fetchmail release 6.3.6 + fetchmail release 6.3.7 Corrected: 2006-11-26 fetchmail 6.3.6-rc4 @@ -29,6 +33,8 @@ Corrected: 2006-11-26 fetchmail 6.3.6-rc4 2006-11-16 v0.01 internal review draft 2006-11-26 v0.02 revise failure cases, workaround, add acknowledgments 2006-11-27 v0.03 add more vulnerabilities +2007-01-04 v1.0 ready for release +2007-02-18 v1.1 mention 6.3.7 that fixes two regressions 1. Background 
@@ -60,7 +66,8 @@ V3. POP3 fetches could completely ignore all TLS options whether available or not because it didn't reliably issue CAPA before checking for STLS support - but CAPA is a requisite for STLS. Whether or not CAPAbilities were probed, depended on the "auth" - option. + option. (Fetchmail only tried CAPA if the auth option was not set at + all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.) V4. POP3 could fall back to using plain text passwords, even if strong authentication had been configured. @@ -85,7 +92,13 @@ or equivalent in the run control file. This encrypts the whole session. 4. Solution =========== -Download and install fetchmail 6.3.6 or a newer stable release from + The earlier recommendation to install 6.3.6 is hereby updated, since + version 6.3.6 introduced two new regressions fixed in 6.3.7: one broke + KPOP altogether and one broke the automatic POP3 retries without TLS + if a server advertised TLS but then closed the connection and TLS + wasn't enforced. + +Download and install fetchmail 6.3.7 or a newer stable release from fetchmail's project site at . 
@@ -100,16 +113,32 @@ them right. A. Copyright, License and Warranty ================================== -(C) Copyright 2006 by Matthias Andree, . +(C) Copyright 2007 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2006-02.txt + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVAlACglBU+3L80GdwXRplGD0jLEPYp +C8QAoJHEGU8xtgurUjt/mYiwz8u85vYY +=Io6N +-----END PGP SIGNATURE-----
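Review bot: in hunk @@ -1,10 +1,13 the header now reads `Version: 1.1` but keeps `Announced: 2007-01-04`, while the revision history further down dates v1.1 at 2007-02-18; add a `Last updated:` (or similar) line carrying 2007-02-18 next to `Announced:`, or say which date the Version field refers to, so a reader of the header alone can tell this copy is the revised one. The new `Hash: SHA1` line also means the clearsignature is made with SHA-1; GnuPG accepts `--digest-algo SHA256` for clearsigning, so prefer that when re-signing.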
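Review bot: in hunk @@ -17,8 +20,9 the `Not affected:` list gains 6.3.6-rc5 and 6.3.7, but the unchanged `Corrected:` block still lists only `2006-11-26 fetchmail 6.3.6-rc4`; since section 4 now steers readers to 6.3.7 because 6.3.6 regressed, add the 6.3.7 release date to `Corrected:` (or a one-line remark there that 6.3.7 only fixes regressions introduced by 6.3.6) so the two fields agree on which version is recommended.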
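Review bot: in hunk @@ -29,6 +33,8 the v1.1 entry records only "mention 6.3.7 that fixes two regressions", but the same diff also changes the licence from CC BY-NC-ND 2.0 Germany to CC BY-ND 3.0 Germany, bumps the copyright year and adds a PGP clearsignature; a licence change in particular belongs in the revision history, so extend the line, e.g. `2007-02-18 v1.1 mention 6.3.7 that fixes two regressions, relicense to CC BY-ND 3.0 DE`.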
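Review bot: in hunk @@ -60,7 +66,8 the added parenthetical `(Fetchmail only tried CAPA if the auth option was not set at all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)` is missing the conjunction between its alternatives; write `was not set at all, or was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5`. It also lists only the cases in which CAPA was sent, while the point of V3 is the failure case; add the complementary sentence, that any other explicit `auth` value skipped CAPA and therefore never detected STLS, so an administrator can check an rcfile against it.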
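Review bot: in hunk @@ -85,7 +92,13 the new paragraph (`The earlier recommendation to install 6.3.6 is hereby updated, ...`) is indented by one space while the rest of section 4 (`Download and install fetchmail 6.3.7 ...`) starts at column 0, so align it; it also reads as a revision note rather than as the solution, so consider moving the description of the two 6.3.6 regressions into the v1.1 history entry and keeping section 4 to the instruction plus one sentence saying 6.3.6 should be skipped because of the KPOP and POP3-retry regressions. It is worth stating explicitly that the second regression (no retry without TLS when TLS was not enforced) cost 6.3.6 users mail retrieval, not session security, so nobody misreads it as a reopening of V1 to V4.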
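Review bot: in hunk @@ -100,16 +113,32 the copyright line is changed from `2006` to `2007`, which drops the original year; since most of the text dates from 2006 the usual form for a revised work is `(C) Copyright 2006-2007 by Matthias Andree`. Separately, the signature block states `Version: GnuPG v1.4.11 (GNU/Linux)`, a GnuPG release that postdates both dates in the header, so the signature was evidently added to this copy well after the 2007 text; that is fine in itself, but the revision history should then carry an entry for when the advisory was clearsigned so the signature date is not mistaken for the announcement date.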