From 67e83dd1930726f316e19aef8f45efc9dc4feda3 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Fri, 6 Apr 2007 18:10:51 +0000
Subject: [PATCH] Add fetchmail-SA-2007-01.txt. Add publication date of Gaetan
 Leurent's CVE-2007-1558.

svn path=/branches/BRANCH_6-3/; revision=5085
---
 Makefile.am              |  1 +
 NEWS                     |  3 +-
 fetchmail-SA-2007-01.txt | 89 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 fetchmail-SA-2007-01.txt

diff --git a/Makefile.am b/Makefile.am
index 3757544d..423450da 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -129,6 +129,7 @@ DISTDOCS=	FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \
 		fetchmail-features.html README.SSL README.NTLM \
 		README.packaging \
 		fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \
+		fetchmail-SA-2007-01.txt \
 		fetchmail-SA-2006-03.txt \
 		fetchmail-SA-2006-02.txt \
 		fetchmail-SA-2006-01.txt \
diff --git a/NEWS b/NEWS
index 11663219..82e6992f 100644
--- a/NEWS
+++ b/NEWS
@@ -48,7 +48,7 @@ fetchmail 6.3.8 (not yet released):
 * Make the APOP challenge parser more distrustful and have it reject challenges
   that do not conform to RFC-822 msg-id format, in the hope to make mounting
   man-in-the-middle attacks (MITM) against APOP a bit more difficult.
-  (CVE-2007-1558)
+  (CVE-2007-1558, reported by GaÃ«tan Leurent, published 2007-04-02 on Bugtraq)
 
   APOP is claimed insecure by GaÃ«tan Leurent for MITM scenarios for typical
   setups: based on MD5 collisions, it is purportedly possible to recover the
@@ -82,6 +82,7 @@ fetchmail 6.3.8 (not yet released):
   excellent detail by Reto SchÃ¼ttel, Debian Bug#416812.
 
 # DOCUMENTATION:
+* Add fetchmail-SA-2007-01.txt
 * Extend --mda documentation, discourage use of qmail-inject.
   Based on a patch by Rob MacGregor.
 * Document SOCKS configuration facility (SOCKS_CONF environment variable).
diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt
new file mode 100644
index 00000000..7c224f93
--- /dev/null
+++ b/fetchmail-SA-2007-01.txt
@@ -0,0 +1,89 @@
+fetchmail-SA-2007-01: APOP considered insecure
+
+Topics:		The POP3/APOP authentication, by itself, is considered broken.
+
+Author:		Matthias Andree
+Version:	1.0
+Announced:	2007-04-06
+Type:		password theft when under MITM attack
+Impact:		password disclosure possible
+Danger:		low
+Credits:	GaÃ«tan Leurent
+CVE Name:	CVE-2007-1558
+URL:		http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
+Project URL:	http://fetchmail.berlios.de/
+
+Affects:	fetchmail release < 6.3.8
+
+Not affected:	fetchmail release 6.3.8
+
+Corrected:	2007-03-18 fetchmail SVN
+
+
+0. Release history
+==================
+
+2007-04-06 1.0	first release
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+The POP3 standard, currently RFC-1939, has specified an optional,
+MD5-based authentication scheme called "APOP".
+
+Fetchmail's POP3 client implementation however has happily accepted
+random garbage as a POP3 server's APOP challenge, rather than insisting
+that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+This made it easier than necessary for man-in-the-middle attackers to
+retrieve by several probing and guessing the first three characters of
+the APOP secret, bringing brute forcing the remaining characters well
+within reach.
+
+
+3. Solution
+===========
+
+Either of these is currently considered sufficient.
+
+A. Only use APOP on SSL or TLS secured connections with mandatory and thorough
+   certificate validation, such as fetchmail --sslproto tls1 --sslcertck
+   or --sslproto ssl3 --sslcertck), or equivalent in the run control file.
+
+B. Avoid APOP and use stronger authenticators.
+
+C. If you must continue to use APOP without SSL/TLS, then install
+   fetchmail 6.3.8 or newer, as it is less susceptible to the attack by
+   validating the APOP challenge more strictly to make the attack
+   harder. The fetchmail 6.3.8 source code is available from
+   <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2007-01.txt
-- 
2.43.2