1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication
6 Topics: Authentication incapability in older fetchmail versions
8 Author: Matthias Andree
11 Impact: Denial of service
13 URL: http://www.fetchmail.info/fetchmail-EN-2010-03.txt
14 Project URL: http://www.fetchmail.info/
16 Affects: fetchmail up to and including 6.3.17
18 Not affected: fetchmail release 6.3.18 and newer
20 Corrected: 2010-10-09 Git, required commit:
21 cc50a92a07e864c3be6a895f2f7daaa426814d45
22 (note that you need to check out all changes up to this
23 commit, just cherry-picking this will not suffice)
25 2010-10-09 fetchmail 6.3.18 release tarball
31 2010-10-16 1.0 complete
37 This first "fetchmail-EN" is an errata notice, issued to notify
38 fetchmail users and distributors of critical bugs that do not, however,
39 expose the computer running fetchmail to security (privacy, integrity or
40 availability) threats. The numbering is inlined with the fetchmail
41 security advisory numbering for redundancy.
44 fetchmail is a software package to retrieve mail from remote POP2, POP3,
45 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
46 message delivery agents. It supports SSL and TLS security layers through
47 the OpenSSL library, if enabled at compile time and if also enabled at
51 2. Problem description and Impact
52 =================================
54 Fetchmail can be configured at compile time to support various AUTH or
57 Some of the schemes, notably GSSAPI, can fail in the middle of the
58 protocol data exchange. In this case, the client (fetchmail) is
59 supposed to abort the authentication by sending a line with just an
62 However, all fetchmail versions before 6.3.18 have not aborted failing
63 authenticators properly (but just sent an empty line).
65 This caused fetchmail to pick up the authentication error too late and
66 mistake it for an error to a different scheme it tried later on.
68 Notably, GSSAPI-enabled fetchmail was frequently reported to fail
69 authentication against Exchange 2007 or 2010 through Debian bug trackers
70 and the fetchmail mailing lists. This is considered sufficiently grave
71 to warrant an erratum notice. This is a bug affecting fetchmail 6.3.17
72 and all previous releases.
78 Install fetchmail release 6.3.18 or newer.
80 The fetchmail source code is always available from
81 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
83 Since the changes are non-trivial, 6.3.18 contains other unrelated
84 important fixes (such as applying timeout to the authentication phase,
85 or mispicking an incompatible libmd5.so), and because only full releases
86 have been tested, no separate patch is made available.
88 For details on what else changed in release 6.3.18, please see the NEWS
89 file shipping with fetchmail 6.3.18, or its online copy at
90 <http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17957>.
96 Configure the required authentication scheme explicitly in the rcfile
97 or on the command line. When using TLS or SSL, and --sslcertck is in
98 effect, that might be --auth password on the command line. (In the
99 rcfile, the "--" have to be omitted.)
102 A. Copyright, License and Warranty
103 ==================================
105 (C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
106 Some rights reserved.
108 This work is licensed under the
109 Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
111 To view a copy of this license, visit
112 http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
118 MOUNTAIN VIEW, CALIFORNIA 94041
123 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
124 Use the information herein at your own risk.
125 -----BEGIN PGP SIGNATURE-----
126 Version: GnuPG v1.4.11 (GNU/Linux)
128 iEYEARECAAYFAk9/YgsACgkQvmGDOQUufZWwQwCgvBxomOVufQuUh96nEq95Mnz4
129 5m8AoKkBIERmVh9MzN4aJBKbqRQX+2Hq
131 -----END PGP SIGNATURE-----
projects / ~andy / fetchmail / blob