+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode
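Review bot: the clearsign header added at the top selects SHA1 as the signature digest ("Hash: SHA1"). For an advisory whose integrity readers will check from this signature, prefer a SHA-2 digest, e.g. sign with "gpg --clearsign --digest-algo SHA256" (or set "personal-digest-preferences SHA256" in gpg.conf), so that the signature does not depend on SHA-1 collision resistance.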
-Topics: Denial of service in STARTTLS protocol phases
+Topics: fetchmail denial of service in STARTTLS protocol phases
Author: Matthias Andree
-Version: XXX
-Announced: XXX
+Version: 1.0
+Announced: 2011-06-06
Type: Unguarded blocking I/O can cause indefinite application hang
Impact: Denial of service
Danger: low
+Acknowledgment: Thomas Jarosch for sending detailed report
CVE Name: CVE-2011-1947
-CVSSv2:
-CVSS scores:
+CVSSv2: (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
+CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL: http://www.fetchmail.info/
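Review bot: the new "CVSS scores:" line leads with an unlabelled 4.7 before "Base 6.3", so the reader has to infer that this is the temporal score already named at the end of the line. State it once and labelled, e.g. "CVSS scores: Base 6.3 (Impact 6.9, Exploitability 6.8), Temporal 4.7". The numbers themselves are consistent with the vector: Impact 6.9 and Exploitability 6.8 give Base 6.3, and E:U/RL:O/RC:C reduce it to 4.7. The vector's Au:S deserves a sentence of justification, since the advisory describes the hang as something the remote server side causes during the STARTTLS phase and it is not obvious what the attacker would have to authenticate to.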
2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
- pending fetchmail 6.3.20 release tarball
+ 2011-06-06 fetchmail 6.3.20 release tarball
0. Release history
==================
2011-05-30 0.1 first draft (visible in Git and through oss-security)
+2011-06-06 1.0 release
1. Background
3. Solution
===========
-Install fetchmail 6.3.20 or newer after it will have become available.
-(Note that the announcements may be publicly visible quite some time
-before the release is made, particularly for minor bugs.)
+Install fetchmail 6.3.20 or newer.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued. Several such
-(long-standing) bugs were fixed through recent releases.
+(long-standing) bugs were fixed through recent releases, and an erratum
+notice for SASL authentication was issued.
Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.
-There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!
-
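Review bot: dropping "There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!" leaves section 3 with the reasoning against backports but without the policy statement itself; if the intent was only to soften the tone, keep a one-line statement such as "Backports of individual fixes to older releases are not supported." In the same section, the added sentence about "an erratum notice for SASL authentication" gives neither a document name nor a URL, so readers cannot locate it; add the reference next to that sentence.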
4. Workaround
=============
-A. If supported by the server's configuration, fetchmail can be run in
+If supported by the server's configuration, fetchmail can be run in
ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
ssl3" option must be configured (possibly replacing sslproto tls1 where
configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
the command line (where it applies to all poll configurations).
- It is generally advisable to use --sslcertck to enable SSL
-certificate validation.
-B. If the operating system supports setting all TCP sockets to keepalive
-mode by default, and possibly lowering the delay until keepalive probes
-start, enabling this configuration can protect against hangs through
-silently broken connections, but not against a malicious server.
+It is generally also advisable to enforce SSL certificate validation, by
+either using --sslcertck on the command line, or using sslcertck in a
+"default" configuration entry of the rcfile, or using sslcertck in
+each of the relevant individual poll descriptions of the rcfile.
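Review bot: the rewrite removes workaround B (TCP keepalive at the operating-system level) entirely, although the removed text itself stated that keepalives protect against silently broken connections, which is the non-malicious trigger of the same unguarded blocking I/O; keep it as a second workaround together with its caveat that it does not help against a malicious server. The remaining workaround also changes the negotiated protocol version and not only the wrapping mode ("ssl sslproto ssl3", "possibly replacing sslproto tls1"); say so explicitly, so administrators understand they are trading a TLS1 STARTTLS session for an SSLv3-wrapped one and can weigh that against the hang.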
A. Copyright, License and Non-Warranty
(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
-This work is licensed under the Creative Commons
-Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
+This work is licensed under the
+Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
+
To view a copy of this license, visit
-http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
Creative Commons
-171 Second Street
-Suite 300
-SAN FRANCISCO, CALIFORNIA 94105
+444 Castro Street
+Suite 900
+MOUNTAIN VIEW, CALIFORNIA 94041
USA
Use the information herein at your own risk.
END of fetchmail-SA-2011-01
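Review bot: the license changes from CC BY-NC-ND 3.0 to CC BY-ND 3.0, i.e. the non-commercial restriction is dropped, which changes what redistributors may do with this text; record the relicensing in section 0 (Release history) next to the 1.0 entry rather than changing it silently.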
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZUICACg5GqwtyAFuOamJ3JtribzMe9U
+k20AnRLlwx4HBC/Gk3AX1dWSrrQc8WYB
+=GFzg
+-----END PGP SIGNATURE-----