Commit draft of fetchmail SA.

svn path=/branches/BRANCH_6-3/; revision=4941

diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt
new file mode 100644 (file)
index 0000000..9a8514a
--- /dev/null
+++ b/fetchmail-SA-2006-02.txt
@@ -0,0 +1,90 @@
+fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure
+
+Topics:                fetchmail cannot enforce TLS
+
+Author:                Matthias Andree
+Version:       1.0
+Announced:     2006-11-XX
+Type:          secret information disclosure
+Impact:                fetchmail can expose cleartext password over unsecure link
+               fetchmail may not detect man in the middle attacks
+Danger:                medium
+Credits:       Isaac Wilcox (bug report, collaboration on fix)
+CVE Name:      CVE-2006-5867
+URL:           http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
+Project URL:   http://fetchmail.berlios.de/
+
+Affects:       fetchmail releases <= 6.3.5
+               fetchmail release candidate 6.3.6-rc1
+
+Not affected:  fetchmail release candidate 6.3.6-rc2
+               fetchmail release 6.3.6
+
+Corrected:     2006-11-12 fetchmail 6.3.6-rc2
+
+
+0. Release history
+==================
+
+2006-11-12     internal review draft
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail has no configuration facility to enforce TLS connections.
+Configuring --sslproto 'tls1' does not cause connection aborts if TLS is
+not offered or the TLS handshake fails for POP3 or IMAP.
+Even if fetchmail is forced to validate an TLS certificate by means of
+--sslfingerprint or --sslcertck, it may expose cleartext credentials
+over an unencrypted connection.
+
+This can cause eavesdroppers to obtain the password without fetchmail's
+noticing.
+
+
+3. Workaround
+=============
+
+Use fetchmail --ssl --sslcertck --sslproto ssl3 (or equivalent in the
+run control file) if your upstream offers SSLv3-wrapped service on a
+dedicated port.
+
+
+4. Solution
+===========
+
+Download and install fetchmail 6.3.6 or a newer stable release from
+fetchmail's project site at
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2006 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2006-02.txt