--- /dev/null
+fetchmail-SA-2012-01: Denial of service possible in STARTTLS mode
+
+Topics: fetchmail denial of service in STARTTLS protocol phases
+
+Author: Matthias Andree
+Version: draft
+Announced: 2012-04-06
+Type: information disclosure under active attack
+Impact: chosen plaintext attack theoretically possible
+Danger: low
+Acknowledgment: Apple product security
+
+CVE Name: CVE-2011-3389
+URL: http://www.fetchmail.info/fetchmail-SA-2012-01.txt
+Project URL: http://www.fetchmail.info/
+
+Affects: - fetchmail releases 6.3.9 up to and including 6.3.21
+
+ - Any fetchmail release when using OpenSSL versions
+ before 0.9.6i, or 0.9.7
+
+Not affected: - fetchmail releases 5.1.3 up to and including 6.3.8
+ but only when using sufficiently new OpenSSL releases
+ - fetchmail releases 6.3.22 and newer
+ but only when using sufficiently new OpenSSL releases
+
+ Where "sufficiently new" means 0.9.6i or newer,
+ or 0.9.7a or newer, or higher numerical versions
+ such as 0.9.8, 1.0.0 (any letters)
+
+Corrected in: 2012-04-06 Git, among others, see commit
+ 4af941d4a4318ba3149316aaa7ffaf24bb959e93
+
+ 2012-04-06 fetchmail 6.3.22 release tarball
+
+
+0. Release history
+==================
+
+2012-04-06 1.0 release
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP3, IMAP,
+ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents. fetchmail supports SSL and TLS security layers
+through the OpenSSL library, if enabled at compile time and if also
+enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
+well as in-band-negotiated "STARTTLS" and "STLS" modes through the
+regular protocol ports.
+
+
+2. Problem description and Impact
+=================================
+
+Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which
+contains a switch to disable a countermeasure against certain attacks
+against block ciphers that permit guessing the initialization vectors,
+providing that an attacker can make the application (fetchmail) encrypt
+some data for him -- which is not easily the case.
+
+Stream ciphers (such as RC4) are unaffected.
+
+While the /practical/ impact of disabling this countermeasure is unclear
+at the moment, as a safety precation, the countermeasure is reenabled by
+default in fetchmail versions 6.3.22 and newer.
+
+For technical details on the attack and countermeasure and affected
+OpenSSL versions, please see <http://www.openssl.org/~bodo/tls-cbc.txt>.
+
+
+3. Solution
+===========
+
+Install fetchmail 6.3.22 or newer.
+
+The fetchmail source code is always available from
+<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+Distributors are encouraged to review the NEWS file and move forward to
+6.3.22, rather than backport individual security fixes, because doing so
+routinely misses other fixes crucial to fetchmail's proper operation,
+for which no security announcements are issued, or documentation.
+
+Fetchmail 6.3.X releases have always been made with a focus on unchanged
+user and program interfaces so as to avoid disruptions when upgrading
+from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
+interface incompatibly.
+
+
+A. Copyright, License and Non-Warranty
+======================================
+
+(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons Attribution-NoDerivs
+3.0 Germany License (CC BY-ND 3.0).
+
+To view a copy of this license, visit
+http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
+or send a letter to:
+Creative Commons, 444 Castro Street, Suite 900,
+Mountain View, California, 94041, USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END of fetchmail-SA-2012-01
projects / ~andy / fetchmail / commitdiff