fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication

Topics:		Authentication incapability in older fetchmail versions

Author:		Matthias Andree
Version:	1.0
Announced:	2010-10-16
Impact:		Denial of service

URL:		http://www.fetchmail.info/fetchmail-EN-2010-03.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail up to and including 6.3.17

Not affected:	fetchmail release 6.3.18 and newer

Corrected:	2010-10-09 Git, required commit:
		cc50a92a07e864c3be6a895f2f7daaa426814d45
		(note that you need to check out all changes up to this
		 commit, just cherry-picking this will not suffice)

		2010-10-09 fetchmail 6.3.18 release tarball


0. Release history
==================

2010-10-16 1.0	complete


1. Background
=============

This first "fetchmail-EN" is an errata notice, issued to notify
fetchmail users and distributors of critical bugs that do not, however,
expose the computer running fetchmail to security (privacy, integrity or
availability) threats. The numbering shares its sequence with the
fetchmail security advisory numbering, for redundancy.


fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP or LMTP servers,
or to message delivery agents. It supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time.


2. Problem description and Impact
=================================

Fetchmail can be configured at compile time to support various AUTH or
SASL schemes.

Some of the schemes, notably GSSAPI, can fail in the middle of the
protocol data exchange.  In this case, the client (fetchmail) is
supposed to abort the authentication by sending a line with just an
asterisk "*".

However, all fetchmail versions before 6.3.18 did not abort failing
authenticators properly: instead of the asterisk, they just sent an
empty line.

As a result, fetchmail picked up the authentication error too late and
mistook it for an error from a different scheme that it tried later on.

Notably, GSSAPI-enabled fetchmail was frequently reported, through the
Debian bug tracker and the fetchmail mailing lists, to fail
authentication against Exchange 2007 or 2010.  This is considered
sufficiently grave to warrant an erratum notice.  This bug affects
fetchmail 6.3.17 and all previous releases.
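
The failure mode above, as an added illustration that is not part of this notice and not fetchmail's code: a constructed Python model of a POP3 AUTH exchange in which the GSSAPI step fails mid-way, run once with the proper "*" abort and once with the old empty-line behaviour. ScriptedServer, try_gssapi, try_password and authenticate are hypothetical names, the password "secret" is made up, and the server's reply list stands in for the socket read buffer.

```python
# Constructed in-memory POP3-style server for this note: not fetchmail code and
# not a real server. Its reply list models what is waiting on the socket.
class ScriptedServer:
    def __init__(self):
        self.replies = []          # replies on the "wire", oldest first
        self.sasl_open = False     # True while an AUTH exchange is in progress
    def recv_line(self, line):
        if self.sasl_open:
            self.sasl_open = False
            if line == "*":        # client-side SASL abort (RFC 5034)
                self.replies.append("-ERR AUTH aborted")
            else:                  # anything else is taken as a SASL response
                self.replies.append("-ERR invalid SASL response")
            return
        verb, _, arg = line.partition(" ")
        if verb == "AUTH" and arg == "GSSAPI":
            self.sasl_open = True
            self.replies.append("+ ")   # empty challenge: client sends a token
        elif verb == "USER":
            self.replies.append("+OK")
        elif verb == "PASS":       # "secret" is a made-up password for the model
            self.replies.append("+OK" if arg == "secret" else "-ERR bad password")
        else:
            self.replies.append("-ERR unknown command")
    def read_line(self):
        return self.replies.pop(0)

def try_gssapi(srv, proper_abort):
    srv.recv_line("AUTH GSSAPI")
    srv.read_line()                 # consume the "+ " challenge
    # The GSSAPI library fails before producing a token (e.g. no ticket), so
    # the client must end the exchange it has already opened:
    if proper_abort:
        srv.recv_line("*")          # 6.3.18: abort with "*" ...
        return srv.read_line()      # ... and consume the server's error reply
    srv.recv_line("")               # pre-6.3.18: empty line, reply never read
    return "(no reply read)"

def try_password(srv, password):
    srv.recv_line("USER alice")
    reply = srv.read_line()         # with the old bug, this is the stale -ERR
    if not reply.startswith("+OK"):
        return reply                # USER rejected: report that as the result
    srv.recv_line("PASS " + password)
    return srv.read_line()

def authenticate(proper_abort, password="secret"):
    # One login attempt: GSSAPI first, then password; returns both results.
    srv = ScriptedServer()
    return try_gssapi(srv, proper_abort), try_password(srv, password)
```

With the old behaviour the server's error for the broken GSSAPI exchange is still waiting on the wire and is read as the reply to the next scheme's USER command, which is the misattribution this notice describes.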


3. Solution
===========

Install fetchmail release 6.3.18 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Because the changes are non-trivial, because 6.3.18 also contains other
important but unrelated fixes (such as applying the timeout to the
authentication phase, or no longer picking up an incompatible
libmd5.so), and because only full releases have been tested, no
separate patch is made available.

For details on what else changed in release 6.3.18, please see the NEWS
file shipping with fetchmail 6.3.18, or its online copy at
<http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17957>.


4. Workaround
=============

Configure the required authentication scheme explicitly in the rcfile
or on the command line.  When using TLS or SSL with --sslcertck in
effect, that might be --auth password on the command line.  (In the
rcfile, the leading "--" has to be omitted.)


A. Copyright, License and Warranty
==================================

(C) Copyright 2010 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA



THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.