fetchmail-SA-2012-01.txt 3.91 KB
Newer Older
1 2 3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

4
fetchmail-SA-2012-01: Information disclosure under active attack
5

6
Topics:		Information disclosure under active attack with block ciphers
7 8

Author:		Matthias Andree
9
Version:	1.0
10
Announced:	2012-08-29
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
Type:		information disclosure under active attack
Impact:		chosen plaintext attack theoretically possible
Danger:		low
Acknowledgment:	Apple product security

CVE Name:	CVE-2011-3389
URL:		http://www.fetchmail.info/fetchmail-SA-2012-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	- fetchmail releases 6.3.9 up to and including 6.3.21

		- Any fetchmail release when using OpenSSL versions
		  before 0.9.6i, or 0.9.7

Not affected:	- fetchmail releases 5.1.3 up to and including 6.3.8
		  but only when using sufficiently new OpenSSL releases
		- fetchmail releases 6.3.22 and newer
		  but only when using sufficiently new OpenSSL releases

		Where "sufficiently new" means 0.9.6i or newer,
		or 0.9.7a or newer, or higher numerical versions
		such as 0.9.8, 1.0.0 (any letters)

Corrected in:	2012-04-06 Git, among others, see commit
		4af941d4a4318ba3149316aaa7ffaf24bb959e93

37
		2012-08-29 fetchmail 6.3.22 release tarball
38 39 40 41 42


0. Release history
==================

43
2012-08-29 1.0	release
44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which
contains a switch to disable a countermeasure against certain attacks
against block ciphers that permit guessing the initialization vectors,
providing that an attacker can make the application (fetchmail) encrypt
some data for him -- which is not easily the case.

Stream ciphers (such as RC4) are unaffected.

While the /practical/ impact of disabling this countermeasure is unclear
at the moment, as a safety precation, the countermeasure is reenabled by
default in fetchmail versions 6.3.22 and newer.

For technical details on the attack and countermeasure and affected
OpenSSL versions, please see <http://www.openssl.org/~bodo/tls-cbc.txt>.


3. Solution
===========

Install fetchmail 6.3.22 or newer.

The fetchmail source code is always available from
83
<http://sourceforge.net/projects/fetchmail/files/>.
84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101

Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2012 by Matthias Andree, <[email protected]>.
Some rights reserved.

102 103
This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
104 105 106 107

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:
108 109 110 111 112 113 114

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA

115 116 117 118 119

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2012-01
120 121 122
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

123 124 125
iEYEARECAAYFAlN9DK4ACgkQvmGDOQUufZVCbwCgoQriSlTKD7T6wLSW/4nxvWan
sGAAnRsgZqpyHgunCA8VUlUQNKO5Z4z1
=nvvD
126
-----END PGP SIGNATURE-----