-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 fetchmail-EN-2010-03: fetchmail SASL bugs prevent successful authentication Topics: Authentication incapability in older fetchmail versions Author: Matthias Andree Version: 1.1 Announced: 2010-10-16 Impact: Denial of service URL: http://www.fetchmail.info/fetchmail-EN-2010-03.txt Project URL: http://www.fetchmail.info/ Affects: fetchmail up to and including 6.3.17 Not affected: fetchmail release 6.3.18 and newer Corrected: 2010-10-09 Git, required commit: cc50a92a07e864c3be6a895f2f7daaa426814d45 (note that you need to check out all changes up to this commit, just cherry-picking this will not suffice) 2010-10-09 fetchmail 6.3.18 release tarball 0. Release history ================== 2010-10-16 1.0 complete 2014-05-21 1.1 update BerliOS links 1. Background ============= This first "fetchmail-EN" is an errata notice, issued to notify fetchmail users and distributors of critical bugs that do not, however, expose the computer running fetchmail to security (privacy, integrity or availability) threats. The numbering is inlined with the fetchmail security advisory numbering for redundancy. fetchmail is a software package to retrieve mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. It supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time. 2. Problem description and Impact ================================= Fetchmail can be configured at compile time to support various AUTH or SASL schemes. Some of the schemes, notably GSSAPI, can fail in the middle of the protocol data exchange. In this case, the client (fetchmail) is supposed to abort the authentication by sending a line with just an asterisk "*". However, all fetchmail versions before 6.3.18 have not aborted failing authenticators properly (but just sent an empty line). This caused fetchmail to pick up the authentication error too late and mistake it for an error to a different scheme it tried later on. Notably, GSSAPI-enabled fetchmail was frequently reported to fail authentication against Exchange 2007 or 2010 through Debian bug trackers and the fetchmail mailing lists. This is considered sufficiently grave to warrant an erratum notice. This is a bug affecting fetchmail 6.3.17 and all previous releases. 3. Solution =========== Install fetchmail release 6.3.18 or newer. The fetchmail source code is always available from . Since the changes are non-trivial, 6.3.18 contains other unrelated important fixes (such as applying timeout to the authentication phase, or mispicking an incompatible libmd5.so), and because only full releases have been tested, no separate patch is made available. For details on what else changed in release 6.3.18, please see the NEWS file shipping with fetchmail 6.3.18, or its online copy at 4. Workaround ============= Configure the required authentication scheme explicitly in the rcfile or on the command line. When using TLS or SSL, and --sslcertck is in effect, that might be --auth password on the command line. (In the rcfile, the "--" have to be omitted.) A. Copyright, License and Warranty ================================== (C) Copyright 2010 by Matthias Andree, . Some rights reserved. This work is licensed under the Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/de/deed.en or send a letter to: Creative Commons 444 Castro Street Suite 900 MOUNTAIN VIEW, CALIFORNIA 94041 USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlN9DK0ACgkQvmGDOQUufZWdAQCfYcPWZiMcEl9H2SXKf80eMktw Wc8AoNt/rtXWGD/FpPvhlBSr95eO6PF1 =5MPV -----END PGP SIGNATURE-----