fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fetchmail | Fetchmail | 5.9.9 (including) | 5.9.9 (including) |
| Fetchmail | Fetchmail | 5.9.10 (including) | 5.9.10 (including) |
| Fetchmail | Fetchmail | 5.9.11 (including) | 5.9.11 (including) |
| Fetchmail | Fetchmail | 5.9.13 (including) | 5.9.13 (including) |
| Fetchmail | Fetchmail | 6.0.0 (including) | 6.0.0 (including) |
| Fetchmail | Fetchmail | 6.1.0 (including) | 6.1.0 (including) |
| Fetchmail | Fetchmail | 6.1.3 (including) | 6.1.3 (including) |
| Fetchmail | Fetchmail | 6.2.0 (including) | 6.2.0 (including) |
| Fetchmail | Fetchmail | 6.2.1 (including) | 6.2.1 (including) |
| Fetchmail | Fetchmail | 6.2.2 (including) | 6.2.2 (including) |
| Fetchmail | Fetchmail | 6.2.3 (including) | 6.2.3 (including) |
| Fetchmail | Fetchmail | 6.2.4 (including) | 6.2.4 (including) |
| Fetchmail | Fetchmail | 6.2.5 (including) | 6.2.5 (including) |
| Fetchmail | Fetchmail | 6.2.5.1 (including) | 6.2.5.1 (including) |
| Fetchmail | Fetchmail | 6.2.5.2 (including) | 6.2.5.2 (including) |
| Fetchmail | Fetchmail | 6.2.5.4 (including) | 6.2.5.4 (including) |
| Fetchmail | Fetchmail | 6.2.6-pre4 (including) | 6.2.6-pre4 (including) |
| Fetchmail | Fetchmail | 6.2.6-pre8 (including) | 6.2.6-pre8 (including) |
| Fetchmail | Fetchmail | 6.2.6-pre9 (including) | 6.2.6-pre9 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc10 (including) | 6.2.9-rc10 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc3 (including) | 6.2.9-rc3 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc4 (including) | 6.2.9-rc4 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc5 (including) | 6.2.9-rc5 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc7 (including) | 6.2.9-rc7 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc8 (including) | 6.2.9-rc8 (including) |
| Fetchmail | Fetchmail | 6.2.9-rc9 (including) | 6.2.9-rc9 (including) |
| Fetchmail | Fetchmail | 6.3.0 (including) | 6.3.0 (including) |
| Fetchmail | Fetchmail | 6.3.1 (including) | 6.3.1 (including) |
| Fetchmail | Fetchmail | 6.3.2 (including) | 6.3.2 (including) |
| Fetchmail | Fetchmail | 6.3.3 (including) | 6.3.3 (including) |
| Fetchmail | Fetchmail | 6.3.4 (including) | 6.3.4 (including) |
| Fetchmail | Fetchmail | 6.3.5 (including) | 6.3.5 (including) |
| Fetchmail | Fetchmail | 6.3.6 (including) | 6.3.6 (including) |
| Fetchmail | Fetchmail | 6.3.6-rc1 (including) | 6.3.6-rc1 (including) |
| Fetchmail | Fetchmail | 6.3.6-rc2 (including) | 6.3.6-rc2 (including) |
| Fetchmail | Fetchmail | 6.3.6-rc3 (including) | 6.3.6-rc3 (including) |
| Fetchmail | Fetchmail | 6.3.6-rc4 (including) | 6.3.6-rc4 (including) |
| Fetchmail | Fetchmail | 6.3.6-rc5 (including) | 6.3.6-rc5 (including) |
| Fetchmail | Fetchmail | 6.3.7 (including) | 6.3.7 (including) |
| Fetchmail | Fetchmail | 6.3.8 (including) | 6.3.8 (including) |
| Fetchmail | Fetchmail | 6.3.9 (including) | 6.3.9 (including) |
| Fetchmail | Fetchmail | 6.3.9-rc2 (including) | 6.3.9-rc2 (including) |
| Fetchmail | Fetchmail | 6.3.10 (including) | 6.3.10 (including) |
| Fetchmail | Fetchmail | 6.3.11 (including) | 6.3.11 (including) |
| Fetchmail | Fetchmail | 6.3.12 (including) | 6.3.12 (including) |
| Fetchmail | Fetchmail | 6.3.13 (including) | 6.3.13 (including) |
| Fetchmail | Fetchmail | 6.3.14 (including) | 6.3.14 (including) |
| Fetchmail | Fetchmail | 6.3.15 (including) | 6.3.15 (including) |
| Fetchmail | Fetchmail | 6.3.16 (including) | 6.3.16 (including) |
| Fetchmail | Fetchmail | 6.3.17 (including) | 6.3.17 (including) |
| Fetchmail | Fetchmail | 6.3.18 (including) | 6.3.18 (including) |
| Fetchmail | Fetchmail | 6.3.19 (including) | 6.3.19 (including) |
| Fetchmail | Ubuntu | artful | * |
| Fetchmail | Ubuntu | cosmic | * |
| Fetchmail | Ubuntu | disco | * |
| Fetchmail | Ubuntu | eoan | * |
| Fetchmail | Ubuntu | groovy | * |
| Fetchmail | Ubuntu | hardy | * |
| Fetchmail | Ubuntu | lucid | * |
| Fetchmail | Ubuntu | maverick | * |
| Fetchmail | Ubuntu | natty | * |
| Fetchmail | Ubuntu | oneiric | * |
| Fetchmail | Ubuntu | precise | * |
| Fetchmail | Ubuntu | quantal | * |
| Fetchmail | Ubuntu | raring | * |
| Fetchmail | Ubuntu | saucy | * |
| Fetchmail | Ubuntu | upstream | * |
| Fetchmail | Ubuntu | utopic | * |
| Fetchmail | Ubuntu | vivid | * |
| Fetchmail | Ubuntu | wily | * |
| Fetchmail | Ubuntu | yakkety | * |
| Fetchmail | Ubuntu | zesty | * |
References
- http://gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061634.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061672.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061735.html
- http://openwall.com/lists/oss-security/2011/05/30/1
- http://openwall.com/lists/oss-security/2011/05/31/12
- http://openwall.com/lists/oss-security/2011/05/31/17
- http://openwall.com/lists/oss-security/2011/06/01/2
- http://www.fetchmail.info/fetchmail-SA-2011-01.txt
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:107
- http://www.securityfocus.com/archive/1/518251/100/0/threaded
- http://www.securityfocus.com/bid/48043
- http://www.securitytracker.com/id?1025605
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67700
- http://gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061634.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061672.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061735.html
- http://openwall.com/lists/oss-security/2011/05/30/1
- http://openwall.com/lists/oss-security/2011/05/31/12
- http://openwall.com/lists/oss-security/2011/05/31/17
- http://openwall.com/lists/oss-security/2011/06/01/2
- http://www.fetchmail.info/fetchmail-SA-2011-01.txt
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:107
- http://www.securityfocus.com/archive/1/518251/100/0/threaded
- http://www.securityfocus.com/bid/48043
- http://www.securitytracker.com/id?1025605
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67700