Description of problem: fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.
Version-Release number of selected component (if applicable): 6.3.19-3mga1
How reproducible: N/A
Also see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1947
Text at the fetchmail site references the git commit with the fix, although they recommend upgrading to 6.3.20. I'll defer from giving an opinion on which path to take. I am not finding a PoC to test the fix.
Possible Advisory text: Certain versions of fetchmail do not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. Updated packages correct this issue. This issue has been reserved the CVE identifier of CVE-2011-1947 at http://cve.mitre.org.
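The defect in this report is an unbounded wait after the server acknowledges STARTTLS/STLS. The client below is an added example, not fetchmail's own code: it shows the principle behind the fix, keeping the socket timeout in force across the TLS handshake, so a server that acks STLS and then stalls (simulated by a constructed local fixture, `start_stalling_pop3_server`) yields a timeout instead of a hang.

```python
import socket
import ssl
import threading


def start_stalling_pop3_server():
    """Constructed fixture: a POP3 server that acknowledges STLS and then sends
    nothing further, the behaviour described for CVE-2011-1947. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"+OK POP3 ready\r\n")
        conn.recv(64)                      # client's STLS command
        conn.sendall(b"+OK Begin TLS negotiation\r\n")
        threading.Event().wait(5)          # stall: no ServerHello ever follows
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def pop3_stls(host, port, timeout):
    """Issue STLS and run the TLS handshake under one socket timeout.
    Returns 'ok', 'refused' (server declined STLS) or 'timeout' (server stalled)."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.settimeout(timeout)              # covers every recv, handshake included
        s.recv(512)                        # greeting
        s.sendall(b"STLS\r\n")
        if not s.recv(512).startswith(b"+OK"):
            return "refused"
        ctx = ssl.create_default_context()
        try:
            # wrap_socket performs the handshake immediately and inherits the
            # timeout, so a server that never answers raises instead of hanging
            ctx.wrap_socket(s, server_hostname=host)
            return "ok"
        except socket.timeout:
            return "timeout"
    finally:
        s.close()


def demo(timeout=1.0):
    port = start_stalling_pop3_server()
    return pop3_stls("127.0.0.1", port, timeout)


if __name__ == "__main__":
    print(demo())                          # prints "timeout" rather than hanging
```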
no interest in this, closing
Status: NEW => RESOLVED
Resolution: (none) => OLD
reopening
Status: RESOLVED => REOPENED
CC: (none) => dmorganec
Resolution: OLD => (none)
update pushed in update_testing
ok for qa-team?
Assignee: bugsquad => qa-bugs
I'd expect it to be available at ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/1/i586/media/core/updates_testing by now, but it isn't. Can you check the submit?
CC: (none) => davidwhodgins
rejected by the BS. I will fix the package today.
I can confirm that fetchmail works. I don't like the user interface of fetchmailconf, but it seems to work, once you get used to pressing enter instead of clicking on a button for each entry. After I got it working with an SSL-encrypted POP3 account on yahoo.ca, I added the user account settings to the daemon with cat /home/dave/.fetchmailrc >> /etc/fetchmailrc, then started the fetchmail service. It seems to work ok. Is there a PoC for the DoS? If not, I consider the i586 testing for the srpm fetchmail-6.3.20-1.1.mga1.src.rpm finished.
Verified operation of fetchmail-6.3.20-1.1.mga1.src.rpm on x86_64. Tested POP3 and IMAP accounts.
Advisory: A vulnerability has been found in fetchmail that could allow a remote server to cause a Denial of Service, CVE-2011-1947. This updated package fixes the vulnerability.
Keywords: (none) => validated_update
CC: (none) => derekjenn, qa-bugs
Assignee: qa-bugs => security
update pushed.
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED