From: Matthias A. <mat...@gm...> - 2009-08-17 19:29:54
|
Greetings, fetchmail 6.3.11 was recently released to address an SSL/TLS certificate verification weakness that allowed man-in-the-middle (MITM) attacks to go unnoticed with specially-crafted certificates. Unfortunately, the fix has had a minor flaw that causes program aborts on SSL connection on some systems, depending on the compiler used, and on the libc version and configuration, short, on the computer systems. As a workaround, fetchmail -v (i. e. verbose mode) should work. Jürgen Edner has reported the issue. Thomas Heinz has independently reporter, and also analyzed and fixed the issue, see http://bugs.gentoo.org/show_bug.cgi?id=280760 for details. I approve of and am including his patch below and also as attachment for your convenience. Please apply on top of 6.3.11 and rebuild your fetchmail version if 6.3.11 causes problems similar to the one reported in http://article.gmane.org/gmane.mail.fetchmail.user/8976 . Unfortunately, this fix propagation was also delayed by a one-week vacation of the active fetchmail maintainer. I'm sorry for the inconvenience that 6.3.11 has caused. I'll see to a soonish 6.3.12 release (which also updates a few translations that 6.3.11 had to leave pending as the fix was somewhat urgent) for those who are uncomfortable with patching. Best regards Matthias --- socket.c.org 2009-08-08 16:01:49.000000000 +0200 +++ socket.c 2009-08-08 16:03:17.000000000 +0200 @@ -628,9 +628,10 @@ report(stdout, GT_("Unknown Issuer CommonName\n")); } if ((i = X509_NAME_get_text_by_NID(subj, NID_commonName, buf, sizeof(buf))) != -1) { - if (outlevel >= O_VERBOSE) + if (outlevel >= O_VERBOSE) { report(stdout, GT_("Server CommonName: %s\n"), (tt = sdump(buf, i))); - xfree(tt); + xfree(tt); + } if ((size_t)i >= sizeof(buf) - 1) { /* Possible truncation. In this case, this is a DNS name, so this * is really bad. We do not tolerate this even in the non-strict case. */ |