From: axreios <rp...@am...> - 2025-10-08 19:21:15
This RC is working well for me using ESMTP protocol to obtain emails from my ISP's mailhost for two separate accounts. Compiled without error on up-to-date Voidlinux and fetching mail without error. A tip of the hat to MA!

ax

On Wed, Oct 08, 2025 at 04:40:34PM +0200, Matthias Andree via Fetchmail-users wrote:
>The 6.5.7.rc1 release of fetchmail is now available at the usual locations,
>including <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>.
>
>
>Please test this especially if
>+ you use SMTP AUTH (esmtppassword)
>+ and/or want to store your SMTP passwords in .netrc
>and share feedback mentioning the 6.5.7.rc1 version via list,
>by e-mail or, if you find a bug, Gitlab issue (account required) at
>https://gitlab.com/fetchmail/fetchmail/-/issues -
>note for bug reports that AUTH PLAIN and AUTH LOGIN data must be redacted
>from your reports, these can be reversed to reveal your password!
>
>Reminder: only subscribers to the fetchmail mailing lists can send mail there.
>
>
>Plan:
>
>I intend this to further clean up the SMTP AUTH code, which I saw necessary
>when fixing the security bug in 6.5.6, and collect the translations, which
>I could not wait for when making the security bugfix release.
>
>If we don't see regressions, I intend to release 6.5.7 in c. 10 days.
>
>Afterwards, I intend to quickly follow up with an unplanned but necessary
>fetchmail 6.6.0 feature release that will add TLS and STARTTLS support for
>SMTP because we don't have strong protection for SMTP passwords yet.
>
>
>The source archive is available at:
><https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.7.rc1.tar.xz/download>
>
>The detached GnuPG signature is available at:
><https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.7.rc1.tar.xz.asc/download>
>
>The SHA256 hashes for the tarballs are:
>SHA2-256(fetchmail-6.5.7.rc1.tar.xz)= 2aa57f8cfe117dcfaf0a481a8c607dc401c15603bcb641bc610ec794c398cb9a
>
>
>Here are the release notes:
>--------------------------------------------------------------------------------
>fetchmail-6.5.7 (not yet released):
>
>## BUGFIX:
>* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
> become a proposed standard, and is only the third method fetchmail would try,
> if CRAM-MD5 and PLAIN weren't offered) required that the server returned
> a 334 code followed by a blank and by a decodable base64 challenge we ignored
> anyways. This is in line with RFC 4952.
> However, to improve compatibility, fetchmail now accepts anything that
> starts with "334 " and disregards the remainder of the line.
> At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
> everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
>* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
> defined, check for errors, and skip servers that do not understand EHLO,
> because we cannot negotiate supported authentication schemes with them.
> This should avoid attempting to send a lot of messages and see them rejected.
>* When authenticating to an SMTP server, do not send client abort "*" when
> we receive any other server reply but 334.
>* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM:<>. This might
> apply when we only have a server's IP address and need to qualify
> addresses without domain. Fixes Debian Bug#1080025.
>* SMTP AUTH can now look up passwords from the .netrc file - for that,
> fetchmail's esmtpname setting must match the login for the given host in
> .netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
>
>## TRANSLATION UPDATES were contributed by these fine people - thank you!
>* cs: Petr Pisar [Czech]
>* eo: Keith Bowes [Esperanto]
>* es: Cristian Othón Martínez Vera [Spanish]
>* fr: Frédéric Marchal [French]
>* ja: Takeshi Hamasaki [Japanese]
>* pl: Jakub Bogusz [Polish]
>* ro: Remus-Gabriel Chelu [Romanian]
>* sv: Göran Uddeborg [Swedish]
>
>-------------------------------------------------------------------------------
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>fetchmail-SA-2025-01: SMTP AUTH denial of service
>
>Topics: fetchmail SMTP client can crash when authenticating
>
>Author: Matthias Andree
>Version: 1.0
>Announced: 2025-10-03
>Type: failure to validate network input in certain configurations
>Impact: fetchmail tries to read from address 1 and can crash
>Severity: moderate
>
>URL: https://www.fetchmail.info/fetchmail-SA-2025-01.txt
>Project URL: https://www.fetchmail.info/
>CVE Name: pending, requested via MITRE as CNA-LR
>
>Affects: - fetchmail releases up to and including 6.5.5
>         - fetchmail 7.0.0 pre-releases
>
>Not affected: - fetchmail 6.5 releases 6.5.6 and newer
>
>Introduced in: 2002-03-09 fetchmail release 5.9.9 added SMTP AUTH
>
>Corrected in: 2025-10-03 Git commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
>              2025-10-03 fetchmail release 6.5.6
>
>
>1. Background
>=============
>
>fetchmail is a software package to retrieve mail from remote POP3, IMAP,
>ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
>message delivery agents.
>
>fetchmail defaults to using the SMTP server on "localhost"
>and to not attempting to authenticate, unless configured otherwise.
>
>fetchmail also supports a "daemon" mode, where it runs over extended time
>and periodically polls the upstream servers.
>This can detach fetchmail
>from the controlling terminal into the background, or - with a "nodetach" setting
>- keep attached to the controlling terminal, which also eases use by
>service supervisors.
>
>
>2. Problem description and Impact
>=================================
>
>fetchmail's SMTP client, when configured to authenticate [1], is susceptible
>to a protocol violation where, when a trusted but malicious or malfunctioning
>SMTP server responds to an authentication request with a "334" code but without a
>following blank on the line, it will attempt to start reading from memory
>address 0x1 to parse the server's SASL challenge. This address is constant and not
>under the attacker's control. This event will usually cause a crash of fetchmail.
>If fetchmail in this situation was running in daemon mode, this mode is also
>terminated by the crash.
>
>[1] This requires the esmtpname and esmtppassword options to be configured in
>the configuration file and the plugout and mda options to be inactive.
>
>As a word of warning, this vulnerability has eluded several static code analyzers.
>
>
>3. Solutions
>============
>
>General recommendation: if running fetchmail in the background or in daemon
>mode, ensure that the daemon is supervised and crashes are reported so that
>action can be taken about the malfunctioning SMTP server, or on fetchmail's end
>to replace local delivery by different server or other means.
>
>
>3a. Install fetchmail 6.5.6 or newer.
>
>The fetchmail source code is available from
><https://sourceforge.net/projects/fetchmail/files/> and
><https://gitlab.com/fetchmail/fetchmail/-/releases>
>
>The Git-based source code repository is currently published via
>https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_6x (primary)
>https://sourceforge.net/p/fetchmail/git/ci/legacy_6x/tree/ (copy)
>
>
>3b. Apply the smtp.c patch from the URL below and rebuild fetchmail:
><https://gitlab.com/fetchmail/fetchmail/-/commit/4c3cebfa4e659fb778ca2cae0ccb3f69201609a8>
>
>
>A. Copyright, License and Non-Warranty
>======================================
>
>(C) Copyright 2025 by Matthias Andree, <mat...@gm...>.
>Some rights reserved.
>
>This file is licensed under CC BY-ND 4.0. To view a copy of this license,
>visit <http://creativecommons.org/licenses/by-nd/4.0/>
>
>THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
>Use the information herein at your own risk.
>
>END of fetchmail-SA-2025-01
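The "334" reply handling that the advisory (section 2) and the first 6.5.7 bugfix describe, as an added C example that is not fetchmail's own code: unsafe_challenge reconstructs the failure pattern (deriving NULL + 1 from a missing blank is my assumption, based on the advisory's "address 0x1"), and classify_auth_reply shows tolerant, NULL-safe handling of the reply line together with the rule that no "*" abort is sent on replies other than 334. The function names and the sample reply lines are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classification of one SMTP reply line received during AUTH (names are mine). */
enum auth_reply { AUTH_CHALLENGE, AUTH_SUCCESS, AUTH_FAILED, AUTH_BADLINE };
/* Pre-fix pattern as the advisory describes it, reconstructed here; NOT fetchmail's
 * code. strchr() returns NULL when the line is just "334", and NULL + 1 is the
 * constant address 0x1 the advisory says fetchmail then tries to read from. */
static const char *unsafe_challenge(const char *line)
{
    return strchr(line, ' ') + 1;      /* undefined behaviour on "334" */
}

/* Hardened version: validates the three-digit code, accepts "334" with or without
 * a blank/challenge and ignores the remainder (as the 6.5.7 notes describe), and
 * never derives a pointer from NULL. *challenge is "" unless a challenge was sent. */
static enum auth_reply classify_auth_reply(const char *line, const char **challenge)
{
    *challenge = "";
    if (line == NULL)
        return AUTH_BADLINE;
    /* isdigit('\0') is false, so lines shorter than three characters fail here. */
    if (!isdigit((unsigned char)line[0]) || !isdigit((unsigned char)line[1]) ||
        !isdigit((unsigned char)line[2]))
        return AUTH_BADLINE;
    if (line[3] != '\0' && line[3] != ' ' && line[3] != '-')
        return AUTH_BADLINE;
    if (strncmp(line, "334", 3) == 0) {
        if (line[3] == ' ')
            *challenge = line + 4;
        return AUTH_CHALLENGE;
    }
    if (strncmp(line, "235", 3) == 0)    /* authentication succeeded */
        return AUTH_SUCCESS;
    /* Anything else ends the attempt; no challenge is pending, so the client
     * must not answer with the "*" abort (the other 6.5.7 bugfix). */
    return AUTH_FAILED;
}

int main(void)
{
    /* Constructed sample replies; "VXNlcm5hbWU6" is base64 for "Username:". */
    const char *lines[] = { "334", "334 VXNlcm5hbWU6", "235 2.7.0 OK", "535 5.7.8 no", "33" };
    const char *c; size_t n;
    for (n = 0; n < sizeof lines / sizeof *lines; n++)
        printf("%-17s -> %d challenge=\"%s\"\n", lines[n], (int)classify_auth_reply(lines[n], &c), c);
    printf("legacy parse of \"334 x\": %s\n", unsafe_challenge("334 x"));
    return 0;
}
```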