Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 369403 (CVE-2011-1947) - <net-mail/fetchmail-6.3.20: Denial of service possible in STARTTLS mode (CVE-2011-1947)
Summary: <net-mail/fetchmail-6.3.20: Denial of service possible in STARTTLS mode (CVE-...
Alias: CVE-2011-1947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2011-05-30 22:37 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-08 21:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-30 22:37:03 UTC
From upstream advisory at $URL:

2. Problem description and Impact
Fetchmail version 5.9.9 introduced STLS support for POP3, version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.
Depending on the operating system defaults as to TCP stream keepalive
mode, fetchmail hangs in excess of one week after sending STARTTLS were
observed if the connection failed without notifying the operating
system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.


3. Solution
Install fetchmail 6.3.20 or newer after it will have become available.
(Note that the announcements may be publicly visible quite some time
before the release is made, particularly for minor bugs.)
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-06-07 04:52:12 UTC
fetchmail 6.3.20 has been released.
Comment 2 Eray Aslan gentoo-dev 2011-06-07 05:28:49 UTC
Thank you Tim.  In the tree:

+*fetchmail-6.3.20 (07 Jun 2011)
+  07 Jun 2011; Eray Aslan <> +fetchmail-6.3.20.ebuild:
+  Version bump - security bug #369403
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-06-07 13:12:08 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-06-07 14:30:27 UTC
ppc/ppc64 stable
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-06-07 16:01:53 UTC

Am limited by not running and ISP amil account now. only the browser driven hotmail. therefore can't start the fetchmail daemon.

However, emerged ok, the conf script brought up the gui to configure fetchmail.  Passed test phase, looks ok.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-07 17:02:17 UTC
Stable for HPPA.
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-06-07 18:40:08 UTC
amd64 done. Thanks Ian
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-06-08 09:21:50 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2011-06-11 12:13:03 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-06-12 11:49:35 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-06-12 18:26:27 UTC
Thanks, everyone. GLSA Vote: no.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 20:24:37 UTC
CVE-2011-1947 (
  fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after
  issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to
  cause a denial of service (application hang) by acknowledging the request
  but not sending additional packets.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:17:43 UTC
no too, and closing.