
Truly a day to celebrate


Posted Feb 21, 2007 16:59 UTC (Wed) by nigelm (subscriber, #622)
Parent article: ESR's goodbye note

I have to say, I just don't see the downside... well unless you are an Ubuntu user.

Maybe we could celebrate by disposing of fetchmail at the same time.



Truly a day to celebrate

Posted Feb 21, 2007 19:00 UTC (Wed) by malex (subscriber, #15692)

Hey, hey, hold your axe mister :)

Fetchmail still saves the day for many people. I know it does for me as
kmail was crashing and mangling my inbox on the Exchange server I must use
for work email and fetchmail/procmail is painless and bulletproof so far.

Truly a day to celebrate

Posted Feb 21, 2007 20:18 UTC (Wed) by DonDiego (subscriber, #24141)

You may wish to try getmail to replace fetchmail. Works beautifully, is smaller, easier to configure and does not have a fresh exploit every other week.

getmail

Posted Feb 21, 2007 20:38 UTC (Wed) by rfunk (subscriber, #4054)

Fresh exploit every other week? The only security issues in fetchmail in at least the past
year or so have been one or two related to whether or not the connection is encrypted,
and one denial-of-service vulnerability. (fetchmail 6.2.x had lots of vulnerabilities, but that
version has been dead for a long time.)

There's also a lot of knowledge about weird POP/IMAP servers in the fetchmail code.

BTW, ESR hasn't had anything to do with fetchmail in a few years; I took maintainership
from him in about mid-2004 after he'd let it stagnate for a while, and these days Matthias
Andree does almost all of the work.

getmail

Posted Feb 22, 2007 0:09 UTC (Thu) by DonDiego (subscriber, #24141)

I'm too lazy to look up the details but fetchmail made regular appearances in the LWN security section back when I still used it. Whether current versions are any better I don't care at all - I've found a better replacement.

getmail

Posted Feb 22, 2007 10:30 UTC (Thu) by DonDiego (subscriber, #24141)

Read this week's security page, fetchmail makes a double appearance ...

fetchmail security

Posted Feb 22, 2007 12:58 UTC (Thu) by rfunk (subscriber, #4054)

Yes, on exactly the issues I mentioned.

Let me know when you figure out the difference between "New
Vulnerabilities" and "Updated Vulnerabilities".

fetchmail security

Posted Feb 22, 2007 15:03 UTC (Thu) by ofeeley (guest, #36105)

Besides which, programs with unreported vulnerabilities are probably just programs not receiving scrutiny and patching from a good maintainer ;)

fetchmail security

Posted Feb 23, 2007 6:03 UTC (Fri) by DonDiego (subscriber, #24141)

No. Although the examples are admittedly few there are securely designed and implemented programs that don't reveal vulnerabilities even under close scrutiny. vsftpd comes to mind.

fetchmail security

Posted Feb 23, 2007 6:16 UTC (Fri) by DonDiego (subscriber, #24141)

I'm apparently not making myself clear here... I don't give a damn about new versions ever since I found a replacement that I consider superior in every respect (and no, I don't care about supporting obscure broken servers). I had grown discontent with the size of fetchmail and its man page for some time already. What then finally made me look for a replacement was fetchmail showing up on the security page every other week...

You may or may not have made fetchmail secure (BTW, ever tried fuzzing it?). If you did, congratulations. I'm quite confident you didn't reduce its size considerably, though.

fetchmail vulnerabilities in the last year or so

Posted Feb 23, 2007 6:32 UTC (Fri) by DonDiego (subscriber, #24141)

Right on the fetchmail homepage I find not one or two but four advisories from the last year or so, all of which apply to 6.3.x:

CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.

CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.

CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.

CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.
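
The CVE-2006-5867 entry above describes the general failure mode of a mail client that was configured to use TLS but quietly downgraded and sent the password in clear. The following is an added example, not fetchmail's code and not from anyone in this thread: a minimal POP3 login routine that treats STLS as mandatory and fails closed, next to the downgrade behaviour that produces exactly that leak. The server is a constructed in-process stand-in (class `ScriptedPop3Server`), a successful STLS merely flips a flag in place of a real TLS wrap of the socket, and the user name, password and helper names (`pop3_login`, `run_scenario`, `TlsRequired`) are all assumptions made for the illustration.

```python
"""
Added example (not fetchmail's code): fail-closed STARTTLS handling for a POP3
login, beside the downgrade bug class where a client configured to require
TLS still sends PASS in clear when STLS is missing or fails.  Everything here
runs in-process; the "server" is a constructed stand-in.
"""


class ScriptedPop3Server:
    """Constructed stand-in for a POP3 server.  Records each command and whether
    it arrived before (cleartext_log) or after (encrypted_log) the STLS upgrade,
    so a test can see exactly what crossed the wire in clear."""

    def __init__(self, offers_stls, stls_succeeds):
        self.offers_stls = offers_stls      # advertise STLS in the CAPA response?
        self.stls_succeeds = stls_succeeds  # does the STLS command itself succeed?
        self.tls_active = False
        self.cleartext_log = []
        self.encrypted_log = []

    def greeting(self):
        return "+OK scripted POP3 ready"

    def handle(self, line):
        (self.encrypted_log if self.tls_active else self.cleartext_log).append(line)
        cmd = line.split(None, 1)[0].upper()
        if cmd == "CAPA":
            caps = ["+OK", "USER", "PIPELINING"]
            if self.offers_stls:
                caps.append("STLS")
            return "\n".join(caps + ["."])
        if cmd == "STLS":
            if self.offers_stls and self.stls_succeeds:
                self.tls_active = True          # stands in for wrapping the socket in TLS
                return "+OK begin TLS negotiation"
            return "-ERR STLS not available"
        if cmd in ("USER", "PASS"):
            return "+OK"
        if cmd == "QUIT":
            return "+OK bye"
        return "-ERR unknown command"


class TlsRequired(Exception):
    """Raised when the configuration demands TLS but none was negotiated."""


def pop3_login(server, user, password, require_tls=True, fallback_to_plain=False):
    """Log in over a (simulated) POP3 session.

    require_tls=True models a 'TLS required' configuration.  fallback_to_plain=True
    reproduces the bug class: when STLS is absent or fails, the client sends
    USER/PASS anyway.  The hardened behaviour (the default) quits and raises.
    """
    server.greeting()
    capabilities = server.handle("CAPA").splitlines()
    tls_ok = False
    if "STLS" in capabilities:
        tls_ok = server.handle("STLS").startswith("+OK")
    if require_tls and not tls_ok and not fallback_to_plain:
        server.handle("QUIT")   # fail closed: no credentials have left the client
        raise TlsRequired("TLS required but not negotiated; refusing to send credentials")
    server.handle("USER %s" % user)
    server.handle("PASS %s" % password)
    leaked = any(cmd.startswith("PASS ") for cmd in server.cleartext_log)
    return {"tls": tls_ok, "password_in_clear": leaked}


def run_scenario(offers_stls, stls_succeeds, fallback_to_plain=False):
    """Drive one login (assumed user 'alice') against a scripted server and
    summarise what happened, including every command that went out in clear."""
    server = ScriptedPop3Server(offers_stls, stls_succeeds)
    try:
        result = pop3_login(server, "alice", "hunter2", fallback_to_plain=fallback_to_plain)
    except TlsRequired:
        result = {"tls": False, "password_in_clear": False}
    result["refused"] = "USER alice" not in server.cleartext_log + server.encrypted_log
    result["cleartext_commands"] = list(server.cleartext_log)
    return result


if __name__ == "__main__":
    print("STLS works, hardened client:   ", run_scenario(True, True))
    print("no STLS, hardened client:      ", run_scenario(False, False))
    print("STLS fails, downgrading client:", run_scenario(True, False, fallback_to_plain=True))
```

The interesting case is the third one: the server advertises STLS but the upgrade fails, and a client that "helpfully" continues ends up with `PASS hunter2` in the cleartext log while its configuration said TLS was required. The hardened path's only job is to make that branch unreachable, which is why it quits before USER rather than after a failed login.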

fetchmail vulnerabilities in the last year or so

Posted Feb 23, 2007 6:52 UTC (Fri) by rfunk (subscriber, #4054)

This is getting ridiculous. I said one or two DoS and one encryption
issue, in the past year or so. You listed one encryption issue from
2006, two DoS from 2006, and a DoS from 2005. It's now 2007. By my
count the situation is exactly as I said, but if you want to include the
2005 DoS in there then you can have a cookie or whatever for counting
three DoS instead of 1-2.

Look, I couldn't care less if you prefer getmail over fetchmail. But if
you're going to push getmail or criticize fetchmail, please do it with
something approximating the truth. Fetchmail's post-ESR security record
of a handful of low-risk vulnerabilities is far better than your
characterization of "a fresh exploit every other week."

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds