fetchmail security announcement fetchmail-SA-2011-01 (CVE-2011-1947)

2011-06-06 Thread ma+bt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics: fetchmail denial of service in STARTTLS protocol phases

Author: Matthias Andree
Version:    1.0
Announced:  2011-06-06
Type:   Unguarded blocking I/O can cause indefinite application hang
Impact: Denial of service
Danger: low

CVE Name:   CVE-2011-1947
CVSSv2: (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
This is calculated without Environmental Score.
URL:        http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL: http://www.fetchmail.info/

Affects:    fetchmail releases 5.9.9 up to and including 6.3.19

Not affected:   fetchmail release 6.3.20 and newer

Corrected in:   2011-05-26 Git, among others, see commit
7dc67b8cf06f74aa57525279940e180c99701314

2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

2011-06-06 fetchmail 6.3.20 release tarball


0. Release history
==================

2011-05-30 0.1  first draft (visible in Git and through oss-security)
2011-06-06 1.0  release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated STARTTLS and STLS modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 5.9.9 introduced STLS support for POP3; version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system's defaults for TCP keepalive, fetchmail
was observed to hang for more than one week after sending STARTTLS if the
connection failed without the operating system noticing, for instance
through a network outage or a hard server crash.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.
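
The failure mode above is a blocking read with no upper bound on how long it may wait. As an added illustration (not fetchmail's code, and not a description of how the 6.3.20 fix is implemented), the C program below uses a socketpair() to simulate a server that acknowledges STLS and then goes silent, and shows how a receive timeout on the descriptor turns the indefinite hang into an error the client can act on. The names guarded_read and silent_after_stls, the timeout mechanism (SO_RCVTIMEO) and the constructed protocol lines are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define READ_TIMEOUT (-2)   /* guarded_read(): peer sent nothing within the limit */

/* Read up to len-1 bytes from a connected socket, giving up after
 * timeout_sec seconds of silence. Returns the byte count, 0 on EOF,
 * READ_TIMEOUT on timeout and -1 on any other error. SO_RCVTIMEO applies
 * to every later read on the descriptor, including the reads a TLS library
 * performs on it during the handshake, which is the phase the advisory
 * describes as unguarded. */
static int guarded_read(int fd, char *buf, size_t len, int timeout_sec)
{
    struct timeval tv = { timeout_sec, 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        return -1;
    ssize_t n = recv(fd, buf, len - 1, 0);
    if (n < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? READ_TIMEOUT : -1;
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario: the "server" end of a socketpair acknowledges the
 * client's STLS request the way a POP3 server would, then never sends
 * another byte instead of starting the TLS handshake. Returns the result
 * of the client's second read, i.e. what it sees while waiting for the
 * handshake to begin. */
int silent_after_stls(int timeout_sec)
{
    int sv[2];
    char buf[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    const int client = sv[0], server = sv[1];

    /* client -> server: in-band upgrade request */
    const char *req = "STLS\r\n";
    if (send(client, req, strlen(req), 0) < 0) { close(client); close(server); return -1; }
    (void)recv(server, buf, sizeof buf - 1, 0);       /* server consumes the request */

    /* server -> client: acknowledgement, then silence */
    const char *ack = "+OK Begin TLS negotiation\r\n";
    if (send(server, ack, strlen(ack), 0) < 0) { close(client); close(server); return -1; }

    int first = guarded_read(client, buf, sizeof buf, timeout_sec);   /* the +OK line */
    int second = -1;
    if (first > 0)
        second = guarded_read(client, buf, sizeof buf, timeout_sec); /* handshake never comes */

    close(client);
    close(server);
    return second;
}

int main(void)
{
    int r = silent_after_stls(2);
    printf("%s\n", r == READ_TIMEOUT
           ? "timed out: this poll can be abandoned and the next server tried"
           : "unexpected result");
    return r == READ_TIMEOUT ? 0 : 1;
}
```

Without the setsockopt() call the second recv() in this program never returns, which is the hang the advisory describes; with it, the client learns within the configured limit that the peer is not going to complete the upgrade and can move on to its next poll.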


3. Solution
===========

Install fetchmail 6.3.20 or newer.

The fetchmail source code is always available from
http://developer.berlios.de/project/showfiles.php?group_id=1824.

Distributors are encouraged to review the NEWS file and move forward to
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued.  Several such
(long-standing) bugs were fixed through recent releases, and an erratum
notice for SASL authentication was issued.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.


4. Workaround
=============

If supported by the server's configuration, fetchmail can be run in
SSL-wrapped rather than STARTTLS mode. To that end, the ssl and sslproto
ssl3 options must be added to the rcfile (possibly replacing sslproto
tls1 where configured), or --ssl --sslproto ssl3 can be given on the
command line (where it applies to all poll configurations).

It is generally also advisable to enforce SSL certificate validation, by
either using --sslcertck on the command line, or using sslcertck in a
default configuration entry of the rcfile, or using sslcertck in
each of the relevant individual poll descriptions of the rcfile.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2011 by Matthias Andree, matthias.and...@gmx.de.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2011-01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iEYEARECAAYFAk3swwUACgkQvmGDOQUufZWaBACdHHSAiQZ5OIOur3vflKbzbIi2
WbkAni+ROgf+9IU1rE0j8RJKvzZrJfIP
=d/Bl
-----END PGP SIGNATURE-----


fetchmail security announcement fetchmail-SA-2010-02 (CVE-2010-1167)

2010-05-06 Thread ma+bt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2010-02: Denial of service in debug mode w/ multichar locales

Topics: Denial of service in debug output

Author: Matthias Andree
Version:    1.0
Announced:  2010-05-06
Type:   Unbounded allocation of memory until exhaustion
Impact: Denial of service
Danger: low

CVE Name:   CVE-2010-1167
CVSSv2: (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:O/RC:C)
CVSS scores: 3.2, Base 4.3 (Impact 2.9, Exploitability 8.6), Temporal 3.2
This is calculated without Environmental Score.
URL:        http://www.fetchmail.info/fetchmail-SA-2010-02.txt
Project URL: http://www.fetchmail.info/

Affects:    fetchmail releases 4.6.3 up to and including 6.3.16

Not affected:   fetchmail release 6.3.17 and newer

Corrected:  2010-04-24 Git, required commits:
167fa2093e82f891eb2fcb6eaa0b1eb3685f44e3
ec06293134b85876f9201d8a52b844c41581b2b3

2010-04-30 fetchmail 6.3.17-pre1 tarball

2010-05-06 fetchmail 6.3.17 release tarball


0. Release history
==================

2010-04-18 0.1  first draft (visible in SVN and through oss-security)
2010-04-19 0.2  add note announcements may appear before releases
2010-04-20 0.3  add CVE name, fix Type:
2010-04-24 0.4  revise patch
2010-04-29 0.5  add info on contributing/mitigating factors
2010-06-05 1.0  complete


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.


2. Problem description and Impact
=================================

In debug mode (-v -v), fetchmail prints information that was obtained from the
upstream server (POP3 UIDL lists) or from message headers retrieved from it.
If printing such information fails, for instance because there are invalid
multibyte character sequences in this information (message headers), fetchmail
will misinterpret this condition, and believe that the buffer was too small,
and reallocate a bigger one (with linearly increasing buffer size), and repeat,
until the allocation fails. At that point, fetchmail will abort.

The exact combination of contributing and mitigating factors is not
fully understood; GNU glibc 2.7 and 2.10.1 on i586 report EILSEQ when
printing invalid sequences through a %.*s format string in multibyte
locales such as de_DE.UTF-8; NetBSD 5, FreeBSD 8 and Solaris 10 do not.
However, the issue is a genuine fetchmail bug that deserves a fix.

Note that the Affects: line above may be inaccurate, and it may be that
versions before 5.6.6 are actually unaffected.  The author was unable to
compile such old fetchmail versions to verify the existence of the bug.
Given that other security issues are present in such versions, those should
not be used, and the wider version range was listed as vulnerable to err
on the safe side.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.14 or newer, recompile and reinstall it.

b. Install fetchmail 6.3.17 or newer after it will have become available.
   (Note that the announcements may be publicly visible quite some time
   before the release is made, particularly for minor bugs.)
   The fetchmail source code is always available from
   http://developer.berlios.de/project/showfiles.php?group_id=1824.


4. Workaround
=============

Run fetchmail with at most one -v (--verbose) option.


A. Copyright, License and Warranty
==================================

(C) Copyright 2010 by Matthias Andree, matthias.and...@gmx.de.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually. You may want to use the -p1 flag to patch.

Whitespace differences can usually be ignored by invoking patch -l,
so try this if the patch does not apply.

diff --git a/rfc822.c b/rfc822.c
index 6f2dbf3..dbcda32 100644
- --- a/rfc822.c
+++ b/rfc822.c
@@ -25,6 +25,7 @@ MIT license.  Compile with -DMAIN to build the demonstrator.
 #include  stdlib.h
 
 #include fetchmail.h
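Review bot: the hunk header @@ -25,6 +25,7 @@ announces one added line, but only three unchanged context lines survive here and the `+` line itself is missing, so this excerpt cannot be applied as shown; the stripped angle brackets in `#include  stdlib.h` and `#include fetchmail.h` are rendering damage, not part of the change. Take the patch from the clearsigned file at http://www.fetchmail.info/fetchmail-SA-2010-02.txt and, as this section says, feed it through GnuPG (or strip the "- " prefixes by hand) before running patch.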

fetchmail security announcement fetchmail-SA-2009-01 (CVE-2009-2666)

2009-08-06 Thread ma+bt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2009-01: Improper SSL certificate subject verification

Topics: Improper SSL certificate subject verification

Author: Matthias Andree
Version:    1.0
Announced:  2009-08-06
Type:   Allows undetected Man-in-the-middle attacks against SSL/TLS.
Impact: Credential disclosure to eavesdroppers.
Danger: medium
CVSSv2 vectors: (AV:N/AC:M/Au:N/C:P/I:N/A:N) (E:H/RL:OF/RC:C)

CVE Name:   CVE-2009-2666
URL:        http://www.fetchmail.info/fetchmail-SA-2009-01.txt
Project URL: http://www.fetchmail.info/

Affects:    fetchmail releases up to and including 6.3.10

Not affected:   fetchmail release 6.3.11 and newer

Corrected:  2009-08-04 fetchmail SVN (rev 5389)

References: Null Prefix Attacks Against SSL/TLS Certificates,
Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.

CVE-2009-2408, Mozilla Firefox 3.5 and NSS 3.12.3
improper handling of '\0' characters in domain names in
the Subject CN field of X.509 certificates.


0. Release history
==================

2009-08-05 0.1  first draft (visible in SVN)
2009-08-06 1.0  first release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.


2. Problem description and Impact
=================================

Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
certificates that contain embedded NUL characters in the Common Name or
subjectAltName fields of ITU-T X.509 certificates.

Applications that would treat such X.509 strings as NUL-terminated C
strings (rather than strings that contain an explicit length field)
would only check the part up to and excluding the NUL character, so that
certificate names such as www.good.example\0www.bad.example.com would be
mistaken as a certificate name for www.good.example.  fetchmail also had
this design and implementation flaw.
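
The flaw is purely one of representation: a name that carries its own length is compared as if it ended at the first NUL byte. The C program below is an added example (not fetchmail's socket.c, whose fix is in section B) that puts the advisory's own www.good.example\0www.bad.example.com illustration into a constructed byte buffer with an explicit length and compares a naive C-string match against a length-aware one. The names cn_matches_naive and cn_matches_strict and the sample constants are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* An X.509 subject CN as the application receives it: a byte buffer plus the
 * length the certificate encodes for it. Constructed after the advisory's own
 * illustration; the embedded NUL sits at offset 16. */
static const char SPOOFED_CN[] = "www.good.example\0www.bad.example.com";
static const size_t SPOOFED_CN_LEN = sizeof SPOOFED_CN - 1;   /* 36 bytes */
static const char HONEST_CN[] = "www.good.example";
static const size_t HONEST_CN_LEN = sizeof HONEST_CN - 1;     /* 16 bytes */

/* Flawed comparison: the CN is treated as a C string, so everything past the
 * first NUL is invisible and the spoofed name passes as www.good.example.
 * Returns 1 on (apparent) match, 0 otherwise. */
int cn_matches_naive(const char *cn, const char *host)
{
    return strcasecmp(cn, host) == 0;
}

/* Length-aware comparison, following the logic of the fix: if the declared
 * length covers a NUL byte, the name is not what a C string would show and
 * the certificate is rejected regardless of the visible prefix. Only then is
 * the full declared length compared against the expected host name.
 * Returns 1 on match, 0 on mismatch, -1 when an embedded NUL is found. */
int cn_matches_strict(const char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return -1;                      /* "CommonName contains NUL, aborting" */
    if (cn_len != strlen(host))
        return 0;
    return strncasecmp(cn, host, cn_len) == 0 ? 1 : 0;
}

int main(void)
{
    const char *host = "www.good.example";
    printf("naive : spoofed CN -> %s\n",
           cn_matches_naive(SPOOFED_CN, host) ? "accepted (wrong)" : "rejected");
    printf("strict: spoofed CN -> %s\n",
           cn_matches_strict(SPOOFED_CN, SPOOFED_CN_LEN, host) == -1
               ? "rejected, embedded NUL" : "accepted");
    printf("strict: honest CN  -> %s\n",
           cn_matches_strict(HONEST_CN, HONEST_CN_LEN, host) == 1 ? "accepted" : "rejected");
    return 0;
}
```

The same length discipline applies to every name the verifier inspects, including the subjectAltName entries the advisory mentions alongside the Common Name; and, as the next paragraph notes, none of this matters unless certificate checking is enforced with sslcertck in the first place.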

Note that fetchmail should always be forced to use strict certificate
validation through either of these option combinations:

--sslcertck --ssl --sslproto ssl3   (for service on SSL-wrapped ports)
or
--sslcertck --sslproto tls1         (for STARTTLS-based services)

(These are for the command line; in the rcfile, you will need to omit
the respective leading --.)

The default is relaxed checking for compatibility with historic versions.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.10, recompile and reinstall it.

b. Install fetchmail 6.3.11 or newer after it will have become available.
   The fetchmail source code is always available from
   http://developer.berlios.de/project/showfiles.php?group_id=1824.


4. Workaround
=============

Obtain the server fingerprints through a separate secure channel and
configure them with the sslfingerprint option, and enable the sslcertck
option.


A. Copyright, License and Warranty
==================================

(C) Copyright 2009 by Matthias Andree, matthias.and...@gmx.de.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually.

Whitespace differences can usually be ignored by invoking patch -l,
so try this if the patch does not apply.


Index: socket.c
===
- --- ./socket.c~
+++ ./socket.c
@@ -632,6 +632,12 @@
report(stderr, GT_(Bad certificate: Subject 
CommonName too long!\n));
return (0);
}
+   if ((size_t)i  strlen(buf)) {
+   /* Name contains embedded NUL characters, so we 
complain. This is likely
+* a certificate spoofing attack. */
+   report(stderr, GT_(Bad certificate: Subject 
CommonName contains NUL, aborting!\n));
+   return 0;
+   }
if 
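Review bot: the added check is the right one: strlen(buf) stops at the first NUL, so it equals i (the length the certificate field actually carries, as the "embedded NUL" comment implies) only when no NUL is embedded, and rejecting on mismatch closes the www.good.example\0www.bad.example.com case from section 2. As rendered here, though, the comparison operator between `(size_t)i` and `strlen(buf)` and the double quotes around both report() string literals have been stripped, and the hunk is cut off after the trailing `if`, so it will neither compile nor apply from this text; use the clearsigned file at http://www.fetchmail.info/fetchmail-SA-2009-01.txt. One style point: the existing error path just above uses `return (0);` while the new one uses `return 0;`, which should be made consistent.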

fetchmail REVISED security announcement fetchmail-SA-2008-01 (CVE-2008-2711)

2008-06-24 Thread ma+bt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2008-01: Crash on large log messages in verbose mode

Topics: Crash in large log messages in verbose mode.

Author: Matthias Andree
Version:    1.2
Announced:  2008-06-17
Type:   Dereferencing garbage pointer triggered by outside circumstances
Impact: denial of service possible
Danger: low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C)

Credits:    Petr Uzel (fix), Petr Cerny (analysis), Gunter Nau (bug report)
CVE Name:   CVE-2008-2711
URL:        http://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL: http://www.fetchmail.info/

Affects:    fetchmail release before and excluding 6.3.9
fetchmail release candidate 6.3.9-rc1

Not affected:   fetchmail release 6.3.9 and newer
fetchmail release candidate 6.3.9-rc2 and newer
systems without varargs support.

Corrected:  2008-06-24 fetchmail SVN (rev 5205)

References: https://bugzilla.novell.com/show_bug.cgi?id=354291

http://developer.berlios.de/patch/?func=detailpatch&patch_id=2492&group_id=1824


0. Release history
==================

2008-06-13 1.0  first draft for MITRE/CVE (visible in SVN,
posted to oss-security)
2008-06-17 1.0  published on http://www.fetchmail.info/
2008-06-17 1.1  Corrected typo in Type: above (trigged -> triggered)
2008-06-24 1.2  also fixed issue in report_complete (reported by Petr Uzel)


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named fetchmailconf to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in -v -v
verbose level, headers exceeding 2048 bytes. In this situation,
fetchmail would resize the buffer and fill in further parts of the
message, but forget to reinitialize its va_list typed source pointer,
thus reading data from a garbage address found on the stack at
addresses above the function arguments the caller passed in; usually
that would be the caller's stack frame.

It is unknown whether code can be injected remotely, but given that
the segmentation fault is caused by read accesses, the relevant data
is not under the remote attacker's control and no buffer overrun
situation is present that would allow altering program /flow/, it is
deemed rather unlikely that code can be injected.

Note that the required -vv configuration at hand is both non-default
and also not common in automated (cron job) setups, but usually used
in manual debugging, so not many systems would be affected by the
problem. Nonetheless, in vulnerable configurations, it is remotely
exploitable to effect a denial of service attack.
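
Both this advisory and section 2 of fetchmail-SA-2010-02 above (CVE-2010-1167) concern the same piece of logic: a loop that formats into a buffer, grows the buffer when the result does not fit, and tries again. The added C example below (not fetchmail's report.c, and not the patch from section B) contrasts a loop with the two defects the advisories describe against a corrected one. A constructed formatter that always fails with EILSEQ stands in for the C library behaviour the 2010-02 advisory reports; the names buggy_grow_count, build_report and vfmt_eilseq, the step size and the cap that stands in for "until malloc() fails" are the example's own.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same signature as vsnprintf(), so the real function and a stand-in can
 * both be handed to the loops below. */
typedef int (*vformatter)(char *buf, size_t size, const char *fmt, va_list ap);

#define GROW_STEP 1024
#define GROW_CAP  (64 * 1024)   /* demo stand-in for "until malloc() fails" */

/* Constructed stand-in for a C library whose vsnprintf() reports EILSEQ for
 * an invalid multibyte sequence instead of returning a length. */
int vfmt_eilseq(char *buf, size_t size, const char *fmt, va_list ap)
{
    (void)buf; (void)size; (void)fmt; (void)ap;
    errno = EILSEQ;
    return -1;
}

/* Flawed loop of the shape the advisories describe: every result other than
 * "it fit" is read as "buffer too small", the buffer grows by a fixed step,
 * and only a fit ends the loop. Against a formatter that keeps failing it
 * runs until allocation fails (GROW_CAP here). The 2008-01 defect was
 * separate: the va_list was re-read after each resize without va_copy();
 * this demo keeps va_copy() so it stays well-defined.
 * Returns the number of resizes performed. */
int buggy_grow_count(vformatter vfmt, const char *fmt, ...)
{
    size_t size = GROW_STEP;
    int grows = 0;
    char *buf = malloc(size);
    va_list ap;
    if (!buf) return -1;
    va_start(ap, fmt);
    for (;;) {
        va_list aq;
        va_copy(aq, ap);
        int n = vfmt(buf, size, fmt, aq);
        va_end(aq);
        if (n >= 0 && (size_t)n < size)
            break;                  /* fits */
        size += GROW_STEP;          /* n < 0 is wrongly taken as "too small" */
        grows++;
        if (size > GROW_CAP)
            break;                  /* real code: malloc() fails, fetchmail aborts */
        char *nb = realloc(buf, size);
        if (!nb) break;
        buf = nb;
    }
    va_end(ap);
    free(buf);
    return grows;
}

/* Corrected loop: a fresh va_copy() for every attempt, a negative return is
 * a formatting error that ends the loop without growing, and a "too small"
 * result resizes to exactly the length vsnprintf() reported (C99 contract).
 * Returns a malloc()ed string or NULL on error; *grows_out gets the number
 * of resizes. */
char *build_report(vformatter vfmt, int *grows_out, const char *fmt, ...)
{
    size_t size = GROW_STEP;
    int grows = 0;
    char *buf = malloc(size);
    va_list ap;
    if (!buf) return NULL;
    va_start(ap, fmt);
    for (;;) {
        va_list aq;
        va_copy(aq, ap);
        int n = vfmt(buf, size, fmt, aq);
        va_end(aq);
        if (n < 0) { free(buf); buf = NULL; break; }   /* EILSEQ etc.: do not grow */
        if ((size_t)n < size)
            break;                  /* fits, terminator included */
        size = (size_t)n + 1;
        grows++;
        char *nb = realloc(buf, size);
        if (!nb) { free(buf); buf = NULL; break; }
        buf = nb;
    }
    va_end(ap);
    if (grows_out) *grows_out = grows;
    return buf;
}

int main(void)
{
    char big[3000];                 /* constructed 2999-byte header value */
    int g = 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *s = build_report(vsnprintf, &g, "Subject: %s", big);
    printf("fixed loop: %zu bytes after %d resize(s)\n", s ? strlen(s) : 0, g);
    free(s);
    s = build_report(vfmt_eilseq, &g, "%s", big);
    printf("fixed loop on EILSEQ: %s after %d resize(s)\n", s ? "string" : "NULL", g);
    printf("flawed loop on EILSEQ: %d resizes before giving up\n",
           buggy_grow_count(vfmt_eilseq, "%s", big));
    return 0;
}
```

The two checks that matter are the sign test on the return value (a negative vsnprintf() result is an error, never a size hint) and the va_copy() before each attempt: a va_list that has already been consumed by one vsnprintf() call may not be reused, which is precisely what leaves the "garbage pointer" of this advisory pointing into the caller's stack frame.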



3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to
   fetchmail 6.3.8, recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer after it will have become available.
   The fetchmail source code is always available from
   http://developer.berlios.de/project/showfiles.php?group_id=1824.


4. Workaround
=============

Run fetchmail at low verbosity, avoid using two or three -v arguments;
internal messages are short and do not contain external message
sources so they do not cause buffer resizing. It is recommended to
replace the vulnerable code by a fixed version (see previous
section 3. Solution) as soon as reasonably possible.


A. Copyright, License and Warranty
==================================

(C) Copyright 2008 by Matthias Andree, [EMAIL PROTECTED].
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.


B. Patch to remedy the problem
==============================

Note that when taking this from a GnuPG clearsigned file, the lines
starting with a "-" character are prefixed by another "- " (dash +
blank) combination. Either feed this file through GnuPG to strip them,
or strip them manually.

Whitespace differences can usually be ignored by invoking patch -l,
so try this if the patch does not apply.

diff --git a/report.c b/report.c
index 31d4e48..320e60b 100644
- --- a/report.c
+++ b/report.c
@@ -238,11 +238,17 
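Review bot: only the hunk header @@ -238,11 +238,17 survives here, and even that lacks its closing @@; none of the changed lines of report.c are shown, so this excerpt documents nothing verifiable about the fix beyond what section 2 states (the va_list source pointer was not reinitialized after the buffer resize, and per the 1.2 entry in the release history report_complete needed the same treatment). Take the patch from http://www.fetchmail.info/fetchmail-SA-2008-01.txt or from SVN rev 5205 as cited under Corrected:.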

fetchmail security announcement fetchmail-SA-2007-02 (CVE-2007-4565)

2008-06-17 Thread ma+bt
fetchmail-SA-2007-02: Crash when a local warning message is rejected

Topics: Crash when a fetchmail-generated warning message is rejected

Author: Matthias Andree
Version:    1.1
Announced:  2007-08-28
Type:   NULL pointer dereference triggered by outside circumstances
Impact: denial of service possible
Danger: low
CVSS V2 vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C/E:?/RL:O/RC:C)

Credits:    Earl Chew
CVE Name:   CVE-2007-4565
URL:        http://www.fetchmail.info/fetchmail-SA-2007-02.txt
Project URL: http://www.fetchmail.info/

Affects:    fetchmail release < 6.3.9 exclusively

Not affected:   fetchmail release 6.3.9 and newer
fetchmail releases < 4.6.8 exclusively

Corrected:  2007-07-29 fetchmail SVN (rev 5119)


0. Release history
==================

2007-07-29 1.0  first draft for MITRE/CVE (visible in SVN)
2007-08-28 1.1  reworked, added fix, official release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named fetchmailconf to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

fetchmail will generate warning messages in certain circumstances and 
send them to the local postmaster or the user starting it. Such warning 
messages can be generated, for instance, if logging into an upstream 
server fails repeatedly or if messages beyond the size limit (if 
configured, default: no limit) are left on the server.

If this warning message is then refused by the SMTP listener that 
fetchmail is forwarding the message to, fetchmail attempts to 
dereference a NULL pointer when trying to find out if it should allow a 
bounce message to be sent.

This causes fetchmail to crash and not collect further messages until it 
is restarted.

Risk assessment: low. In default configuration, fetchmail will talk 
through the loopback interface, that means to the SMTP server on the same 
computer as it is running on. Otherwise, it will commonly be configured 
to talk to trusted SMTP servers, so a compromise or misconfiguration of 
a trusted or the same computer is required to exploit this problem - 
which usually opens up much easier ways of denying service, or worse.


3. Solution
===========

There are two alternatives, either of them by itself is sufficient:

a. Apply the patch found in section B of this announcement to fetchmail 6.3.8,
   recompile and reinstall it.

b. Install fetchmail 6.3.9 or newer when it becomes available.  The 
   fetchmail source code is available from 
   http://developer.berlios.de/project/showfiles.php?group_id=1824.

Note there are no workarounds presented here since all known workarounds 
are more intrusive than the actual solution.


A. Copyright, License and Warranty
==================================

(C) Copyright 2007 by Matthias Andree, [EMAIL PROTECTED].
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.



B. Patch to remedy the problem
==============================

Index: sink.c
===
--- sink.c  (revision 5118)
+++ sink.c  (revision 5119)
@@ -262,7 +262,7 @@
 const char *md1 = MAILER-DAEMON, *md2 = MAILER-DAEMON@;
 
 /* don't bounce in reply to undeliverable bounces */
-if (!msg-return_path[0] ||
+if (!msg || !msg-return_path[0] ||
strcmp(msg-return_path, ) == 0 ||
strcasecmp(msg-return_path, md1) == 0 ||
strncasecmp(msg-return_path, md2, strlen(md2)) == 0)
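Review bot: placing `!msg` first in the || chain is the minimal correct fix: short-circuit evaluation guarantees that none of the later msg->return_path accesses are evaluated when msg is NULL, which is exactly the dereference section 2 describes. The rendering here has dropped the `>` of every `->` (shown as msg-return_path) and the double quotes around the MAILER-DAEMON literals and the empty string passed to strcmp, so apply from revision 5119 rather than retyping this text. One follow-up worth a comment in the code: the guard turns the crash into a silent "don't bounce" decision, so the call site that hands in a NULL msg for a locally generated warning should still be identified rather than relied on to hit this guard.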

END OF fetchmail-SA-2007-02.txt


fetchmail security announcement fetchmail-SA-2005-03 (CVE-2005-4348)

2005-12-22 Thread ma+bt
fetchmail-SA-2005-03: security announcement

Topics: #1 crash retrieving headerless message in multidrop mode
#2 fetchmail 6.2.5.X end of life

Author: Matthias Andree
Version:    1.00
Announced:  2005-12-19
Type:   null pointer dereference
Impact: fetchmail crashes
Danger: low
Credits:    Daniel Drake, Gentoo (bug report)
Sunil Shetye (bug fix)
CVE Name:   CVE-2005-4348
URL:        http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt
http://article.gmane.org/gmane.mail.fetchmail.user/7573
http://bugs.debian.org/343836
Project URL: http://fetchmail.berlios.de/

Affects:    fetchmail version 6.2.5.4
fetchmail version 6.3.0

Not affected:   fetchmail 6.3.1
fetchmail 6.2.5.5
other versions not mentioned here or in the previous
sections have not been checked

Corrected:  2005-12-19 - released fetchmail 6.3.1
2005-12-18 - released fetchmail 6.3.1-rc1
2005-12-19 - released fetchmail 6.2.5.5


0. Release history
==================

2005-12-19  1.00 - initial version


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named fetchmailconf to help the user create configuration (run
control) files for fetchmail.


2. Problem description and Impact
=================================

Fetchmail contains a bug that causes an application crash when fetchmail
is configured for multidrop mode and the upstream mail server sends a
message without headers.  As fetchmail does not record this message as
previously fetched, it will crash with the same message if it is
re-executed, so it cannot make progress. A malicious or broken-into
upstream server could thus cause a denial of service in fetchmail
clients.

Note that such messages are not RFC-822 conformant, so if the server has
not been tampered with, the server software is faulty.


3. Workaround
=============

Where possible, singledrop mode may be an alternative.

For sites where multidrop mode is required, no workaround is known.


4. Solution
===========

Download and install fetchmail 6.3.1 or a newer stable release from
fetchmail's project site at
http://developer.berlios.de/project/showfiles.php?group_id=1824.

The fix has also been backported to the 6.2.5.5 legacy release which is
available from the same site.

Note however that 6.3.X has very few incompatible changes since 6.2.5.X
so 6.3.X should be viable for most sites.  It is therefore recommended
that every user and distributor upgrade to 6.3.1 or newer.


5. End of life announcement
===========================

The fetchmail 6.2.5.X branch will be discontinued early in 2006.

The new 6.3.X stable branch has been available since 2005-11-30
and will not change except for bugfixes, documentation and translations.


A. Copyright, License and Warranty
==================================

(C) Copyright 2005 by Matthias Andree, [EMAIL PROTECTED].
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-03.txt