aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2021-08-27 00:17:28 +0200
committerMatthias Andree <matthias.andree@gmx.de>2021-08-27 00:17:28 +0200
commit44431fed03e02e618d4b82c729822c605fbcb5d6 (patch)
tree7ce3da015f3a519bfe0fa078e193ade4bc353a33
parent4b736f0a6b9b72b72c026ba21e164d275468f25a (diff)
downloadfetchmail-44431fed03e02e618d4b82c729822c605fbcb5d6.tar.gz
fetchmail-44431fed03e02e618d4b82c729822c605fbcb5d6.tar.bz2
fetchmail-44431fed03e02e618d4b82c729822c605fbcb5d6.zip
get ready for 6.4.22.rc1.
Diffstat
l---------website/fetchmail-SA-2021-02.txt1
-rw-r--r--website/index.html10
-rw-r--r--website/security.html41
3 files changed, 32 insertions, 20 deletions
diff --git a/website/fetchmail-SA-2021-02.txt b/website/fetchmail-SA-2021-02.txt
new file mode 120000
index 00000000..fa6f0b4f
--- /dev/null
+++ b/website/fetchmail-SA-2021-02.txt
@@ -0,0 +1 @@
+../fetchmail-SA-2021-02.txt \ No newline at end of file
diff --git a/website/index.html b/website/index.html
index 8c69a5f5..bf7d9d61 100644
--- a/website/index.html
+++ b/website/index.html
@@ -15,7 +15,7 @@
<table width="100%" cellpadding="0" summary="Canned page header">
<tr>
<td>Fetchmail</td>
-<td align="right"><!-- update date -->2021-08-09</td>
+<td align="right"><!-- update date -->2021-08-26</td>
</tr>
</table>
</div>
@@ -43,6 +43,14 @@
<h1>Fetchmail</h1>
<div style="background-color:#c0ffc0;color:#000000;">
+ <h1>NEWS: FETCHMAIL 6.4.22.rc1 RELEASE CANDIDATE</h1>
+ <p>On 2021-08-26, <a
+ href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail
+ 6.4.22.rc1 has been released (click this link to download, or to see recent changes).</a>
+ It fixes STARTTLS and other protocol-based vulnerabilities,
+ CVE-2021-39272, see the link under <a href="#security-alerts">SECURITY
+ ALERTS</a> for details.
+ </p>
<h1>NEWS: FETCHMAIL 6.4.21 RELEASE</h1>
<p>On 2021-08-09, <a
href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail
diff --git a/website/security.html b/website/security.html
index 98129b07..113015b6 100644
--- a/website/security.html
+++ b/website/security.html
@@ -27,10 +27,10 @@
<a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br>
<a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br>
<a href="design-notes.html">Design Notes</a><br>
- <a href="http://sourceforge.net/projects/fetchmail/files/">Download</a><br>
+ <a href="https://sourceforge.net/projects/fetchmail/files/">Download</a><br>
Security/Errata<br>
<a href="https://gitlab.com/fetchmail/fetchmail/">Development</a><br>
- <a href="http://sourceforge.net/projects/fetchmail/">Project Page</a><br>
+ <a href="https://sourceforge.net/projects/fetchmail/">Project Page</a><br>
<hr>
</div>
@@ -49,25 +49,28 @@
<li><a name="cve-2012-3482"
href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a>
-->
+ <li><a name="cve-2021-39272"
+ href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39272">CVE-2021-39272:</a>
+ Fetchmail would <a href="fetchmail-SA-2021-02.txt">fail to negotiate a TLS encrypted session in some circumstances, continuing a clear-text connection.</a></li>
<li><a name="cve-2021-36386"
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a>
+ href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a>
Fetchmail could <a href="fetchmail-SA-2021-01.txt">log possibly
sensitive data or garbage, or crash, when logging information longer
than 2 kB, on some systems.</a></li>
<li><a name="cve-2012-3482"
- href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a>
+ href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a>
Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and
possibly reveal fragments of confidential data</a> during
NTLM authentication.</li>
<li><a name="cve-2011-3389"
- href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389">CVE-2011-3389:</a>
+ href="https://nvd.nist.gov/vuln/detail/CVE-2011-3389">CVE-2011-3389:</a>
<a href="fetchmail-SA-2012-01.txt">Fetchmail was vulnerable
to chosen-plaintext attacks against cipher block
chaining initialization vectors because it disabled an
OpenSSL countermeasure against this attack.</a>
</li>
<li><a name="cve-2011-1947"
- href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1947">CVE-2011-1947:</a>
+ href="https://nvd.nist.gov/vuln/detail/CVE-2011-1947">CVE-2011-1947:</a>
Fetchmail <a href="fetchmail-SA-2011-01.txt"> could hang for
indefinite amounts of time during STARTTLS negotiations</a>,
causing mail fetches to stall. This was a long-standing bug
@@ -77,7 +80,7 @@
properly.</a> This was a long-standing bug fixed in release
6.3.18.</li>
<li><a name="cve-2010-1167"
- href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1167">CVE-2010-1167:</a>
+ href="https://nvd.nist.gov/vuln/detail/CVE-2010-1167">CVE-2010-1167:</a>
Fetchmail <a href="fetchmail-SA-2010-02.txt">could exhaust all
available memory and abort on certain computers (for
instance Linux) in multibyte locales (for instance UTF-8)
@@ -85,21 +88,21 @@
This bug was introduced long before 6.0.0 and has been fixed in
release 6.3.17.</li>
<li><a name="cve-2010-0562"
- href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0562">CVE-2010-0562:</a> Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li>
- <li><a name="cve-2009-2666" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li>
- <li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
- <li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
- <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
+ href="https://nvd.nist.gov/vuln/detail/CVE-2010-0562">CVE-2010-0562:</a> Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li>
+ <li><a name="cve-2009-2666" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li>
+ <li><a name="cve-2008-2711" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li>
+ <li><a name="cve-2007-4565" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li>
+ <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li>
</ul>
<p style="font-size:100%"><strong>Please <a
- href="http://sourceforge.net/projects/fetchmail/files/">update
+ href="https://sourceforge.net/projects/fetchmail/files/">update
to the newest fetchmail version</a>.</strong></p>
</div>
</body>
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-21 14:24:48 +0000