Diffstat (limited to 'website')
-rw-r--r--              website/.htaccess                          1
l---------[-rw-r--r--]  website/fetchmail-SA-2021-01.txt         120
l---------              website/fetchmail-SA-2021-02.txt           1
-rwxr-xr-x              website/host-scripts/upload-website.sh     2
-rw-r--r--              website/index.html                        63
-rw-r--r--              website/multidrop.de.html                 76
-rw-r--r--              website/multidrop.html                     2
-rw-r--r--              website/security.html                     41
8 files changed, 109 insertions, 197 deletions
diff --git a/website/.htaccess b/website/.htaccess new file mode 100644 index 00000000..413d6e1e --- /dev/null +++ b/website/.htaccess @@ -0,0 +1 @@ +AddCharset UTF-8 .txt diff --git a/website/fetchmail-SA-2021-01.txt b/website/fetchmail-SA-2021-01.txt index 5f2563be..edf55708 100644..120000 --- a/website/fetchmail-SA-2021-01.txt +++ b/website/fetchmail-SA-2021-01.txt 
@@ -1,119 +1 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 - -fetchmail-SA-2021-01: DoS or information disclosure logging long messages - -Topics: fetchmail denial of service or information disclosure when logging long messages - -Author: Matthias Andree -Version: 1.1 -Announced: 2021-07-28 -Type: missing variable initialization can cause read from bad memory - locations -Impact: fetchmail logs random information, or segfaults and aborts, - stalling inbound mail -Danger: low -Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany - for analysis and report and a patch suggestion - -CVE Name: CVE-2021-36386 -URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt -Project URL: https://www.fetchmail.info/ - -Affects: - fetchmail releases up to and including 6.4.19 - -Not affected: - fetchmail releases 6.4.20 and newer - -Corrected in: c546c829 Git commit hash - - 2021-07-28 fetchmail 6.4.20 release tarball - - -0. Release history -================== - -2021-07-07 initial report to maintainer -2021-07-28 1.0 release -2021-07-28 1.1 update Git commit hash with correction - - -1. Background -============= - -fetchmail is a software package to retrieve mail from remote POP3, IMAP, -ETRN or ODMR servers and forward it to local SMTP, LMTP servers or -message delivery agents. fetchmail supports SSL and TLS security layers -through the OpenSSL library, if enabled at compile time and if also -enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as -well as in-band-negotiated "STARTTLS" and "STLS" modes through the -regular protocol ports. - - -2. Problem description and Impact -================================= - -Fetchmail has long had support to assemble log/error messages that are -generated piecemeal, and takes care to reallocate the output buffer as needed. -In the reallocation case, i. e. 
when long log messages are assembled that can -stem from very long headers, and on systems that have a varargs.h/stdarg.h -interface (all modern systems), fetchmail's code would fail to reinitialize -the va_list argument to vsnprintf. - -The exact effects depend on the verbose mode (how many -v are given) of -fetchmail, computer architecture, compiler, operating system and -configuration. On some systems, the code just works without ill effects, some -systems log a garbage message (potentially disclosing sensitive information), -some systems log literally "(null)", some systems trigger SIGSEGV (signal -#11), which crashes fetchmail, causing a denial of service on fetchmail's end. - - -3. Solution -=========== - -Install fetchmail 6.4.20 or newer. - -The fetchmail source code is available from -<https://sourceforge.net/projects/fetchmail/files/>. - -Distributors are encouraged to review the NEWS file and move forward to -6.4.20, rather than backport individual security fixes, because doing so -routinely misses other fixes crucial to fetchmail's proper operation, -for which no security announcements are issued, or documentation, -or translation updates. - -Fetchmail 6.4.X releases have been made with a focus on unchanged user and -program interfaces so as to avoid disruptions when upgrading from 6.3.Z or -6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface -incompatibly. - - -A. Copyright, License and Non-Warranty -====================================== - -(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>. -Some rights reserved. - -fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC -BY-ND 4.0. To view a copy of this license, visit -http://creativecommons.org/licenses/by-nd/4.0/ - -THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. -Use the information herein at your own risk. 
- -END of fetchmail-SA-2021-01 ------BEGIN PGP SIGNATURE----- - -iQIzBAEBCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmEBxbQACgkQ5BKxVu/z -hVoESA/+JKX4wAG0v1+4+7yG8SsmWfWORnUzKLTVcjAu5osdQ1DamFgDEMqSd/ft -JswQdzMJfGSngKG+VgXPEu3l9jHyVWDwTWM7aKIo6VsRtJ6yBmBBQBQF5TSUARr7 -55Wm+GqNOQj4fp4xDvcswiMAbgpDZhtJEtWZhv96Uz6F+gjZ6qdufAYQlrPcH8AK -ByJTs9Alc9LqOgP0touXz+CMkJFjizsFBiB5YzrHjVlryojvVmrF858nt1AgeUFC -h8mWd9Y7qsJ+7OeF2BN5qre10LlJnEO3rZPz5OWcOYKCCuGka9nne9LjaouKLnY9 -8Yn4CqRMNhyj+5fXzNiXohJmjn2vZ/dgd/0mwNo5zyeC4z6J9KQuDS+/StGAyvLR -fHppSu8SNctw0EiEephZcDGd/rI6MzpfTwP7b1fy/TD3YcezMPNRRTTH2AxidbXh -/rSMVKWJ0tAucoEX3pR+6CVY8Eb0VZ09+iSqCmWe6Wsb9KN71K60FGVpnEq8BNWc -aRqk0JXugPxuiJIXQLIP8AnxMW/XJoJNDs37OkfFhNkkhRDjT7pmu7l+9eIIYiTI -cxpECB53pd6xlJb08KixDa2hu2UqjmfRe0KA//HaiUJy7RyGkxRbZ1GnMJHrCHCR -/YYyOJbe6yTMnWVI6Auva8WJNuHSZvdvKasAenDAHZy96mUj8FE= -=1rxO ------END PGP SIGNATURE----- +../fetchmail-SA-2021-01.txt
\ No newline at end of file diff --git a/website/fetchmail-SA-2021-02.txt b/website/fetchmail-SA-2021-02.txt new file mode 120000 index 00000000..fa6f0b4f --- /dev/null +++ b/website/fetchmail-SA-2021-02.txt @@ -0,0 +1 @@ +../fetchmail-SA-2021-02.txt
\ No newline at end of file diff --git a/website/host-scripts/upload-website.sh b/website/host-scripts/upload-website.sh index aeee1755..56dad034 100755 --- a/website/host-scripts/upload-website.sh +++ b/website/host-scripts/upload-website.sh @@ -29,7 +29,7 @@ rsync \ --copy-links --times --checksum --verbose \ --exclude host-scripts \ --exclude .git --exclude '*~' --exclude '#*#' \ - * \ + * .htaccess \ "${SOURCEFORGE_LOGIN},fetchmail@web.sourceforge.net:htdocs/" & pids="$pids $!" diff --git a/website/index.html b/website/index.html index 8474b8f7..91c02eda 100644 --- a/website/index.html +++ b/website/index.html @@ -1,5 +1,4 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <link rel="stylesheet" href="sitestyle.css" type="text/css"> @@ -15,7 +14,7 @@ <table width="100%" cellpadding="0" summary="Canned page header"> <tr> <td>Fetchmail</td> -<td align="right"><!-- update date -->2021-08-03</td> +<td align="right"><!-- update date -->2024-01-31</td> </tr> </table> </div> 
@@ -43,21 +42,47 @@ <h1>Fetchmail</h1> <div style="background-color:#c0ffc0;color:#000000;"> - <h1>NEWS: FETCHMAIL 6.5.0-beta4 release</h1> - <p>On 2021-08-03, <a + <h1>NEWS: FETCHMAIL 6.4.38 RELEASE</h1> + <p>On 2024-01-31, <a + href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail + 6.4.38 has been released.</a> It updates translations, and tightens OpenSSL/wolfSSL version requirements in order to track their security fixes and deprecations. + <p>OpenSSL 3.0.9, 3.1.4, 3.2.0 and wolfSSL 5.6.2 (or newer on the respective + compatible branches) remain supported.</p> + <p>6.4.37 updated translations.</p> + <p>6.4.36 updated translations.</p> + <p>6.4.35 updated translations and bumped SSL/TLS library version requirements.</p> + <p>6.4.34 fixed a critical softbounce bug (courtesy of Horváth Zsolt) and updates translations. + <p>6.4.33 updated translations.</p> + <p>6.4.32 updated translations and finds both rst2html5 with and without .py suffix when rebuilding the distribution.</p> + <p>6.4.31 updated the configure script for --with-ssl properly identifying the right + OpenSSL on a system with multiple OpenSSL versions installed, and updates the + manual page and its HTML conversion process, and adds some error checking to the .netrc parser.</p> + <p>6.4.30 updated the Romanian translation (courtesy of Remus-Gabriel + Chelu).</p> + <p>6.4.29 updated the Vietnamese translation (courtesy of Trần Ngọc Quân).</p> + <p>6.4.28 updated the Spanish translation (courtesy of Cristian Othón Martínez + Vera) and added a fix to the manual page (courtesy of Jeremy Petch).</p> + <p>6.4.26 added a wolfSSL compatibility workaround and updated the Serbian translation (courtesy of Miroslav Nikolić).</p> + <p>6.4.25 (released 2021-12-10) updated translations and the manual page and several other documentation + files, adds preliminary wolfSSL 5.0 support on systems that provide a C99 + compiler, fixed up a specific fix for a compatibility issue + with the 
end-of-life OpenSSL 1.0.2 around the expiry of the DST Root CA X3 + certificate which impairs connectivity to Let's-Encrypt-certified sites. + Supported OpenSSL versions 1.1.1 and newer are unaffected.</p> + <p>Note that you should use a supported OpenSSL version, currently 1.1.1 or + 3.0. wolfSSL 5.0 support is currently considered experimental.</p> + <p>Also note that OpenSSL's licensing changed between 1.1.1 and 3.0.0, the + latter now uses the Apache License 2.0. See the file COPYING for + details.</p> + <h1>NEWS: FETCHMAIL 6.5.0.beta9 release</h1> + <p>On 2023-01-06, <a href="https://sourceforge.net/projects/fetchmail/files/branch_6.5/">fetchmail - 6.5.0.beta4 has been released (click this link to download, or to see recent changes).</a> - It fixes the security bug CVE-2021-36386 also fixed in 6.4.20.</p> - <h1>NEWS: FETCHMAIL 6.4.20 RELEASE</h1> - <p>On 2021-07-28, <a - href="https://sourceforge.net/projects/fetchmail/files/branch_6.4/">fetchmail - 6.4.20 has been released (click this link to download, or to see recent changes).</a> - It fixes security bug CVE-2021-36386, see the link under <a href="#security-alerts">SECURITY ALERTS</a> below for details. - </p> - <p>Note that you should use OpenSSL 1.1.1 or newer to compile. 
- OpenSSL 1.0.2 has been in end-of-life status since Late 2019.</p> - <p>Note also that fetchmail 6.3.x versions are discontinued and no longer - supported (the youngest 6.3.26 was released in 2013).</p> + 6.5.0.beta9 has been released (click this link to download, or to see recent changes).</a> + It brings the 6.5.0 betas back in line with 6.4.35, and has a few changes + of its own, including C++17 compatibility, a new IMAP-only --moveto option + to preserve seen message in a separate folder, and fixes Received: lines for time zones + that have sub-minute offsets (usually TAI-based timezones).<br> + Note that lzip as compression is discontinued, fetchmail ships as .tar.xz.</p> </div> <div style="background-color:#ffe0c0;color:#000000;font-size:85%"> @@ -225,8 +250,8 @@ competition. <p><a href="https://sourceforge.net/projects/getlive/">GetLive</a>, a successor to the discontinued Gotmail. (Gotmail was a script to fetch mail from Hotmail, -written by Peter Hawkins, see <a -href="http://linux.cudeso.be/linuxdoc/gotmail.php">gotmail</a>.)</p> +written by Peter Hawkins, which used to live at the now defunct +http://linux.cudeso.be/linuxdoc/gotmail.php)</p> <p>There's a program called <a href="http://mailfilter.sourceforge.net/">mailfilter</a> which can be used diff --git a/website/multidrop.de.html b/website/multidrop.de.html index e132a9d7..c727c051 100644 --- a/website/multidrop.de.html +++ b/website/multidrop.de.html @@ -6,10 +6,10 @@ <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 1st April 2002), see www.w3.org"> - <title>Voraussetzungen fr funktionierendes Multidrop</title> + <title>Voraussetzungen für funktionierendes Multidrop</title> <meta name="author" content="Matthias Andree"> <meta http-equiv="Content-Type" content= - "text/html;charset=iso-8859-15"> + "text/html;charset=utf-8"> <link rev="made" href="mailto:matthias.andree@gmx.de"> <style type="text/css"> <!-- 
@@ -23,7 +23,7 @@ <body> <a href="multidrop.html">Link to English-language version/Link zur englischen Sprachfassung</a> - <h1>Voraussetzungen fr funktionierendes Multidrop</h1> + <h1>Voraussetzungen für funktionierendes Multidrop</h1> <address> <a href="mailto:matthias.andree@gmx.de">Matthias Andree</a> 2003-10-12 
@@ -32,42 +32,42 @@ <h2>Einleitung</h2> <p>Viele Provider bieten ihren Kunden ein POP3-Multidrop oder - "domain-in-a-mailbox"-Schema an, um fr mehrere Empfnger in + "domain-in-a-mailbox"-Schema an, um für mehrere Empfänger in einer Domain die Mail "in einem Rutsch" abholen zu lassen.</p> <p>Oft genug geht so ein Unterfangen dann bei der Mailabholung - schief, die Ursachen und Abhilfen dafr sollen hier nher + schief, die Ursachen und Abhilfen dafür sollen hier näher betrachtet werden.</p> <h2>Eingangsbetrachtungen</h2> - <p>POP3, das Post-Office-Protokoll Version 3, war ursprnglich - dazu gedacht, Mail fr einen einzelnen Benutzer zu - transportieren. Es erhlt den sogenannten Umschlag - ("Envelope"), der die tatschlichen Empfnger und Absender + <p>POP3, das Post-Office-Protokoll Version 3, war ursprünglich + dazu gedacht, Mail für einen einzelnen Benutzer zu + transportieren. Es erhält den sogenannten Umschlag + ("Envelope"), der die tatsächlichen Empfänger und Absender angibt, nicht.</p> <p>Nun wird oft der Absender im Header "Return-Path" - hinterlegt, bezglich des Empfngers kocht sich jeder - Programmierer eines Mailservers seine eigene Suppe. Gngig sind + hinterlegt, bezüglich des Empfängers kocht sich jeder + Programmierer eines Mailservers seine eigene Suppe. Gängig sind "gar nichts" (sendmail), "Delivered-To:" (qmail, evtl. mit - einem Prfix, Postfix), "X-Envelope-To:" (bestimmte + einem Präfix, Postfix), "X-Envelope-To:" (bestimmte procmail-Setups) und "X-Original-To:" (neuere Postfix-Versionen - zustzlich zum Delivered-To:).</p> + zusätzlich zum Delivered-To:).</p> <p><strong>Wichtige Hintergrundinformation:</strong> Die - Mail-HEADER wie To:, Cc:, Bcc: sind fr die Zustellung der Mail - NICHT RELEVANT. Die Mailzustellung erfolgt ausschlielich + Mail-HEADER wie To:, Cc:, Bcc: sind für die Zustellung der Mail + NICHT RELEVANT. 
Die Mailzustellung erfolgt ausschließlich anhand des UMSCHLAGS, wie bei der Sackpost auch!</p> - <p>Es ist zwar hufig so, dass der Umschlag bei der ersten + <p>Es ist zwar häufig so, dass der Umschlag bei der ersten Einlieferung der Mail aus den Headern erzeugt wird, doch NUR - DER UMSCHLAG trgt, im Gegensatz zum HEADER (Briefkopf), die - vollstndige Information:</p> + DER UMSCHLAG trägt, im Gegensatz zum HEADER (Briefkopf), die + vollständige Information:</p> <ul> <li>Bcc: wird bei erster Gelegenheit entfernt, er soll ja - beim Empfnger nicht mehr sichtbar sein</li> + beim Empfänger nicht mehr sichtbar sein</li> <li>To: und Cc: werden bei Mailweiterleitungen nicht an das Ziel angepasst</li> @@ -77,20 +77,20 @@ Liste bestellt hat</li> </ul> - <p>Der Umstand, mehrere Empfnger in einer Mailbox zu - vereinigen, erfordert nun, dass der tatschliche Empfnger der + <p>Der Umstand, mehrere Empfänger in einer Mailbox zu + vereinigen, erfordert nun, dass der tatsächliche Empfänger der Mail hinterlegt wird, damit die Mail richtig zugestellt werden - kann. POP3 trifft hierfr keine Vorkehrungen, daher mssen sie - auerhalb des Protokolls eingerichtet werden. Es bietet sich - hierfr der Mailheader an.</p> + kann. POP3 trifft hierfür keine Vorkehrungen, daher müssen sie + außerhalb des Protokolls eingerichtet werden. Es bietet sich + hierfür der Mailheader an.</p> <h2>Voraussetzungen</h2> <p>Unter bestimmten Voraussetzungen kann POP3-Multidrop dennoch - zuverlssig funktionieren. Diese sind:</p> + zuverlässig funktionieren. Diese sind:</p> <ol> - <li>Der Provider MUSS fr jeden Empfnger der eigenen Domain + <li>Der Provider MUSS für jeden Empfänger der eigenen Domain eine Kopie der Mail in die Mailbox werfen.</li> <li>Der Provider MUSS in JEDER Mail den sogenannten "Envelope 
@@ -101,7 +101,7 @@ <li>Der POP3-Client (Mercury/32, fetchmail, getmail, ...) MUSS den Header, in dem der "Envelope Recipient" hinterlegt - ist, zuverlssig erkennen und ausschlielich anhand seiner + ist, zuverlässig erkennen und ausschließlich anhand seiner die Mail zustellen.</li> <li><strong>Der POP3-Client DARF KEINESFALLS die To: oder @@ -112,32 +112,32 @@ vertretbar).</strong></li> </ol> - <h2>Erklrungen</h2> + <h2>Erklärungen</h2> <dl> <dt>Ad 1:</dt> - <dd>Ist diese Voraussetzung nicht erfllt, werden bei Mails, - die an mehrere Empfnger der eigenen Domain gehen, einige - Empfnger die Mail nicht bekommen.</dd> + <dd>Ist diese Voraussetzung nicht erfüllt, werden bei Mails, + die an mehrere Empfänger der eigenen Domain gehen, einige + Empfänger die Mail nicht bekommen.</dd> <dt>Ad 2:</dt> <dd> - Ist diese Voraussetzung nicht erfllt, kommt es zu + Ist diese Voraussetzung nicht erfüllt, kommt es zu Fehlzustellungen. Der Versuch, die Information aus den - Mailheadern selbst (To:, Cc:) zu entnehmen, ist gefhrlich - und unzuverlssig: + Mailheadern selbst (To:, Cc:) zu entnehmen, ist gefährlich + und unzuverlässig: <ul> - <li>Einerseits kann Mail an Mailinglisten zurckgeschickt + <li>Einerseits kann Mail an Mailinglisten zurückgeschickt werden, deren Adresse oft im To:- oder Cc:-Header steht, - was eine Mailschleife auslst, die unbedingt vermieden + was eine Mailschleife auslöst, die unbedingt vermieden werden muss (weil sie Kosten verursacht)</li> - <li>andererseits ist die Regenerierung von Empfngern, + <li>andererseits ist die Regenerierung von Empfängern, die beim Absender im "Bcc:"-Header eingetragen waren, - nicht mglich, da der Bcc:-Header beim Transport entfernt + nicht möglich, da der Bcc:-Header beim Transport entfernt werden muss, wie der Name "Blind Carbon Copy" schon andeutet.</li> </ul> diff --git a/website/multidrop.html b/website/multidrop.html index 2de3efc3..aa885ef9 100644 --- a/website/multidrop.html +++ b/website/multidrop.html 
@@ -9,7 +9,7 @@ <title>Requisites for working multidrop mailboxes</title> <meta name="author" content="Matthias Andree"> <meta http-equiv="Content-Type" content= - "text/html;charset=iso-8859-15"> + "text/html;charset=utf-8"> <link rev="made" href="mailto:matthias.andree@gmx.de"> <style type="text/css"> <!-- diff --git a/website/security.html b/website/security.html index 98129b07..113015b6 100644 --- a/website/security.html +++ b/website/security.html @@ -27,10 +27,10 @@ <a href="fetchmail-FAQ.html" title="Fetchmail FAQ">FAQ</a><br> <a href="fetchmail-FAQ.pdf" title="Fetchmail FAQ as PDF">FAQ (PDF)</a><br> <a href="design-notes.html">Design Notes</a><br> - <a href="http://sourceforge.net/projects/fetchmail/files/">Download</a><br> + <a href="https://sourceforge.net/projects/fetchmail/files/">Download</a><br> Security/Errata<br> <a href="https://gitlab.com/fetchmail/fetchmail/">Development</a><br> - <a href="http://sourceforge.net/projects/fetchmail/">Project Page</a><br> + <a href="https://sourceforge.net/projects/fetchmail/">Project Page</a><br> <hr> </div> 
@@ -49,25 +49,28 @@ <li><a name="cve-2012-3482" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3482">CVE-2012-3482:</a> --> + <li><a name="cve-2021-39272" + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39272">CVE-2021-39272:</a> + Fetchmail would <a href="fetchmail-SA-2021-02.txt">fail to negotiate a TLS encrypted session in some circumstances, continuing a clear-text connection.</a></li> <li><a name="cve-2021-36386" - href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a> + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386:</a> Fetchmail could <a href="fetchmail-SA-2021-01.txt">log possibly sensitive data or garbage, or crash, when logging information longer than 2 kB, on some systems.</a></li> <li><a name="cve-2012-3482" - href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a> + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482:</a> Fetchmail could <a href="fetchmail-SA-2012-02.txt">crash and possibly reveal fragments of confidential data</a> during NTLM authentication.</li> <li><a name="cve-2011-3389" - href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389">CVE-2011-3389:</a> + href="https://nvd.nist.gov/vuln/detail/CVE-2011-3389">CVE-2011-3389:</a> <a href="fetchmail-SA-2012-01.txt">Fetchmail was vulnerable to chosen-plaintext attacks against cipher block chaining initialization vectors because it disabled an OpenSSL countermeasure against this attack.</a> </li> <li><a name="cve-2011-1947" - href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1947">CVE-2011-1947:</a> + href="https://nvd.nist.gov/vuln/detail/CVE-2011-1947">CVE-2011-1947:</a> Fetchmail <a href="fetchmail-SA-2011-01.txt"> could hang for indefinite amounts of time during STARTTLS negotiations</a>, causing mail fetches to stall. This was a long-standing bug 
@@ -77,7 +80,7 @@ properly.</a> This was a long-standing bug fixed in release 6.3.18.</li> <li><a name="cve-2010-1167" - href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1167">CVE-2010-1167:</a> + href="https://nvd.nist.gov/vuln/detail/CVE-2010-1167">CVE-2010-1167:</a> Fetchmail <a href="fetchmail-SA-2010-02.txt">could exhaust all available memory and abort on certain computers (for instance Linux) in multibyte locales (for instance UTF-8) 
@@ -85,21 +88,21 @@ This bug was introduced long before 6.0.0 and has been fixed in release 6.3.17.</li> <li><a name="cve-2010-0562" - href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0562">CVE-2010-0562:</a> Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li> - <li><a name="cve-2009-2666" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li> - <li><a name="cve-2008-2711" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li> - <li><a name="cve-2007-4565" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. 
For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 
6.2.5.5 and 6.3.1 have this bug fixed.</li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li> - <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li> + href="https://nvd.nist.gov/vuln/detail/CVE-2010-0562">CVE-2010-0562:</a> Fetchmail <a href="fetchmail-SA-2010-01.txt">would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type.</a> This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.</li> + <li><a name="cve-2009-2666" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2666">CVE-2009-2666:</a> Fetchmail <a href="fetchmail-SA-2009-01.txt">was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected.</a> This bug has been fixed in release 6.3.11. For previous versions, use the <a href="fetchmail-SA-2009-01.txt">patch contained in the security announcement.</a></li> + <li><a name="cve-2008-2711" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2711">CVE-2008-2711:</a> Fetchmail can <a href="fetchmail-SA-2008-01.txt">crash in verbose mode when logging long message headers.</a> This bug has been fixed in release 6.3.9. 
For 6.3.8, use the <a href="fetchmail-SA-2008-01.txt">patch contained in the security announcement.</a></li> + <li><a name="cve-2007-4565" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4565">CVE-2007-4565:</a> Fetchmail can <a href="fetchmail-SA-2007-02.txt">crash when the SMTP server refuses a warning message generated by fetchmail.</a> This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the <a href="fetchmail-SA-2007-02.txt">patch contained in this security announcement.</a></li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558">CVE-2007-1558:</a> Fetchmail's APOP client was found to <a href="fetchmail-SA-2007-01.txt">validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be.</a> This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.</li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5974">CVE-2006-5974:</a> Fetchmail was found to <a href="fetchmail-SA-2006-03.txt">crash when refusing a message that was bound to be delivered by an MDA.</a> This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.</li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5867">CVE-2006-5867:</a> Fetchmail was found to <a href="fetchmail-SA-2006-02.txt">omit TLS or send the password in clear text despite the configuration stating otherwise.</a> This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.</li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321">CVE-2006-0321:</a> Fetchmail was found to <a href="fetchmail-SA-2006-01.txt">crash after bouncing a message with bad addresses. 
This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.</a></li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348">CVE-2005-4348:</a> Fetchmail was found to contain <a href="fetchmail-SA-2005-03.txt">a bug (null pointer dereference) that can be exploited to a denial of service attack</a> when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.</li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088">CVE-2005-3088:</a> Fetchmailconf was found to <a href="fetchmail-SA-2005-02.txt">open the configuration files world-readable, writing data to them, and only then tightening up permissions</a>, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.</li> + <li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2335">CVE-2005-2335:</a> Fetchmail was found to contain a <a href="fetchmail-SA-2005-01.txt">remotely exploitable code injection vulnerability (potentially privileged code)</a> in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)</li> </ul> <p style="font-size:100%"><strong>Please <a - href="http://sourceforge.net/projects/fetchmail/files/">update + href="https://sourceforge.net/projects/fetchmail/files/">update to the newest fetchmail version</a>.</strong></p> </div> </body> |
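Review bot: in the website/.htaccess hunk, `AddCharset UTF-8 .txt` only labels .txt responses; it is what makes the non-ASCII text in the advisories (for example "Tübingen" in fetchmail-SA-2021-01.txt) render correctly now that those files are served through symlinks, while the .html pages still rely on their own `<meta http-equiv="Content-Type" ...>` declarations. A one-line comment in the file saying why it exists would help the next editor, and since AddCharset labels rather than converts, a check that every .txt under website/ is actually UTF-8 encoded belongs in the upload step.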
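Review bot: in the fetchmail-SA-2021-01.txt hunk, replacing the checked-in copy with a symlink to ../fetchmail-SA-2021-01.txt removes duplicated PGP-signed text, but the website build now depends on the parent file existing and on `--copy-links` in upload-website.sh to dereference it; without that flag SourceForge htdocs/ would receive a dangling link. That dependency deserves a comment next to the rsync call, and the target should be confirmed to carry the same signed text as the removed copy, including the "1.1 update Git commit hash" revision the old signature covered.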
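Review bot: in the upload-website.sh hunk, the change from `* \` to `* .htaccess \` is needed because the shell glob `*` does not match dotfiles, so the new .htaccess would otherwise never reach htdocs/. Two follow-ups: any other dotfile added later will be skipped the same way, and rsync will now fail for this argument if website/.htaccess is ever removed, so either keep the explicit name in sync or rsync the directory contents (`./` instead of `*`) and rely on the existing `--exclude .git --exclude '*~' --exclude '#*#'` list.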
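Review bot: in the index.html news hunk, two new paragraphs are never closed: the one ending "security fixes and deprecations." and the 6.4.34 one ending "and updates translations." lack `</p>`; HTML 4.01 Transitional tolerates that, but every other entry in the list closes its paragraph, so close these for consistency. The 6.4.25 paragraph also still says "you should use a supported OpenSSL version, currently 1.1.1 or 3.0", which contradicts the 6.4.38 paragraph above it listing OpenSSL 3.0.9, 3.1.4, 3.2.0 and wolfSSL 5.6.2 as the supported versions; either date the older note or drop it. Minor wording: "preserve seen message" should read "seen messages", and the 6.4.34 entry mixes "fixed" with "updates".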
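Review bot: in the index.html gotmail hunk, the rewritten sentence drops the full stop before the closing parenthesis: `http://linux.cudeso.be/linuxdoc/gotmail.php)</p>` should end `gotmail.php.)</p>` to match the sentence it replaced.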
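Review bot: in the multidrop.de.html charset hunk, the `-` lines show the umlauts already missing ("fr", "Empfnger"), so the old iso-8859-15 bytes had been lost before this change and the `+` lines restore them as UTF-8. Please verify the file on disk is now valid UTF-8 rather than merely relabeled, for example with `iconv -f UTF-8 -t UTF-8 website/multidrop.de.html >/dev/null`, which fails on invalid sequences; and consider dropping the stale "HTML Tidy for Linux/x86 (vers 1st April 2002)" generator meta while the head is being edited.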
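Review bot: in the multidrop.html hunk, only the charset declaration changes and no content lines are touched; that is safe only if the file contains no bytes above 0x7F, otherwise any iso-8859-15 characters in the body would now be served under the wrong label. A quick `LC_ALL=C grep -n '[^[:print:][:space:]]' website/multidrop.html` before merge settles it.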
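Review bot: in the security.html hunk adding CVE-2021-39272, the new entry is the only one in the list that does not say which release fixed the bug; every sibling entry names a fixed-in version (for example "fixed in release 6.3.18" for CVE-2011-1947). Add the fixed-in release to the entry, and consider stating the affected configuration the way the CVE-2021-36386 entry does ("on some systems"), since "in some circumstances" sends readers to the advisory for the one fact they most need when deciding whether to upgrade.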
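Review bot: the final security.html hunk rewrites the full text of nine entries to change only `http://` to `https://` (and the NVD URL form), which makes the substantive part of this commit hard to see; the result is fine, but the CVE-2010-0562 change is split awkwardly between a `-` line carrying the old NVD URL and a `+` line carrying the new one. While these lines are being touched anyway, the CVE-2007-1558 and older entries still lack the `name="cve-..."` anchors the newer entries have, so in-page links to them cannot work; adding them here would be cheap.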