From 44431fed03e02e618d4b82c729822c605fbcb5d6 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 27 Aug 2021 00:17:28 +0200 Subject: get ready for 6.4.22.rc1. --- website/fetchmail-SA-2021-02.txt | 1 + website/index.html | 10 +++++++++- website/security.html | 41 +++++++++++++++++++++------------------- 3 files changed, 32 insertions(+), 20 deletions(-) create mode 120000 website/fetchmail-SA-2021-02.txt (limited to 'website') diff --git a/website/fetchmail-SA-2021-02.txt b/website/fetchmail-SA-2021-02.txt new file mode 120000 index 00000000..fa6f0b4f --- /dev/null +++ b/website/fetchmail-SA-2021-02.txt @@ -0,0 +1 @@ +../fetchmail-SA-2021-02.txt \ No newline at end of file diff --git a/website/index.html b/website/index.html index 8c69a5f5..bf7d9d61 100644 --- a/website/index.html +++ b/website/index.html @@ -15,7 +15,7 @@ - +
Fetchmail2021-08-092021-08-26
@@ -43,6 +43,14 @@

Fetchmail

+

NEWS: FETCHMAIL 6.4.22.rc1 RELEASE CANDIDATE

+

On 2021-08-26, fetchmail + 6.4.22.rc1 has been released (click this link to download, or to see recent changes). + It fixes STARTTLS and other protocol-based vulnerabilities, + CVE-2021-39272, see the link under SECURITY + ALERTS for details. +

NEWS: FETCHMAIL 6.4.21 RELEASE

On 2021-08-09, fetchmail diff --git a/website/security.html b/website/security.html index 98129b07..113015b6 100644 --- a/website/security.html +++ b/website/security.html @@ -27,10 +27,10 @@ FAQ
FAQ (PDF)
Design Notes
- Download
+ Download
Security/Errata
Development
- Project Page
+ Project Page


@@ -49,25 +49,28 @@
  • CVE-2012-3482: --> +
  • CVE-2021-39272: + Fetchmail would fail to negotiate a TLS encrypted session in some circumstances, continuing a clear-text connection.
  • CVE-2021-36386: + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36386">CVE-2021-36386: Fetchmail could log possibly sensitive data or garbage, or crash, when logging information longer than 2 kB, on some systems.
  • CVE-2012-3482: + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482">CVE-2012-3482: Fetchmail could crash and possibly reveal fragments of confidential data during NTLM authentication.
  • CVE-2011-3389: + href="https://nvd.nist.gov/vuln/detail/CVE-2011-3389">CVE-2011-3389: Fetchmail was vulnerable to chosen-plaintext attacks against cipher block chaining initialization vectors because it disabled an OpenSSL countermeasure against this attack.
  • CVE-2011-1947: + href="https://nvd.nist.gov/vuln/detail/CVE-2011-1947">CVE-2011-1947: Fetchmail could hang for indefinite amounts of time during STARTTLS negotiations, causing mail fetches to stall. This was a long-standing bug @@ -77,7 +80,7 @@ properly. This was a long-standing bug fixed in release 6.3.18.
  • CVE-2010-1167: + href="https://nvd.nist.gov/vuln/detail/CVE-2010-1167">CVE-2010-1167: Fetchmail could exhaust all available memory and abort on certain computers (for instance Linux) in multibyte locales (for instance UTF-8) @@ -85,21 +88,21 @@ This bug was introduced long before 6.0.0 and has been fixed in release 6.3.17.
  • CVE-2010-0562: Fetchmail would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type. This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14.
  • -
  • CVE-2009-2666: Fetchmail was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected. This bug has been fixed in release 6.3.11. For previous versions, use the patch contained in the security announcement.
  • -
  • CVE-2008-2711: Fetchmail can crash in verbose mode when logging long message headers. This bug has been fixed in release 6.3.9. For 6.3.8, use the patch contained in the security announcement.
  • -
  • CVE-2007-4565: Fetchmail can crash when the SMTP server refuses a warning message generated by fetchmail. This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the patch contained in this security announcement.
  • -
  • CVE-2007-1558: Fetchmail's APOP client was found to validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be. This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.
  • -
  • CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.
  • -
  • CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.
  • -
  • CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.
  • -
  • CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.
  • -
  • CVE-2005-3088: Fetchmailconf was found to open the configuration files world-readable, writing data to them, and only then tightening up permissions, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.
  • -
  • CVE-2005-2335: Fetchmail was found to contain a remotely exploitable code injection vulnerability (potentially privileged code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)
  • + href="https://nvd.nist.gov/vuln/detail/CVE-2010-0562">CVE-2010-0562: Fetchmail would overrun the heap when displaying X.509 TLS/SSL certificates with characters with high bit set in verbose mode on platforms where char is a signed type. This bug was introduced in release 6.3.11 and has been fixed in release 6.3.14. +
  • CVE-2009-2666: Fetchmail was found to validate SSL/TLS X.509 certificates improperly and allow man-in-the-middle-attacks to go undetected. This bug has been fixed in release 6.3.11. For previous versions, use the patch contained in the security announcement.
  • +
  • CVE-2008-2711: Fetchmail can crash in verbose mode when logging long message headers. This bug has been fixed in release 6.3.9. For 6.3.8, use the patch contained in the security announcement.
  • +
  • CVE-2007-4565: Fetchmail can crash when the SMTP server refuses a warning message generated by fetchmail. This bug was introduced in fetchmail 4.6.8 and has been fixed in release 6.3.9. For 6.3.8, use the patch contained in this security announcement.
  • +
  • CVE-2007-1558: Fetchmail's APOP client was found to validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be. This bug was long-standing, fetchmail 6.3.8 and newer validate the APOP challenge more strictly.
  • +
  • CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.
  • +
  • CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.
  • +
  • CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.
  • +
  • CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.
  • +
  • CVE-2005-3088: Fetchmailconf was found to open the configuration files world-readable, writing data to them, and only then tightening up permissions, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.
  • +
  • CVE-2005-2335: Fetchmail was found to contain a remotely exploitable code injection vulnerability (potentially privileged code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)
  • Please update + href="https://sourceforge.net/projects/fetchmail/files/">update to the newest fetchmail version.

    -- cgit v1.2.3