VuXML ID | Description |
5179d85c-8683-11de-91b9-0022157515b2 | fetchmail -- improper SSL certificate subject verification
Matthias Andree reports:
Moxie Marlinspike demonstrated in July 2009 that some CAs would
sign certificates that contain embedded NUL characters in the
Common Name or subjectAltName fields of ITU-T X.509
certificates.
Applications that would treat such X.509 strings as
NUL-terminated C strings (rather than strings that contain an
explicit length field) would only check the part up to and
excluding the NUL character, so that certificate names such as
www.good.example\0www.bad.example.com would be mistaken as a
certificate name for www.good.example. fetchmail also had this
design and implementation flaw.
Discovery 2009-08-06 Entry 2009-08-11 Modified 2009-08-13 fetchmail
< 6.3.11
CVE-2009-2666
http://www.fetchmail.info/fetchmail-SA-2009-01.txt
|
09910d76-4c82-11df-83fb-0015587e2cc1 | fetchmail -- denial of service vulnerability
Fetchmail developer Matthias Andree reported a vulnerability
that allows remote attackers to crash the application
when it is runs in verbose mode.
Fetchmail before release 6.3.17 did not properly
sanitize external input (mail headers and UID). When a
multi-character locale (such as UTF-8) was in use, this
could cause memory exhaustion and thus a denial of
service.
Discovery 2010-04-18 Entry 2010-04-20 fetchmail
ge 4.6.3 le 6.3.16
CVE-2010-1167
ports/145857
http://gitorious.org/fetchmail/fetchmail/commit/ec06293
http://seclists.org/oss-sec/2010/q2/76
|
18ce9a90-f269-11e1-be53-080027ef73ec | fetchmail -- chosen plaintext attack against SSL CBC initialization vectors
Matthias Andree reports:
Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL)
which contains a switch to disable a countermeasure against certain
attacks against block ciphers that permit guessing the
initialization vectors, providing that an attacker can make the
application (fetchmail) encrypt some data for him -- which is not
easily the case.
Stream ciphers (such as RC4) are unaffected.
Credits to Apple Product Security for reporting this.
Discovery 2012-01-19 Entry 2012-08-30 fetchmail
ge 6.3.9 lt 6.3.22
CVE-2011-3389
|
1d6410e8-06c1-11ec-a35d-03ca114d16d6 | fetchmail -- STARTTLS bypass vulnerabilities
Problem:
In certain circumstances, fetchmail 6.4.21 and older would
not encrypt the session using STARTTLS/STLS, and might not have
cleared session state across the TLS negotiation.
Discovery 2021-08-10 Entry 2021-08-26 fetchmail
< 6.4.22.r1
CVE-2021-39272
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
|
f7d838f2-9039-11e0-a051-080027ef73ec | fetchmail -- STARTTLS denial of service
Matthias Andree reports:
Fetchmail version 5.9.9 introduced STLS support for POP3,
version 6.0.0 added STARTTLS for IMAP. However, the actual
S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded
by a timeout.
Depending on the operating system defaults as to TCP stream
keepalive mode, fetchmail hangs in excess of one week after
sending STARTTLS were observed if the connection failed without
notifying the operating system, for instance, through network
outages or hard server crashes.
A malicious server that does not respond, at the network level,
after acknowledging fetchmail's STARTTLS or STLS request, can
hold fetchmail in this protocol state, and thus render fetchmail
unable to complete the poll, or proceed to the next server,
effecting a denial of service.
SSL-wrapped mode on dedicated ports was unaffected by this
problem, so can be used as a workaround.
Discovery 2011-04-28 Entry 2011-06-06 fetchmail
< 6.3.20
CVE-2011-1947
http://www.fetchmail.info/fetchmail-SA-2011-01.txt
https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314
|
83f9e943-e664-11e1-a66d-080027ef73ec | fetchmail -- two vulnerabilities in NTLM authentication
Matthias Andree reports:
With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.
Also, with a carefully crafted NTLM challenge, a malicious server
might cause fetchmail to read from a bad memory location, betraying
confidential data. It is deemed hard, although not impossible, to
steal other accounts' data.
Discovery 2012-08-12 Entry 2012-08-14 Modified 2012-08-27 fetchmail
ge 5.0.8 lt 6.3.21_1
CVE-2012-3482
|