| VuXML ID | Description |
|---|
| 5238ac45-9d8c-11db-858b-0060084a00e5 | fetchmail -- TLS enforcement problem/MITM attack/password exposure
Matthias Andree reports:
Fetchmail has had several longstanding password disclosure
vulnerabilities.
- sslcertck/sslfingerprint options should have implied
"sslproto tls1" in order to enforce TLS negotiation,
but did not.
- Even with "sslproto tls1" in the config, fetches
would go ahead in plain text if STLS/STARTTLS wasn't available
(not advertised, or advertised but rejected).
- POP3 fetches could completely ignore all TLS options
whether available or not because it didn't reliably issue
CAPA before checking for STLS support - but CAPA is a
requisite for STLS. Whether or not CAPAbilities were probed,
depended on the "auth" option. (Fetchmail only
tried CAPA if the auth option was not set at all, was set
to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)
- POP3 could fall back to using plain text passwords, even
if strong authentication had been configured.
- POP2 would not complain if strong authentication or TLS
had been requested.
Discovery 2007-01-04
Entry 2007-01-06
fetchmail
< 6.3.6
CVE-2006-5867
http://www.fetchmail.info/fetchmail-SA-2006-02.txt
|
| 45500f74-5947-11dc-87c1-000e2e5785ad | fetchmail -- denial of service on reject of local warning message
Matthias Andree reports:
fetchmail will generate warning messages in certain
circumstances (for instance, when leaving oversized messages
on the server or login to the upstream fails) and send them
to the local postmaster or the user running it.
If this warning message is then refused by the SMTP listener
that fetchmail is forwarding the message to, fetchmail
crashes and does not collect further messages until it is
restarted.
Discovery 2007-07-29
Entry 2007-09-02
fetchmail
ge 4.6.8 lt 6.3.8_4
CVE-2007-4565
http://www.fetchmail.info/fetchmail-SA-2007-02.txt
|
| 168190df-3e9a-11dd-87bc-000ea69a5213 | fetchmail -- potential crash in -v -v verbose mode
Matthias Andree reports:
Gunter Nau reported fetchmail crashing on some messages; further
debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic
dug up that this happened when fetchmail was trying to print, in
-v -v verbose level, headers exceeding 2048 bytes. In this
situation, fetchmail would resize the buffer and fill in further
parts of the message, but forget to reinitialize its va_list
typed source pointer, thus reading data from a garbage address found
on the stack at addresses above the function arguments the caller
passed in; usually that would be the caller's stack frame.
Discovery 2008-06-13
Entry 2008-06-20
fetchmail
< 6.3.8_6
CVE-2008-2711
http://www.fetchmail.info/fetchmail-SA-2008-01.txt
|
| cbfd1874-efea-11eb-8fe9-036bd763ff35 | fetchmail -- 6.4.19 and older denial of service or information disclosure
Matthias Andree reports:
When a log message exceeds c. 2 kByte in size, for instance, with very long
header contents, and depending on verbosity option, fetchmail can crash or
misreport each first log message that requires a buffer reallocation.
Discovery 2021-07-07
Entry 2021-07-28
Modified 2021-08-03
fetchmail
< 6.3.9
ge 6.3.17 lt 6.4.20
CVE-2021-36386
CVE-2008-2711
https://sourceforge.net/p/fetchmail/mailman/message/37327392/
|
| 5179d85c-8683-11de-91b9-0022157515b2 | fetchmail -- improper SSL certificate subject verification
Matthias Andree reports:
Moxie Marlinspike demonstrated in July 2009 that some CAs would
sign certificates that contain embedded NUL characters in the
Common Name or subjectAltName fields of ITU-T X.509
certificates.
Applications that would treat such X.509 strings as
NUL-terminated C strings (rather than strings that contain an
explicit length field) would only check the part up to and
excluding the NUL character, so that certificate names such as
www.good.example\0www.bad.example.com would be mistaken as a
certificate name for www.good.example. fetchmail also had this
design and implementation flaw.
Discovery 2009-08-06
Entry 2009-08-11
Modified 2009-08-13
fetchmail
< 6.3.11
CVE-2009-2666
http://www.fetchmail.info/fetchmail-SA-2009-01.txt
|
| 09910d76-4c82-11df-83fb-0015587e2cc1 | fetchmail -- denial of service vulnerability
Fetchmail developer Matthias Andree reported a vulnerability
that allows remote attackers to crash the application
when it is runs in verbose mode.
Fetchmail before release 6.3.17 did not properly
sanitize external input (mail headers and UID). When a
multi-character locale (such as UTF-8) was in use, this
could cause memory exhaustion and thus a denial of
service.
Discovery 2010-04-18
Entry 2010-04-20
fetchmail
ge 4.6.3 le 6.3.16
CVE-2010-1167
ports/145857
http://gitorious.org/fetchmail/fetchmail/commit/ec06293
http://seclists.org/oss-sec/2010/q2/76
|
| 83f9e943-e664-11e1-a66d-080027ef73ec | fetchmail -- two vulnerabilities in NTLM authentication
Matthias Andree reports:
With NTLM support enabled, fetchmail might mistake a server-side
error message during NTLM protocol exchange for protocol data,
leading to a SIGSEGV.
Also, with a carefully crafted NTLM challenge, a malicious server
might cause fetchmail to read from a bad memory location, betraying
confidential data. It is deemed hard, although not impossible, to
steal other accounts' data.
Discovery 2012-08-12
Entry 2012-08-14
Modified 2012-08-27
fetchmail
ge 5.0.8 lt 6.3.21_1
CVE-2012-3482
|
| f1c4d133-e6d3-11db-99ea-0060084a00e5 | fetchmail -- insecure APOP authentication
Matthias Andree reports:
The POP3 standard, currently RFC-1939, has specified an optional,
MD5-based authentication scheme called "APOP" which no longer
should be considered secure.
Additionally, fetchmail's POP3 client implementation has been
validating the APOP challenge too lightly and accepted random
garbage as a POP3 server's APOP challenge. This made it easier
than necessary for man-in-the-middle attackers to retrieve by
several probing and guessing the first three characters of the
APOP secret, bringing brute forcing the remaining characters well
within reach.
Discovery 2007-04-06
Entry 2007-04-09
fetchmail
< 6.3.8
CVE-2007-1558
http://www.fetchmail.info/fetchmail-SA-2007-01.txt
|
| 1e8e63c0-478a-11dd-a88d-000ea69a5213 | fetchmail -- potential crash in -v -v verbose mode (revised patch)
Matthias Andree reports:
2008-06-24 1.2 also fixed issue in report_complete (reported by
Petr Uzel)
Discovery 2008-06-24
Entry 2008-07-01
fetchmail
< 6.3.8_7
CVE-2008-2711
http://www.fetchmail.info/fetchmail-SA-2008-01.txt
|
| 1d6410e8-06c1-11ec-a35d-03ca114d16d6 | fetchmail -- STARTTLS bypass vulnerabilities
Problem:
In certain circumstances, fetchmail 6.4.21 and older would
not encrypt the session using STARTTLS/STLS, and might not have
cleared session state across the TLS negotiation.
Discovery 2021-08-10
Entry 2021-08-26
fetchmail
< 6.4.22.r1
CVE-2021-39272
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
|
| f7d838f2-9039-11e0-a051-080027ef73ec | fetchmail -- STARTTLS denial of service
Matthias Andree reports:
Fetchmail version 5.9.9 introduced STLS support for POP3,
version 6.0.0 added STARTTLS for IMAP. However, the actual
S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded
by a timeout.
Depending on the operating system defaults as to TCP stream
keepalive mode, fetchmail hangs in excess of one week after
sending STARTTLS were observed if the connection failed without
notifying the operating system, for instance, through network
outages or hard server crashes.
A malicious server that does not respond, at the network level,
after acknowledging fetchmail's STARTTLS or STLS request, can
hold fetchmail in this protocol state, and thus render fetchmail
unable to complete the poll, or proceed to the next server,
effecting a denial of service.
SSL-wrapped mode on dedicated ports was unaffected by this
problem, so can be used as a workaround.
Discovery 2011-04-28
Entry 2011-06-06
fetchmail
< 6.3.20
CVE-2011-1947
http://www.fetchmail.info/fetchmail-SA-2011-01.txt
https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314
|