fetchmail-6.3.26-13.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10194 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z fetchmail-6.3.26-13.4 on GA media These are all security issues fixed in the fetchmail-6.3.26-13.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10194 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10194 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-2666/ SUSE CVE CVE-2009-2666 page https://www.suse.com/security/cve/CVE-2010-1167/ SUSE CVE CVE-2010-1167 page https://www.suse.com/security/cve/CVE-2011-1947/ SUSE CVE CVE-2011-1947 page https://www.suse.com/security/cve/CVE-2011-3389/ SUSE CVE CVE-2011-3389 page https://www.suse.com/security/cve/CVE-2012-3482/ SUSE CVE CVE-2012-3482 page openSUSE Tumbleweed fetchmail-6.3.26-13.4 fetchmailconf-6.3.26-13.4 fetchmail-6.3.26-13.4 as a component of openSUSE Tumbleweed fetchmailconf-6.3.26-13.4 as a component of openSUSE Tumbleweed socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVE-2009-2666 openSUSE Tumbleweed:fetchmail-6.3.26-13.4 openSUSE Tumbleweed:fetchmailconf-6.3.26-13.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2666.html CVE-2009-2666 https://bugzilla.suse.com/528746 SUSE Bug 528746 fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list. CVE-2010-1167 openSUSE Tumbleweed:fetchmail-6.3.26-13.4 openSUSE Tumbleweed:fetchmailconf-6.3.26-13.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-1167.html CVE-2010-1167 https://bugzilla.suse.com/597673 SUSE Bug 597673 fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. CVE-2011-1947 openSUSE Tumbleweed:fetchmail-6.3.26-13.4 openSUSE Tumbleweed:fetchmailconf-6.3.26-13.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1947.html CVE-2011-1947 https://bugzilla.suse.com/697368 SUSE Bug 697368 The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVE-2011-3389 openSUSE Tumbleweed:fetchmail-6.3.26-13.4 openSUSE Tumbleweed:fetchmailconf-6.3.26-13.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3389.html CVE-2011-3389 https://bugzilla.suse.com/716002 SUSE Bug 716002 https://bugzilla.suse.com/719047 SUSE Bug 719047 https://bugzilla.suse.com/725167 SUSE Bug 725167 https://bugzilla.suse.com/726096 SUSE Bug 726096 https://bugzilla.suse.com/739248 SUSE Bug 739248 https://bugzilla.suse.com/739256 SUSE Bug 739256 https://bugzilla.suse.com/742306 SUSE Bug 742306 https://bugzilla.suse.com/751718 SUSE Bug 751718 https://bugzilla.suse.com/759666 SUSE Bug 759666 https://bugzilla.suse.com/763598 SUSE Bug 763598 https://bugzilla.suse.com/814655 SUSE Bug 814655 Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. CVE-2012-3482 openSUSE Tumbleweed:fetchmail-6.3.26-13.4 openSUSE Tumbleweed:fetchmailconf-6.3.26-13.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3482.html CVE-2012-3482 https://bugzilla.suse.com/775988 SUSE Bug 775988