fetchmail-6.4.21-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10753 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z fetchmail-6.4.21-2.1 on GA media These are all security issues fixed in the fetchmail-6.4.21-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10753 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10753 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2006-0321/ SUSE CVE CVE-2006-0321 page https://www.suse.com/security/cve/CVE-2006-5867/ SUSE CVE CVE-2006-5867 page https://www.suse.com/security/cve/CVE-2006-5974/ SUSE CVE CVE-2006-5974 page https://www.suse.com/security/cve/CVE-2007-1558/ SUSE CVE CVE-2007-1558 page https://www.suse.com/security/cve/CVE-2007-4565/ SUSE CVE CVE-2007-4565 page https://www.suse.com/security/cve/CVE-2021-36386/ SUSE CVE CVE-2021-36386 page openSUSE Tumbleweed fetchmail-6.4.21-2.1 fetchmailconf-6.4.21-2.1 fetchmail-6.4.21-2.1 as a component of openSUSE Tumbleweed fetchmailconf-6.4.21-2.1 as a component of openSUSE Tumbleweed fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster. CVE-2006-0321 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-0321.html CVE-2006-0321 https://bugzilla.suse.com/140475 SUSE Bug 140475 fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. CVE-2006-5867 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-5867.html CVE-2006-5867 https://bugzilla.suse.com/223507 SUSE Bug 223507 fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions. CVE-2006-5974 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2006-5974.html CVE-2006-5974 https://bugzilla.suse.com/223507 SUSE Bug 223507 https://bugzilla.suse.com/239002 SUSE Bug 239002 The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products. CVE-2007-1558 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-1558.html CVE-2007-1558 https://bugzilla.suse.com/262450 SUSE Bug 262450 https://bugzilla.suse.com/271197 SUSE Bug 271197 https://bugzilla.suse.com/279843 SUSE Bug 279843 https://bugzilla.suse.com/281321 SUSE Bug 281321 https://bugzilla.suse.com/281323 SUSE Bug 281323 sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP. CVE-2007-4565 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2007-4565.html CVE-2007-4565 https://bugzilla.suse.com/308271 SUSE Bug 308271 report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user. CVE-2021-36386 openSUSE Tumbleweed:fetchmail-6.4.21-2.1 openSUSE Tumbleweed:fetchmailconf-6.4.21-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-36386.html CVE-2021-36386 https://bugzilla.suse.com/1188875 SUSE Bug 1188875 https://bugzilla.suse.com/1224188 SUSE Bug 1224188