FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID: Description

09910d76-4c82-11df-83fb-0015587e2cc1: fetchmail -- denial of service vulnerability

Fetchmail developer Matthias Andree reported a vulnerability that allows remote attackers to crash the application when it is run in verbose mode.

Fetchmail before release 6.3.17 did not properly sanitize external input (mail headers and UID). When a multi-character locale (such as UTF-8) was in use, this could cause memory exhaustion and thus a denial of service.


Discovery 2010-04-18
Entry 2010-04-20
fetchmail
ge 4.6.3 le 6.3.16

CVE-2010-1167
ports/145857
http://gitorious.org/fetchmail/fetchmail/commit/ec06293
http://seclists.org/oss-sec/2010/q2/76

168190df-3e9a-11dd-87bc-000ea69a5213: fetchmail -- potential crash in -v -v verbose mode

Matthias Andree reports:

Gunter Nau reported fetchmail crashing on some messages; further debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic dug up that this happened when fetchmail was trying to print, in -v -v verbose level, headers exceeding 2048 bytes. In this situation, fetchmail would resize the buffer and fill in further parts of the message, but forget to reinitialize its va_list typed source pointer, thus reading data from a garbage address found on the stack at addresses above the function arguments the caller passed in; usually that would be the caller's stack frame.


Discovery 2008-06-13
Entry 2008-06-20
fetchmail
< 6.3.8_6

CVE-2008-2711
http://www.fetchmail.info/fetchmail-SA-2008-01.txt

18ce9a90-f269-11e1-be53-080027ef73ec: fetchmail -- chosen plaintext attack against SSL CBC initialization vectors

Matthias Andree reports:

Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case.

Stream ciphers (such as RC4) are unaffected.

Credits to Apple Product Security for reporting this.


Discovery 2012-01-19
Entry 2012-08-30
fetchmail
ge 6.3.9 lt 6.3.22

CVE-2011-3389

1d6410e8-06c1-11ec-a35d-03ca114d16d6: fetchmail -- STARTTLS bypass vulnerabilities

Problem:

In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation.


Discovery 2021-08-10
Entry 2021-08-26
fetchmail
< 6.4.22.r1

CVE-2021-39272
https://www.fetchmail.info/fetchmail-SA-2021-02.txt

1e8e63c0-478a-11dd-a88d-000ea69a5213: fetchmail -- potential crash in -v -v verbose mode (revised patch)

Matthias Andree reports:

2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel)


Discovery 2008-06-24
Entry 2008-07-01
fetchmail
< 6.3.8_7

CVE-2008-2711
http://www.fetchmail.info/fetchmail-SA-2008-01.txt

2a6a966f-1774-11df-b5c1-0026189baca3: fetchmail -- heap overflow on verbose X.509 display

Matthias Andree reports:

In verbose mode, fetchmail prints X.509 certificate subject and issuer information to the user, and counts and allocates a malloc() buffer for that purpose.

If the material to be displayed contains characters with high bit set and the platform treats the "char" type as signed, this can cause a heap buffer overrun because non-printing characters are escaped as \xFF..FFnn, where nn is 80..FF in hex.


Discovery 2010-02-04
Entry 2010-02-12
fetchmail
ge 6.3.11 lt 6.3.14

38088
CVE-2010-0562
http://www.fetchmail.info/fetchmail-SA-2010-01.txt
https://lists.berlios.de/pipermail/fetchmail-announce/2010-February/000073.html

3497d7be-2fef-45f4-8162-9063751b573a: fetchmail -- remote root/code injection from malicious POP3 server

fetchmail's POP3/UIDL code does not truncate received UIDs properly. A malicious or compromised POP3 server can thus corrupt fetchmail's stack and inject code when fetchmail is using UIDL, either through configuration, or as a result of certain server capabilities. Note that fetchmail is run as root on some sites, so an attack might compromise the root account and thus the whole machine.


Discovery 2005-07-20
Entry 2005-07-20
Modified 2005-07-21
fetchmail
< 6.2.5.1

CVE-2005-2335
ports/83805
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
http://www.fetchmail.info/fetchmail-SA-2005-01.txt

37e30313-9d8c-11db-858b-0060084a00e5: fetchmail -- crashes when refusing a message bound for an MDA

Matthias Andree reports:

When delivering messages to a message delivery agent by means of the "mda" option, fetchmail can crash (by passing a NULL pointer to ferror() and fflush()) when refusing a message. SMTP and LMTP delivery modes aren't affected.


Discovery 2007-01-04
Entry 2007-01-06
fetchmail
ge 6.3.5 lt 6.3.6

CVE-2006-5974
http://www.fetchmail.info/fetchmail-SA-2006-03.txt

3f4ac724-fa8b-11d9-afcf-0060084a00e5: fetchmail -- denial of service/crash from malicious POP3 server

In fetchmail 6.2.5.1, the remote code injection via POP3 UIDL was fixed, but a denial of service attack was introduced:

Two possible NULL-pointer dereferences allow a malicious POP3 server to crash fetchmail by responding with UID lines containing only the article number but no UID (in violation of RFC-1939), or a message without Message-ID when no UIDL support is available.


Discovery 2005-07-21
Entry 2005-07-22
fetchmail
eq 6.2.5.1

http://lists.berlios.de/pipermail/fetchmail-devel/2005-July/000397.html
http://www.fetchmail.info/fetchmail-SA-2005-01.txt

45500f74-5947-11dc-87c1-000e2e5785ad: fetchmail -- denial of service on reject of local warning message

Matthias Andree reports:

fetchmail will generate warning messages in certain circumstances (for instance, when leaving oversized messages on the server or login to the upstream fails) and send them to the local postmaster or the user running it.

If this warning message is then refused by the SMTP listener that fetchmail is forwarding the message to, fetchmail crashes and does not collect further messages until it is restarted.


Discovery 2007-07-29
Entry 2007-09-02
fetchmail
ge 4.6.8 lt 6.3.8_4

CVE-2007-4565
http://www.fetchmail.info/fetchmail-SA-2007-02.txt

5179d85c-8683-11de-91b9-0022157515b2: fetchmail -- improper SSL certificate subject verification

Matthias Andree reports:

Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates.

Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\0www.bad.example.com would be mistaken as a certificate name for www.good.example. fetchmail also had this design and implementation flaw.


Discovery 2009-08-06
Entry 2009-08-11
Modified 2009-08-13
fetchmail
< 6.3.11

CVE-2009-2666
http://www.fetchmail.info/fetchmail-SA-2009-01.txt

5238ac45-9d8c-11db-858b-0060084a00e5: fetchmail -- TLS enforcement problem/MITM attack/password exposure

Matthias Andree reports:

Fetchmail has had several longstanding password disclosure vulnerabilities.

  • sslcertck/sslfingerprint options should have implied "sslproto tls1" in order to enforce TLS negotiation, but did not.
  • Even with "sslproto tls1" in the config, fetches would go ahead in plain text if STLS/STARTTLS wasn't available (not advertised, or advertised but rejected).
  • POP3 fetches could completely ignore all TLS options whether available or not because it didn't reliably issue CAPA before checking for STLS support - but CAPA is a requisite for STLS. Whether or not CAPAbilities were probed, depended on the "auth" option. (Fetchmail only tried CAPA if the auth option was not set at all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)
  • POP3 could fall back to using plain text passwords, even if strong authentication had been configured.
  • POP2 would not complain if strong authentication or TLS had been requested.

Discovery 2007-01-04
Entry 2007-01-06
fetchmail
< 6.3.6

CVE-2006-5867
http://www.fetchmail.info/fetchmail-SA-2006-02.txt

83f9e943-e664-11e1-a66d-080027ef73ec: fetchmail -- two vulnerabilities in NTLM authentication

Matthias Andree reports:

With NTLM support enabled, fetchmail might mistake a server-side error message during NTLM protocol exchange for protocol data, leading to a SIGSEGV.

Also, with a carefully crafted NTLM challenge, a malicious server might cause fetchmail to read from a bad memory location, betraying confidential data. It is deemed hard, although not impossible, to steal other accounts' data.


Discovery 2012-08-12
Entry 2012-08-14
Modified 2012-08-27
fetchmail
ge 5.0.8 lt 6.3.21_1

CVE-2012-3482

ac4b9d18-67a9-11d8-80e3-0020ed76ef5a: fetchmail -- denial-of-service vulnerability

Dave Jones discovered a denial-of-service vulnerability in fetchmail. An email message containing a very long line could cause fetchmail to segfault due to missing NUL termination in transact.c.

Eric Raymond decided not to mention this issue in the release notes for fetchmail 6.2.5, but it was fixed there.


Discovery 2003-10-16
Entry 2004-02-25
Modified 2012-09-04
fetchmail
< 6.2.5

CVE-2003-0792
8843
http://xforce.iss.net/xforce/xfdb/13450
http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/fetchmail/patches/Attic/patch-rfc822_c?rev=1.1

af0296be-2455-11d8-82e5-0020ed76ef5a: fetchmail -- address parsing vulnerability

Fetchmail can be crashed by a malicious email message.


Discovery 2003-10-25
Entry 2003-10-25
Modified 2012-09-04
fetchmail
le 6.2.0

http://security.e-matters.de/advisories/052002.html

baf74e0b-497a-11da-a4f4-0060084a00e5: fetchmail -- fetchmailconf local password exposure

The fetchmail team reports:

The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed the mode to 0600 (rw-------). Writing the file, which usually contains passwords, before making it unreadable to other users, can expose sensitive password information.


Discovery 2005-10-21
Entry 2005-10-30
fetchmail
< 6.2.5.2_1

CVE-2005-3088
http://www.fetchmail.info/fetchmail-SA-2005-02.txt

cbfd1874-efea-11eb-8fe9-036bd763ff35: fetchmail -- 6.4.19 and older denial of service or information disclosure

Matthias Andree reports:

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.


Discovery 2021-07-07
Entry 2021-07-28
Modified 2021-08-03
fetchmail
< 6.3.9

ge 6.3.17 lt 6.4.20

CVE-2021-36386
CVE-2008-2711
https://sourceforge.net/p/fetchmail/mailman/message/37327392/

f11d3b22-88c6-11da-a7b2-0060084a00e5: fetchmail -- crash when bouncing a message

Matthias Andree reports:

Fetchmail contains a bug that causes itself to crash when bouncing a message to the originator or to the local postmaster. The crash happens after the bounce message has been sent, when fetchmail tries to free the dynamic array of failed addresses, and calls the free() function with an invalid pointer.


Discovery 2006-01-22
Entry 2006-01-23
fetchmail
ge 6.3.0 lt 6.3.2

CVE-2006-0321
http://www.fetchmail.info/fetchmail-SA-2006-01.txt
http://bugs.debian.org/348747

f1c4d133-e6d3-11db-99ea-0060084a00e5: fetchmail -- insecure APOP authentication

Matthias Andree reports:

The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP" which no longer should be considered secure.

Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and accepted random garbage as a POP3 server's APOP challenge. This made it easier than necessary for man-in-the-middle attackers to retrieve by several probing and guessing the first three characters of the APOP secret, bringing brute forcing the remaining characters well within reach.


Discovery 2007-04-06
Entry 2007-04-09
fetchmail
< 6.3.8

CVE-2007-1558
http://www.fetchmail.info/fetchmail-SA-2007-01.txt

f7d838f2-9039-11e0-a051-080027ef73ec: fetchmail -- STARTTLS denial of service

Matthias Andree reports:

Fetchmail version 5.9.9 introduced STLS support for POP3, version 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive mode, fetchmail hangs in excess of one week after sending STARTTLS were observed if the connection failed without notifying the operating system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail in this protocol state, and thus render fetchmail unable to complete the poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so can be used as a workaround.


Discovery 2011-04-28
Entry 2011-06-06
fetchmail
< 6.3.20

CVE-2011-1947
http://www.fetchmail.info/fetchmail-SA-2011-01.txt
https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314

f7eb0b23-7099-11da-a15c-0060084a00e5: fetchmail -- null pointer dereference in multidrop mode with headerless email

The fetchmail team reports:

Fetchmail contains a bug that causes an application crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. As fetchmail does not record this message as "previously fetched", it will crash with the same message if it is re-executed, so it cannot make progress. A malicious or broken-into upstream server could thus cause a denial of service in fetchmail clients.


Discovery 2005-12-19
Entry 2005-12-19
fetchmail
< 6.3.1

CVE-2005-4348
http://www.fetchmail.info/fetchmail-SA-2005-03.txt
http://article.gmane.org/gmane.mail.fetchmail.user/7573
http://bugs.debian.org/343836