FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
18ce9a90-f269-11e1-be53-080027ef73ecfetchmail -- chosen plaintext attack against SSL CBC initialization vectors

Matthias Andree reports:

Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case.

Stream ciphers (such as RC4) are unaffected.

Credits to Apple Product Security for reporting this.


Discovery 2012-01-19
Entry 2012-08-30
fetchmail
ge 6.3.9 lt 6.3.22

CVE-2011-3389
1d6410e8-06c1-11ec-a35d-03ca114d16d6fetchmail -- STARTTLS bypass vulnerabilities

Problem:

In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation.


Discovery 2021-08-10
Entry 2021-08-26
fetchmail
< 6.4.22.r1

CVE-2021-39272
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
83f9e943-e664-11e1-a66d-080027ef73ecfetchmail -- two vulnerabilities in NTLM authentication

Matthias Andree reports:

With NTLM support enabled, fetchmail might mistake a server-side error message during NTLM protocol exchange for protocol data, leading to a SIGSEGV.

Also, with a carefully crafted NTLM challenge, a malicious server might cause fetchmail to read from a bad memory location, betraying confidential data. It is deemed hard, although not impossible, to steal other accounts' data.


Discovery 2012-08-12
Entry 2012-08-14
Modified 2012-08-27
fetchmail
ge 5.0.8 lt 6.3.21_1

CVE-2012-3482
f7d838f2-9039-11e0-a051-080027ef73ecfetchmail -- STARTTLS denial of service

Matthias Andree reports:

Fetchmail version 5.9.9 introduced STLS support for POP3, version 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive mode, fetchmail hangs in excess of one week after sending STARTTLS were observed if the connection failed without notifying the operating system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail in this protocol state, and thus render fetchmail unable to complete the poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so can be used as a workaround.


Discovery 2011-04-28
Entry 2011-06-06
fetchmail
< 6.3.20

CVE-2011-1947
http://www.fetchmail.info/fetchmail-SA-2011-01.txt
https://gitorious.org/fetchmail/fetchmail/commit/7dc67b8cf06f74aa57525279940e180c99701314
cbfd1874-efea-11eb-8fe9-036bd763ff35fetchmail -- 6.4.19 and older denial of service or information disclosure

Matthias Andree reports:

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.


Discovery 2021-07-07
Entry 2021-07-28
Modified 2021-08-03
fetchmail
< 6.3.9

ge 6.3.17 lt 6.4.20

CVE-2021-36386
CVE-2008-2711
https://sourceforge.net/p/fetchmail/mailman/message/37327392/