FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
1d6410e8-06c1-11ec-a35d-03ca114d16d6fetchmail -- STARTTLS bypass vulnerabilities

Problem:

In certain circumstances, fetchmail 6.4.21 and older would not encrypt the session using STARTTLS/STLS, and might not have cleared session state across the TLS negotiation.


Discovery 2021-08-10
Entry 2021-08-26
fetchmail
< 6.4.22.r1

CVE-2021-39272
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
cbfd1874-efea-11eb-8fe9-036bd763ff35fetchmail -- 6.4.19 and older denial of service or information disclosure

Matthias Andree reports:

When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation.


Discovery 2021-07-07
Entry 2021-07-28
Modified 2021-08-03
fetchmail
< 6.3.9

ge 6.3.17 lt 6.4.20

CVE-2021-36386
CVE-2008-2711
https://sourceforge.net/p/fetchmail/mailman/message/37327392/
18ce9a90-f269-11e1-be53-080027ef73ecfetchmail -- chosen plaintext attack against SSL CBC initialization vectors

Matthias Andree reports:

Fetchmail version 6.3.9 enabled "all SSL workarounds" (SSL_OP_ALL) which contains a switch to disable a countermeasure against certain attacks against block ciphers that permit guessing the initialization vectors, providing that an attacker can make the application (fetchmail) encrypt some data for him -- which is not easily the case.

Stream ciphers (such as RC4) are unaffected.

Credits to Apple Product Security for reporting this.


Discovery 2012-01-19
Entry 2012-08-30
fetchmail
ge 6.3.9 lt 6.3.22

CVE-2011-3389
83f9e943-e664-11e1-a66d-080027ef73ecfetchmail -- two vulnerabilities in NTLM authentication

Matthias Andree reports:

With NTLM support enabled, fetchmail might mistake a server-side error message during NTLM protocol exchange for protocol data, leading to a SIGSEGV.

Also, with a carefully crafted NTLM challenge, a malicious server might cause fetchmail to read from a bad memory location, betraying confidential data. It is deemed hard, although not impossible, to steal other accounts' data.


Discovery 2012-08-12
Entry 2012-08-14
Modified 2012-08-27
fetchmail
ge 5.0.8 lt 6.3.21_1

CVE-2012-3482