ID: CVE-2005-4348 | Type: cve | Reporter: NVD | Modified: 2017-10-10T21:30:30
Description
fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.
{"result": {"debian": [{"id": "DSA-939", "type": "debian", "title": "fetchmail -- programming error", "description": "Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.\n\nThe old stable distribution (woody) does not seem to be affected by this problem.\n\nFor the stable distribution (sarge) this problem has been fixed in version 6.2.5-12sarge4.\n\nFor the unstable distribution (sid) this problem has been fixed in version 6.3.1-1.\n\nWe recommend that you upgrade your fetchmail package.", "published": "2006-01-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-939", "cvelist": ["CVE-2005-4348"], "lastseen": "2016-09-02T18:20:07"}], "nessus": [{"id": "UBUNTU_USN-233-1.NASL", "type": "nessus", "title": "Ubuntu 4.10 / 5.04 / 5.10 : fetchmail vulnerability (USN-233-1)", "description": "Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in 'multidrop' mode, a malicious email server could cause a crash by sending an email without any headers.\nSince fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2006-01-21T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20777", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-10-29T13:41:04"}, {"id": "MANDRAKE_MDKSA-2005-236.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : fetchmail (MDKSA-2005:236)", "description": "Fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a DoS (application crash) by sending messages without headers from upstream mail servers.\n\nThe updated packages have been patched to correct this problem.", "published": "2006-01-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20467", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-10-29T13:46:06"}, {"id": "DEBIAN_DSA-939.NASL", "type": "nessus", "title": "Debian DSA-939-1 : fetchmail - programming error", "description": "Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.\n\nThe old stable distribution (woody) does not seem to be affected by this problem.", "published": "2006-10-14T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22805", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-10-29T13:36:58"}, {"id": "FREEBSD_PKG_F7EB0B23709911DAA15C0060084A00E5.NASL", "type": "nessus", "title": "FreeBSD : fetchmail -- NULL pointer dereference in multidrop mode with headerless email (f7eb0b23-7099-11da-a15c-0060084a00e5)", "description": "The 
fetchmail team reports :\n\nFetchmail contains a bug that causes an application crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. As fetchmail does not record this message as 'previously fetched', it will crash with the same message if it is re-executed, so it cannot make progress. A malicious or broken-into upstream server could thus cause a denial of service in fetchmail clients.", "published": "2006-05-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=21541", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-10-29T13:43:57"}, {"id": "REDHAT-RHSA-2007-0018.NASL", "type": "nessus", "title": "RHEL 2.1 / 3 / 4 : fetchmail (RHSA-2007:0018)", "description": "Updated fetchmail packages that fix two security issues are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nFetchmail is a remote mail retrieval and forwarding utility.\n\nA denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\n\nA flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). 
This update corrects this issue by enforcing TLS encryption when the 'sslproto' configuration directive is set to 'tls1'.\n\nUsers of Fetchmail should update to these packages, which contain backported patches to correct these issues.\n\nNote: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the 'sslproto' directive is set to 'tls1'. If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update.", "published": "2007-02-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24316", "cvelist": ["CVE-2006-5867", "CVE-2005-4348"], "lastseen": "2017-10-29T13:41:28"}, {"id": "ORACLELINUX_ELSA-2007-0018.NASL", "type": "nessus", "title": "Oracle Linux 3 / 4 : fetchmail (ELSA-2007-0018)", "description": "From Red Hat Security Advisory 2007:0018 :\n\nUpdated fetchmail packages that fix two security issues are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nFetchmail is a remote mail retrieval and forwarding utility.\n\nA denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\n\nA flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). 
This update corrects this issue by enforcing TLS encryption when the 'sslproto' configuration directive is set to 'tls1'.\n\nUsers of Fetchmail should update to these packages, which contain backported patches to correct these issues.\n\nNote: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the 'sslproto' directive is set to 'tls1'. If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update.", "published": "2013-07-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67440", "cvelist": ["CVE-2006-5867", "CVE-2005-4348"], "lastseen": "2017-10-29T13:34:07"}, {"id": "CENTOS_RHSA-2007-0018.NASL", "type": "nessus", "title": "CentOS 3 / 4 : fetchmail (CESA-2007:0018)", "description": "Updated fetchmail packages that fix two security issues are now available.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nFetchmail is a remote mail retrieval and forwarding utility.\n\nA denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\n\nA flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). 
This update corrects this issue by enforcing TLS encryption when the 'sslproto' configuration directive is set to 'tls1'.\n\nUsers of Fetchmail should update to these packages, which contain backported patches to correct these issues.\n\nNote: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the 'sslproto' directive is set to 'tls1'. If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update.", "published": "2007-02-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24286", "cvelist": ["CVE-2006-5867", "CVE-2005-4348"], "lastseen": "2017-10-29T13:43:55"}, {"id": "SUSE_FETCHMAIL-2602.NASL", "type": "nessus", "title": "openSUSE 10 Security Update : fetchmail (fetchmail-2602)", "description": "Three security issues have been fixed in fetchmail :\n\nCVE-2005-4348: fetchmail when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.\n\nCVE-2006-5867: fetchmail did not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks.\n\nCVE-2006-5974: fetchmail when refusing a message delivered via the mda option, allowed remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the ferror or fflush functions.", "published": "2007-10-17T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=27213", "cvelist": 
["CVE-2006-5867", "CVE-2005-4348", "CVE-2006-5974"], "lastseen": "2017-10-29T13:38:36"}, {"id": "SUSE_FETCHMAIL-2608.NASL", "type": "nessus", "title": "SuSE 10 Security Update : fetchmail (ZYPP Patch Number 2608)", "description": "Three security issues have been fixed in fetchmail :\n\n - fetchmail when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. (CVE-2005-4348)\n\n - fetchmail did not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. (CVE-2006-5867)\n\n - fetchmail when refusing a message delivered via the mda option, allowed remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the ferror or fflush functions. (CVE-2006-5974)", "published": "2007-12-13T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=29425", "cvelist": ["CVE-2006-5867", "CVE-2005-4348", "CVE-2006-5974"], "lastseen": "2017-10-29T13:39:34"}, {"id": "SLACKWARE_SSA_2006-045-01.NASL", "type": "nessus", "title": "Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : fetchmail (SSA:2006-045-01)", "description": "New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.", "published": "2006-02-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=20912", "cvelist": ["CVE-2006-0321", "CVE-2005-3088", "CVE-2005-4348"], "lastseen": "2017-10-29T13:41:36"}], "osvdb": [{"id": "OSVDB:21906", "type": "osvdb", "title": "Fetchmail Multidrop Mode Headerless Message 
Remote DoS", "description": "## Vulnerability Description\nFetchmail contains a flaw that may allow a remote denial of service. The issue is triggered when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers, and will result in a loss of availability for the application.\n## Solution Description\nUpgrade to version 6.2.5.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nFetchmail contains a flaw that may allow a remote denial of service. The issue is triggered when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers, and will result in a loss of availability for the application.\n## References:\n[Vendor Specific Advisory URL](http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=304063)\n[Vendor Specific Advisory URL](http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.443499)\nSecurity Tracker: 1015383\n[Secunia Advisory ID:18433](https://secuniaresearch.flexerasoftware.com/advisories/18433/)\n[Secunia Advisory ID:24007](https://secuniaresearch.flexerasoftware.com/advisories/24007/)\n[Secunia Advisory ID:24284](https://secuniaresearch.flexerasoftware.com/advisories/24284/)\n[Secunia Advisory ID:24506](https://secuniaresearch.flexerasoftware.com/advisories/24506/)\n[Secunia Advisory ID:17891](https://secuniaresearch.flexerasoftware.com/advisories/17891/)\n[Secunia Advisory ID:18231](https://secuniaresearch.flexerasoftware.com/advisories/18231/)\n[Secunia Advisory ID:18463](https://secuniaresearch.flexerasoftware.com/advisories/18463/)\n[Secunia Advisory ID:18895](https://secuniaresearch.flexerasoftware.com/advisories/18895/)\n[Secunia Advisory ID:18172](https://secuniaresearch.flexerasoftware.com/advisories/18172/)\n[Secunia Advisory 
ID:21253](https://secuniaresearch.flexerasoftware.com/advisories/21253/)\n[Secunia Advisory ID:18266](https://secuniaresearch.flexerasoftware.com/advisories/18266/)\nRedHat RHSA: RHSA-2007:0018\nOther Advisory URL: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt\nOther Advisory URL: http://www.debian.org/security/2006/dsa-939\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20070201-01-P.asc\nOther Advisory URL: http://www.ubuntulinux.org/usn/usn-233-1\nOther Advisory URL: http://www.trustix.org/errata/2006/0002/\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0005.html\nOther Advisory URL: http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2005:236\nMail List Post: http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0077.html\n[CVE-2005-4348](https://vulners.com/cve/CVE-2005-4348)\n", "published": "2005-12-19T02:41:10", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:21906", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-04-28T13:20:18"}], "ubuntu": [{"id": "USN-233-1", "type": "ubuntu", "title": "fetchmail vulnerability", "description": "Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in \u2018multidrop\u2019 mode, a malicious email server could cause a crash by sending an email without any headers. 
Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.", "published": "2006-01-03T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/233-1/", "cvelist": ["CVE-2005-4348"], "lastseen": "2018-03-29T18:17:19"}], "openvas": [{"id": "OPENVAS:56144", "type": "openvas", "title": "Debian Security Advisory DSA 939-1 (fetchmail)", "description": "The remote host is missing an update to fetchmail\nannounced via advisory DSA 939-1.\n\nDaniel Drake discovered a problem in fetchmail, an SSL enabled POP3,\nAPOP, IMAP mail gatherer/forwarder, that can cause a crash when the\nprogram is running in multidrop mode and receives messages without\nheaders.\n\nThe old stable distribution (woody) does not seem to be affected by\nthis problem.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=56144", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-07-24T12:50:00"}, {"id": "OPENVAS:56050", "type": "openvas", "title": "FreeBSD Ports: fetchmail", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=56050", "cvelist": ["CVE-2005-4348"], "lastseen": "2017-07-02T21:10:09"}, {"id": "OPENVAS:65178", "type": "openvas", "title": "SLES9: Security update for fetchmail", "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n fetchmail\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012567 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=65178", "cvelist": ["CVE-2006-5867", "CVE-2005-4348", "CVE-2006-5974"], "lastseen": "2017-07-26T08:55:51"}, {"id": "OPENVAS:136141256231065178", "type": "openvas", "title": "SLES9: Security update for fetchmail", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n fetchmail\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012567 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "published": "2009-10-10T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065178", "cvelist": ["CVE-2006-5867", "CVE-2005-4348", "CVE-2006-5974"], "lastseen": "2018-04-06T11:39:09"}, {"id": "OPENVAS:136141256231056288", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-01 fetchmail", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-045-01.", "published": "2012-09-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231056288", "cvelist": ["CVE-2006-0321", "CVE-2005-3088", "CVE-2005-4348"], "lastseen": "2018-04-06T11:18:00"}, {"id": "OPENVAS:56288", "type": "openvas", "title": "Slackware Advisory SSA:2006-045-01 
fetchmail", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-045-01.", "published": "2012-09-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=56288", "cvelist": ["CVE-2006-0321", "CVE-2005-3088", "CVE-2005-4348"], "lastseen": "2017-07-24T12:50:44"}], "freebsd": [{"id": "F7EB0B23-7099-11DA-A15C-0060084A00E5", "type": "freebsd", "title": "fetchmail -- null pointer dereference in multidrop mode with headerless email", "description": "\nThe fetchmail team reports:\n\nFetchmail contains a bug that causes an application crash\n\t when fetchmail is configured for multidrop mode and the\n\t upstream mail server sends a message without headers. As\n\t fetchmail does not record this message as \"previously fetched\",\n\t it will crash with the same message if it is re-executed, so it\n\t cannot make progress. A malicious or broken-into upstream server\n\t could thus cause a denial of service in fetchmail clients.\n\n", "published": "2005-12-19T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/f7eb0b23-7099-11da-a15c-0060084a00e5.html", "cvelist": ["CVE-2005-4348"], "lastseen": "2016-09-26T17:25:09"}], "centos": [{"id": "CESA-2007:0018", "type": "centos", "title": "fetchmail security update", "description": "**CentOS Errata and Security Advisory** CESA-2007:0018\n\n\nFetchmail is a remote mail retrieval and forwarding utility.\r\n\r\nA denial of service flaw was found when Fetchmail was run in multidrop\r\nmode. A malicious mail server could send a message without headers which\r\nwould cause Fetchmail to crash (CVE-2005-4348). This issue did not affect\r\nthe version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\r\n\r\nA flaw was found in the way Fetchmail used TLS encryption to connect to\r\nremote hosts. 
Fetchmail provided no way to enforce the use of TLS\r\nencryption and would not authenticate POP3 protocol connections properly\r\n(CVE-2006-5867). This update corrects this issue by enforcing TLS\r\nencryption when the \"sslproto\" configuration directive is set to \"tls1\". \r\n\r\nUsers of Fetchmail should update to these packages, which contain \r\nbackported patches to correct these issues.\r\n\r\nNote: This update may break configurations which assumed that Fetchmail\r\nwould use plain-text authentication if TLS encryption is not supported by\r\nthe POP3 server even if the \"sslproto\" directive is set to \"tls1\". If you\r\nare using a custom configuration that depended on this behavior you will\r\nneed to modify your configuration appropriately after installing this update.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-February/013496.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-February/013498.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-February/013499.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013489.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013490.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013491.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013492.html\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013493.html\n\n**Affected packages:**\nfetchmail\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2007-0018.html", "published": "2007-01-31T18:34:21", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2007-January/013489.html", "cvelist": ["CVE-2006-5867", "CVE-2005-4348"], "lastseen": "2017-10-03T18:25:07"}, {"id": "CESA-2007:0018-01", "type": "centos", "title": "fetchmail, fetchmailconf security update", "description": "**CentOS Errata and 
Security Advisory** CESA-2007:0018-01\n\n\nFetchmail is a remote mail retrieval and forwarding utility.\r\n\r\nA denial of service flaw was found when Fetchmail was run in multidrop\r\nmode. A malicious mail server could send a message without headers which\r\nwould cause Fetchmail to crash (CVE-2005-4348). This issue did not affect\r\nthe version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\r\n\r\nA flaw was found in the way Fetchmail used TLS encryption to connect to\r\nremote hosts. Fetchmail provided no way to enforce the use of TLS\r\nencryption and would not authenticate POP3 protocol connections properly\r\n(CVE-2006-5867). This update corrects this issue by enforcing TLS\r\nencryption when the \"sslproto\" configuration directive is set to \"tls1\". \r\n\r\nUsers of Fetchmail should update to these packages, which contain \r\nbackported patches to correct these issues.\r\n\r\nNote: This update may break configurations which assumed that Fetchmail\r\nwould use plain-text authentication if TLS encryption is not supported by\r\nthe POP3 server even if the \"sslproto\" directive is set to \"tls1\". 
If you\r\nare using a custom configuration that depended on this behavior you will\r\nneed to modify your configuration appropriately after installing this update.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2007-January/013495.html\n\n**Affected packages:**\nfetchmail\nfetchmailconf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "published": "2007-01-31T22:51:28", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2007-January/013495.html", "cvelist": ["CVE-2006-5867", "CVE-2005-4348"], "lastseen": "2017-10-03T18:25:55"}], "redhat": [{"id": "RHSA-2007:0018", "type": "redhat", "title": "(RHSA-2007:0018) Moderate: fetchmail security update", "description": "Fetchmail is a remote mail retrieval and forwarding utility.\r\n\r\nA denial of service flaw was found when Fetchmail was run in multidrop\r\nmode. A malicious mail server could send a message without headers which\r\nwould cause Fetchmail to crash (CVE-2005-4348). This issue did not affect\r\nthe version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.\r\n\r\nA flaw was found in the way Fetchmail used TLS encryption to connect to\r\nremote hosts. Fetchmail provided no way to enforce the use of TLS\r\nencryption and would not authenticate POP3 protocol connections properly\r\n(CVE-2006-5867). This update corrects this issue by enforcing TLS\r\nencryption when the \"sslproto\" configuration directive is set to \"tls1\". \r\n\r\nUsers of Fetchmail should update to these packages, which contain \r\nbackported patches to correct these issues.\r\n\r\nNote: This update may break configurations which assumed that Fetchmail\r\nwould use plain-text authentication if TLS encryption is not supported by\r\nthe POP3 server even if the \"sslproto\" directive is set to \"tls1\". 
If you\r\nare using a custom configuration that depended on this behavior you will\r\nneed to modify your configuration appropriately after installing this update.", "published": "2007-01-31T05:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2007:0018", "cvelist": ["CVE-2005-4348", "CVE-2006-5867"], "lastseen": "2018-03-14T15:43:44"}], "slackware": [{"id": "SSA-2006-045-01", "type": "slackware", "title": "fetchmail", "description": "New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix security issues.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/fetchmail-6.3.2-i486-1.tgz: Upgraded to fetchmail-6.3.2.\n Presumably this replaces all the known security problems with\n a batch of new unknown ones. 
(fetchmail is improving, really ;-)\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3088\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4348\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0321\n (* Security fix *)\n\nWhere to find the new packages:\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/fetchmail-6.3.2-i386-1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/fetchmail-6.3.2-i386-1.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/fetchmail-6.3.2-i486-1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/fetchmail-6.3.2-i486-1.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/fetchmail-6.3.2-i486-1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/fetchmail-6.3.2-i486-1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/fetchmail-6.3.2-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\n51c338a1fc1dc25c3e23a02036ceb183 fetchmail-6.3.2-i386-1.tgz\n\nSlackware 9.0 package:\n6cf66d2b3e663ca13708945485b3ee60 fetchmail-6.3.2-i386-1.tgz\n\nSlackware 9.1 package:\n7d35c3233ae47524f868a7df5d06e909 fetchmail-6.3.2-i486-1.tgz\n\nSlackware 10.0 package:\n1e93e387406f3d57c9a76969f90d0d45 fetchmail-6.3.2-i486-1.tgz\n\nSlackware 10.1 package:\na2fb5c20ed4a91f4b9e6eaa9f1120a51 fetchmail-6.3.2-i486-1.tgz\n\nSlackware 10.2 package:\n6c14da4b4eefc2651c35ebeefc3b0357 fetchmail-6.3.2-i486-1.tgz\n\nSlackware -current package:\n8d49d3e6985c78831a37f3c4b8d51279 fetchmail-6.3.2-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg 
fetchmail-6.3.2-i486-1.tgz", "published": "2006-02-14T16:26:01", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.443499", "cvelist": ["CVE-2006-0321", "CVE-2005-3088", "CVE-2005-4348"], "lastseen": "2018-02-02T18:11:29"}], "oraclelinux": [{"id": "ELSA-2007-0018", "type": "oraclelinux", "title": "Moderate: fetchmail security update ", "description": " [6.2.5-6.el4.5]\n \n - Fix a KPOP support regression\n Related: #221985 #223661\n \n [6.2.5-6.el4.4]\n \n - Fix V2,V3,V4 of CAN-2006-5867\n Resolves: #221985\n \n [6.2.5-6.el4.3]\n \n - Fix CAN-2005-4348 (#176266)\n - Add BuildRequires: gettext-devel (#164351)\n \n [6.2.5-6.el4.1]\n \n - Fix CAN-2005-2335 (#163816, patch by Ludwig Nussel) ", "published": "2007-02-01T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2007-0018.html", "cvelist": ["CVE-2006-5867", "CVE-2005-4348", "CVE-2005-2335"], "lastseen": "2017-06-22T16:17:58"}]}}