Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200701-13
HistoryJan 22, 2007 - 12:00 a.m.

Fetchmail: Denial of Service and password disclosure

2007-01-2200:00:00
Gentoo Foundation
security.gentoo.org
20

0.131 Low

EPSS

Percentile

95.5%

JSON

Background

Fetchmail is a remote mail retrieval and forwarding utility.

Description

Neil Hoggarth has discovered that when delivering messages to a message delivery agent by means of the “mda” option, Fetchmail passes a NULL pointer to the ferror() and fflush() functions when refusing a message. Isaac Wilcox has discovered numerous means of plain-text password disclosure due to errors in secure connection establishment.

Impact

An attacker could deliver a message via Fetchmail to a message delivery agent configured to refuse the message, and crash the Fetchmail process. SMTP and LMTP delivery modes are not affected by this vulnerability. An attacker could also perform a Man-in-the-Middle attack, and obtain plain-text authentication credentials of users connecting to a Fetchmail process.

Workaround

There is no known workaround at this time.

Resolution

All fetchmail users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.6"
OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-mail/fetchmail< 6.3.6UNKNOWN

Related

openvas 21
nessus 15
slackware 1
fedora 2
altlinux 1
suse 1
ubuntucve 2
freebsd 2
debiancve 2
securityvulns 2
cve 2
debian 1
ubuntu 1
redhatcve 1
centos 2
redhat 1
oraclelinux 1
openvas
openvas
Fedora Update for fetchmail FEDORA-2007-042
2009-02-27 00:00:00
Slackware: Security Advisory (SSA:2007-024-01)
2012-09-10 00:00:00
Fedora Update for fetchmail FEDORA-2007-042
2009-02-27 00:00:00
nessus
nessus
Slackware 10.0 / 10.1 / 10.2 / 11.0 / 8.1 / 9.0 / 9.1 : fetchmail (SSA:2007-024-01)
2007-02-18 00:00:00
Fedora Core 6 : fetchmail-6.3.6-1.fc6 (2007-042)
2007-01-17 00:00:00
GLSA-200701-13 : Fetchmail: Denial of Service and password disclosure
2007-01-26 00:00:00
slackware
slackware
[slackware-security] fetchmail
2007-01-24 21:10:52
fedora
fedora
[SECURITY] Fedora Core 6 Update: fetchmail-6.3.6-1.fc6
2007-01-16 17:50:52
[SECURITY] Fedora Core 5 Update: fetchmail-6.3.6-1.fc5
2007-01-16 17:50:33
altlinux
altlinux
Security fix for the ALT Linux 6 package fetchmail version 6.3.6-alt1
2007-01-08 00:00:00
suse
suse
local privilege escalation in XFree86-server,xorg-x11-server,xloader
2007-01-12 17:40:25
ubuntucve
ubuntucve
CVE-2006-5974
2006-12-31 00:00:00
CVE-2006-5867
2006-12-31 00:00:00
freebsd
freebsd
fetchmail -- crashes when refusing a message bound for an MDA
2007-01-04 00:00:00
fetchmail -- TLS enforcement problem/MITM attack/password exposure
2007-01-04 00:00:00
debiancve
debiancve
CVE-2006-5974
2006-12-31 05:00:00
CVE-2006-5867
2006-12-31 05:00:00
securityvulns
securityvulns
fetchmail security announcement 2006-02 &#40;CVE-2006-5867&#41;
2007-01-07 00:00:00
fetchmail security announcement 2006-03 &#40;CVE-2006-5974&#41;
2007-01-07 00:00:00
cve
cve
CVE-2006-5867
2006-12-31 05:00:00
CVE-2006-5974
2006-12-31 05:00:00
debian
debian
[SECURITY] [DSA 1259-1] New fetchmail packages fix information disclosure
2007-02-14 00:00:00
ubuntu
ubuntu
fetchmail vulnerability
2007-01-11 00:00:00
redhatcve
redhatcve
CVE-2006-5974
2015-10-30 09:27:09
centos
centos
fetchmail security update
2007-01-31 18:34:21
fetchmail, fetchmailconf security update
2007-01-31 22:51:28
redhat
redhat
(RHSA-2007:0018) Moderate: fetchmail security update
2007-01-31 00:00:00
oraclelinux
oraclelinux
Moderate: fetchmail security update
2007-02-01 00:00:00

0.131 Low

EPSS

Percentile

95.5%

JSON
Related for GLSA-200701-13
openvas21nessus15slackware1fedora2altlinux1suse1ubuntucve2freebsd2debiancve2securityvulns2cve2debian1ubuntu1redhatcve1centos2redhat1oraclelinux1