17 results (0.005 seconds)

CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0

CVE-2021-39272 – fetchmail: STARTTLS session encryption bypassing

https://notcve.org/view.php?id=CVE-2021-39272

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. Fetchmail versiones anteriores a 6.4.22, no puede aplicar el cifrado de sesión STARTTLS en determinadas circunstancias, como una situación con IMAP y PREAUTH. • http://www.openwall.com/lists/oss-security/2021/08/27/3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA https://nostarttls.secvuln.info https://security.gentoo.org/glsa/202209-14 https://www.fetchmail.info • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-36386 – fetchmail: DoS or information disclosure when logging long messages

https://notcve.org/view.php?id=CVE-2021-36386

report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user. Una función report_vbuild en el archivo report.c en Fetchmail versiones anteriores a 6.4.20, a veces omite la inicialización del argumento vsnprintf va_list, lo que podría permitir a servidores de correo causar una denegación de servicio o posiblemente tener otro impacto no especificado por medio de largos mensajes de error. NOTA: no está claro si el uso de Fetchmail en cualquier plataforma realista presenta un impacto más allá de un inconveniente para el usuario cliente A flaw was found in fetchmail. The flaw lies in how fetchmail when running in verbose mode using the -v flag tries to log long messages that are created from long headers. • http://www.openwall.com/lists/oss-security/2021/07/28/5 http://www.openwall.com/lists/oss-security/2021/08/09/1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGYO5AHSXTCKA4NQC2Z4H3XMMYNAGC77 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OIXKO6QW3AUHGJVWKJXBCOVBYJUJRBFC https://security.gentoo.org/glsa/202209-14 https://www.fetchmail.info/fetchmail-SA-2021-01.txt https://www.fetchmail.info/security.html https:/ • CWE-665: Improper Initialization CWE-909: Missing Initialization of Resource •

CVSS: 5.8EPSS: 0%CPEs: 93EXPL: 0

CVE-2012-3482

https://notcve.org/view.php?id=CVE-2012-3482

Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. Fetchmail v5.0.8 hasta v6.3.21, cuando se utiliza la autenticación NTLM en modo de depuración, permite a servidores remotos NTLM (1) causar una denegación de servicio (caída y retraso en la entrega de correo entrante) a través de una respuesta NTLM manipulada que desencadena una lectura fuera de limites en el decodificador base64, o (2) obtener información confidencial de la memoria a través de un mensaje tipo NTLM 2 con una estructura Target Name modificada, lo que desencadena una lectura fuera de limites. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/088836.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/088871.html http://seclists.org/oss-sec/2012/q3/230 http://seclists.org/oss-sec/2012/q3/232 http://www.fetchmail.info/fetchmail-SA-2012-02.txt http://www.securityfocus.com/bid/54987 https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail •

CVSS: 4.3EPSS: 1%CPEs: 112EXPL: 0

CVE-2010-1167

https://notcve.org/view.php?id=CVE-2010-1167

fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list. fetchmail v4.6.3 hasta v6.3.16, cuando el modo depuración está activo, no maneja de forma adecuada los caracteres inválidos en un multicaracter locale, lo que permite a atacantes provocar una denegación de servicio (consumo de memoria y caída de aplicación) a través de (1) cabecera de mensaje manipulada o (2) lista POP3 UIDL manipulada. • http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17512 http://www.fetchmail.info/fetchmail-SA-2010-02.txt http://www.mandriva.com/security/advisories?name=MDVSA-2011:107 http://www.securityfocus.com/archive/1/511140/100/0/threaded http://www.securityfocus.com/bid/39556 • CWE-20: Improper Input Validation •

CVSS: 6.4EPSS: 0%CPEs: 117EXPL: 0

CVE-2009-2666 – fetchmail: SSL null terminator bypass

https://notcve.org/view.php?id=CVE-2009-2666

socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. socket.c en fetchmail antes de v6.3.11 no maneja correctamente un caracter '\ 0' en el nombre de dominio en el campo Common Name (CN) de un certificado X.509, lo cual permite a atacacantes hombre-en-el-medio (man-in-the-middle) suplantar servidores SSL a su elección a través de certificados manipulados expedidos por una Autoridad de Certificación (CA) legítima, una cuestión relacionada con CVE-2009-2408. • http://fetchmail.berlios.de/fetchmail-SA-2009-01.txt http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://marc.info/?l=oss-security&m=124949601207156&w=2 http://osvdb.org/56855 http://secunia.com/advisories/36175 http://secunia.com/advisories/36179 http://secunia.com/advisories/36236 http://support.apple.com/kb/HT3937 http://www.debian.org/security/2009/dsa-1852 http://www.mandriva.com/security/advisories?name=MDVSA-2009:201 http://www • CWE-310: Cryptographic Issues •