Summary
Detail | |||
---|---|---|---|
Vendor | Fetchmail | First view | 2001-02-12 |
Product | Fetchmail | Last view | 2021-08-30 |
Version | Type | ||
Update | |||
Edition | |||
Language | |||
Sofware Edition | |||
Target Software | |||
Target Hardware | |||
Other |
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
Related : CVE
Date | Alert | Description | |
---|---|---|---|
5.9 | 2021-08-30 | CVE-2021-39272 | Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. |
7.5 | 2021-07-30 | CVE-2021-36386 | report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user. |
5.8 | 2012-12-21 | CVE-2012-3482 | Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. |
5 | 2011-06-02 | CVE-2011-1947 | fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. |
4.3 | 2010-05-07 | CVE-2010-1167 | fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list. |
6.8 | 2010-02-08 | CVE-2010-0562 | The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping. |
6.4 | 2009-08-07 | CVE-2009-2666 | socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
4.3 | 2008-06-16 | CVE-2008-2711 | fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages. |
5 | 2007-08-27 | CVE-2007-4565 | sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP. |
7.8 | 2006-12-31 | CVE-2006-5974 | fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions. |
7.8 | 2006-12-31 | CVE-2006-5867 | fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks. |
5 | 2006-01-23 | CVE-2006-0321 | fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster. |
7.8 | 2005-12-20 | CVE-2005-4348 | fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers. |
2.1 | 2005-10-27 | CVE-2005-3088 | fetchmailconf before 1.49 in fetchmail 6.2.0, 6.2.5 and 6.2.5.2 creates configuration files with insecure world-readable permissions, which allows local users to obtain sensitive information such as passwords. |
5 | 2005-07-27 | CVE-2005-2335 | Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. |
5 | 2003-11-17 | CVE-2003-0792 | Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email. |
7.5 | 2002-12-23 | CVE-2002-1365 | Heap-based buffer overflow in Fetchmail 6.1.3 and earlier does not account for the "@" character when determining buffer lengths for local addresses, which allows remote attackers to execute arbitrary code via a header with a large number of local addresses. |
5 | 2002-10-11 | CVE-2002-1175 | The getmxrecord function in Fetchmail 6.0.0 and earlier does not properly check the boundary of a particular malformed DNS packet from a malicious DNS server, which allows remote attackers to cause a denial of service (crash) when Fetchmail attempts to read data beyond the expected boundary. |
7.5 | 2002-10-11 | CVE-2002-1174 | Buffer overflows in Fetchmail 6.0.0 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) long headers that are not properly processed by the readheaders function, or (2) via long Received: headers, which are not properly parsed by the parse_received function. |
5 | 2002-06-25 | CVE-2002-0146 | fetchmail email client before 5.9.10 does not properly limit the maximum number of messages available, which allows a remote IMAP server to overwrite memory via a message count that exceeds the boundaries of an array. |
7.5 | 2001-12-06 | CVE-2001-0819 | A buffer overflow in Linux fetchmail before 5.8.6 allows remote attackers to execute arbitrary code via a large 'To:' field in an email header. |
2.1 | 2001-09-06 | CVE-2001-1378 | fetchmailconf in fetchmail before 5.7.4 allows local users to overwrite files of other users via a symlink attack on temporary files. |
10 | 2001-08-31 | CVE-2001-1009 | Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request. |
10 | 2001-02-12 | CVE-2001-0101 | Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE GSSAPI command. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
35% (7) | CWE-20 | Improper Input Validation |
25% (5) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
15% (3) | CWE-399 | Resource Management Errors |
5% (1) | CWE-319 | Cleartext Transmission of Sensitive Information |
5% (1) | CWE-310 | Cryptographic Issues |
5% (1) | CWE-264 | Permissions, Privileges, and Access Controls |
5% (1) | CWE-200 | Information Exposure |
5% (1) | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
CAPEC : Common Attack Pattern Enumeration & Classification
id | Name |
---|---|
CAPEC-100 | Overflow Buffers |
CAPEC-119 | Resource Depletion |
CAPEC-123 | Buffer Attacks |
Oval Markup Language : Definitions
OvalID | Name |
---|---|
oval:org.mitre.oval:def:8833 | Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote ... |
oval:org.mitre.oval:def:1124 | RHE4 Fetchmail Buffer Overflow via Long UIDL Responses |
oval:org.mitre.oval:def:1038 | RHE3 Fetchmail Buffer Overflow via Long UIDL Responses |
oval:org.mitre.oval:def:9659 | fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode... |
oval:org.mitre.oval:def:10566 | fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cle... |
oval:org.mitre.oval:def:20221 | DSA-1377-2 fetchmail - null pointer dereference |
oval:org.mitre.oval:def:17131 | USN-520-1 -- fetchmail vulnerabilities |
oval:org.mitre.oval:def:10528 | sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause ... |
oval:org.mitre.oval:def:10950 | fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows... |
oval:org.mitre.oval:def:13893 | USN-816-1 -- fetchmail vulnerability |
oval:org.mitre.oval:def:11059 | socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character... |
oval:org.mitre.oval:def:22871 | ELSA-2009:1427: fetchmail security update (Moderate) |
oval:org.mitre.oval:def:29379 | RHSA-2009:1427 -- fetchmail security update (Moderate) |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
74824 | fetchmail STARTTLS / STLS Request Acknowledgement Wait Time Limit Remote DoS |
64795 | fetchmail Multi-character Locale Invalid Character Remote DoS |
62114 | fetchmail X.509 Certificate Printing sdump.c sdump() Function Overflow |
56855 | Fetchmail X.509 Certificate Authority (CA) Common Name Null Byte Handling SSL... |
46304 | Fetchmail Large Header Verbose Printing DoS |
45833 | Fetchmail SMTP Warning Message Refusal DoS |
31836 | Fetchmail mda Message Refusal DoS |
31580 | Fetchmail TLS Enforcement Cleartext Credential Disclosure |
22691 | Fetchmail Bounced Message DoS |
21906 | Fetchmail Multidrop Mode Headerless Message Remote DoS |
20267 | Fetchmail fetchmailconf Race Condition Password Disclosure |
18174 | Fetchmail UIDL POP3 Server Response Overflow |
10330 | Fetchmail POP3 Reply Negative Index Privilege Escalation |
10329 | Fetchmail IMAP Server Negative Index Privilege Escalation |
10328 | Fetchmail AUTHENTICATE GSSAPI Command Unspecified Issue |
5537 | Fetchmail Header To: Field Overflow |
5405 | Fetchmail Message Index Arbitrary File Overwrite |
4604 | Fetchmail readheaders Overflow |
4603 | Fetchmail parse_received Command Execution Overflow |
4602 | Fetchmail getmxrecord Overflow DoS |
4595 | Fetchmail IMAP Message Count Overflow |
4594 | Fetchmail @ Character Local Address Saturation Overflow |
2699 | Fetchmail Email Long Line Handling DoS |
OpenVAS Exploits
id | Description |
---|---|
2012-10-03 | Name : Fedora Update for fetchmail FEDORA-2012-14451 File : nvt/gb_fedora_2012_14451_fetchmail_fc17.nasl |
2012-10-03 | Name : Fedora Update for fetchmail FEDORA-2012-14462 File : nvt/gb_fedora_2012_14462_fetchmail_fc16.nasl |
2012-09-10 | Name : Slackware Advisory SSA:2011-171-01 fetchmail File : nvt/esoft_slk_ssa_2011_171_01.nasl |
2012-09-04 | Name : Mandriva Update for fetchmail MDVSA-2012:149 (fetchmail) File : nvt/gb_mandriva_MDVSA_2012_149.nasl |
2012-08-30 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail17.nasl |
2011-08-09 | Name : CentOS Update for fetchmail CESA-2009:1427 centos3 i386 File : nvt/gb_CESA-2009_1427_fetchmail_centos3_i386.nasl |
2011-08-09 | Name : CentOS Update for fetchmail CESA-2009:1427 centos4 i386 File : nvt/gb_CESA-2009_1427_fetchmail_centos4_i386.nasl |
2011-08-09 | Name : CentOS Update for fetchmail CESA-2009:1427 centos5 i386 File : nvt/gb_CESA-2009_1427_fetchmail_centos5_i386.nasl |
2011-08-03 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail15.nasl |
2011-07-12 | Name : Fedora Update for fetchmail FEDORA-2011-8011 File : nvt/gb_fedora_2011_8011_fetchmail_fc15.nasl |
2011-06-24 | Name : Fedora Update for fetchmail FEDORA-2011-8021 File : nvt/gb_fedora_2011_8021_fetchmail_fc14.nasl |
2011-06-24 | Name : Fedora Update for fetchmail FEDORA-2011-8059 File : nvt/gb_fedora_2011_8059_fetchmail_fc13.nasl |
2011-06-10 | Name : Mandriva Update for fetchmail MDVSA-2011:107 (fetchmail) File : nvt/gb_mandriva_MDVSA_2011_107.nasl |
2011-03-09 | Name : Gentoo Security Advisory GLSA 201006-12 (fetchmail) File : nvt/glsa_201006_12.nasl |
2010-05-12 | Name : Mac OS X 10.6.2 Update / Mac OS X Security Update 2009-006 File : nvt/macosx_upd_10_6_2_secupd_2009-006.nasl |
2010-05-12 | Name : Mac OS X Security Update 2009-001 File : nvt/macosx_secupd_2009-001.nasl |
2010-05-04 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail14.nasl |
2010-03-12 | Name : Fedora Update for fetchmail FEDORA-2010-3800 File : nvt/gb_fedora_2010_3800_fetchmail_fc12.nasl |
2010-02-19 | Name : Mandriva Update for fetchmail MDVSA-2010:037 (fetchmail) File : nvt/gb_mandriva_MDVSA_2010_037.nasl |
2010-02-18 | Name : FreeBSD Ports: fetchmail File : nvt/freebsd_fetchmail13.nasl |
2009-12-10 | Name : Mandriva Security Advisory MDVSA-2009:201-1 (fetchmail) File : nvt/mdksa_2009_201_1.nasl |
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-13 | Name : SLES10: Security update for fetchmail File : nvt/sles10_fetchmail.nasl |
2009-10-13 | Name : SLES10: Security update for fetchmail File : nvt/sles10_fetchmail0.nasl |
2009-10-11 | Name : SLES11: Security update for fetchmail File : nvt/sles11_fetchmail.nasl |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2016-03-25 | Name: The remote SUSE host is missing one or more security updates. File: suse_SU-2016-0872-1.nasl - Type: ACT_GATHER_INFO |
2015-01-19 | Name: The remote Solaris system is missing a security patch for third-party software. File: solaris11_fetchmail_20121016.nasl - Type: ACT_GATHER_INFO |
2013-09-04 | Name: The remote Amazon Linux AMI host is missing a security update. File: ala_ALAS-2012-132.nasl - Type: ACT_GATHER_INFO |
2013-07-12 | Name: The remote Oracle Linux host is missing a security update. File: oraclelinux_ELSA-2007-0018.nasl - Type: ACT_GATHER_INFO |
2013-07-12 | Name: The remote Oracle Linux host is missing a security update. File: oraclelinux_ELSA-2009-1427.nasl - Type: ACT_GATHER_INFO |
2013-04-20 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2013-037.nasl - Type: ACT_GATHER_INFO |
2012-10-03 | Name: The remote Fedora host is missing a security update. File: fedora_2012-14451.nasl - Type: ACT_GATHER_INFO |
2012-10-03 | Name: The remote Fedora host is missing a security update. File: fedora_2012-14462.nasl - Type: ACT_GATHER_INFO |
2012-09-06 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2012-149.nasl - Type: ACT_GATHER_INFO |
2012-08-15 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_83f9e943e66411e1a66d080027ef73ec.nasl - Type: ACT_GATHER_INFO |
2012-08-01 | Name: The remote Scientific Linux host is missing a security update. File: sl_20090908_fetchmail_on_SL3_x.nasl - Type: ACT_GATHER_INFO |
2011-06-22 | Name: The remote Fedora host is missing a security update. File: fedora_2011-8011.nasl - Type: ACT_GATHER_INFO |
2011-06-22 | Name: The remote Fedora host is missing a security update. File: fedora_2011-8021.nasl - Type: ACT_GATHER_INFO |
2011-06-22 | Name: The remote Fedora host is missing a security update. File: fedora_2011-8059.nasl - Type: ACT_GATHER_INFO |
2011-06-21 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2011-171-01.nasl - Type: ACT_GATHER_INFO |
2011-06-08 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2011-107.nasl - Type: ACT_GATHER_INFO |
2011-06-07 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_f7d838f2903911e0a051080027ef73ec.nasl - Type: ACT_GATHER_INFO |
2010-07-30 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2010-037.nasl - Type: ACT_GATHER_INFO |
2010-07-01 | Name: The remote Fedora host is missing a security update. File: fedora_2010-3800.nasl - Type: ACT_GATHER_INFO |
2010-06-02 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201006-12.nasl - Type: ACT_GATHER_INFO |
2010-05-17 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2010-136-01.nasl - Type: ACT_GATHER_INFO |
2010-04-21 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_09910d764c8211df83fb0015587e2cc1.nasl - Type: ACT_GATHER_INFO |
2010-02-24 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1852.nasl - Type: ACT_GATHER_INFO |
2010-02-19 | Name: The remote openSUSE host is missing a security update. File: suse_11_2_fetchmail-100216.nasl - Type: ACT_GATHER_INFO |
2010-02-15 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_2a6a966f177411dfb5c10026189baca3.nasl - Type: ACT_GATHER_INFO |