CVE-2021-39272

Source
Severity Medium
Remote Yes
Type Information disclosure
Description
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
Group      Package     Affected   Fixed      Severity   Status   Ticket
AVG-2326   fetchmail   6.4.21-1   6.4.22-1   Medium     Fixed
References
https://www.fetchmail.info/fetchmail-SA-2021-02.txt
https://sourceforge.net/p/fetchmail/git/ci/3837f0e2e42b43c69b46d240adcbbe3a2c68ce95/
Notes
Workaround
==========

Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.

Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.