CVE-2021-39272

Severity: Medium
Remote: Yes
Type: Information disclosure
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
Group     Package    Affected  Fixed     Severity  Status  Ticket
AVG-2326  fetchmail  6.4.21-1  6.4.22-1  Medium    Fixed

Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.

Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.
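
As an added example (not part of the advisory or of fetchmail itself), the following Python script lists the server entries in a run-control file that lack the `ssl` keyword and therefore do not use Implicit TLS. The sample file, host names, credentials and function name are constructed for illustration.

```python
import shlex

# Constructed sample run-control file; hosts and credentials are placeholders.
SAMPLE_RC = '''
# work mailbox: no ssl keyword, so the session starts in clear text
poll imap.example.org protocol imap
    user "alice" password "not#real"
poll pop.example.net protocol pop3 user "bob" password "x" ssl sslcertck
skip old.example.com proto imap user "carol" password "y"
'''

# Keywords whose next token is a value, not an option (only these are handled).
VALUE_KEYWORDS = {"user", "username", "pass", "password"}


def entries_without_implicit_tls(rc_text):
    """Return server names whose entry does not enable "ssl" mode.

    Simplifications: an entry with several users is treated as one unit,
    and only the value keywords listed above are skipped.
    """
    tokens = [t.strip(",;:") for t in shlex.split(rc_text, comments=True)]
    entries = []      # dicts: server name (None for "defaults") and ssl flag
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "defaults":
            current = {"server": None, "ssl": False}
            entries.append(current)
        elif tok in ("poll", "skip") and i + 1 < len(tokens):
            current = {"server": tokens[i + 1], "ssl": False}
            entries.append(current)
            i += 1                      # consume the server name
        elif tok in VALUE_KEYWORDS:
            i += 1                      # skip the value, e.g. a password "ssl"
        elif tok == "ssl" and current is not None:
            current["ssl"] = True
        i += 1

    flagged, default_ssl = [], False
    for entry in entries:
        if entry["server"] is None:     # "defaults" applies to later entries
            default_ssl = entry["ssl"]
        elif not (entry["ssl"] or default_ssl):
            flagged.append(entry["server"])
    return flagged


if __name__ == "__main__":
    for server in entries_without_implicit_tls(SAMPLE_RC):
        print(f"{server}: no 'ssl' keyword, not using Implicit TLS")
```

A flagged entry is a candidate for the `ssl` keyword (or the `--ssl` command-line switch) where the server offers the dedicated TLS port.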