CVE-2021-39272 log
Severity | Medium |
Remote | Yes |
Type | Information disclosure |
Description | Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-2326 | fetchmail | 6.4.21-1 | 6.4.22-1 | Medium | Fixed | |
References |
---|
https://www.fetchmail.info/fetchmail-SA-2021-02.txt |
https://sourceforge.net/p/fetchmail/git/ci/3837f0e2e42b43c69b46d240adcbbe3a2c68ce95/ |
Notes |
---|
Workaround: Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange. Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode. |
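
To check whether the workaround is in place, the following added example (not code from the tracker or from the fetchmail project) lists the `poll`/`skip` entries of a fetchmailrc that lack the `ssl` keyword. It is a simplified audit: the sample configuration is constructed, and `defaults` entries and a `--ssl` given on the command line are not taken into account.

```python
import re

# Constructed sample fetchmailrc (hostnames, users and passwords are made up).
SAMPLE_RC = '''
# mailbox A: connects in clear text first, so it depends on STARTTLS
poll imap.example.org protocol IMAP
    user "alice" password "ssl-is-not-a-keyword-here"
    sslcertck

# mailbox B: Implicit TLS on the dedicated port
poll pop.example.net protocol POP3
    user "bob" password "hunter2" ssl sslcertck

skip imap.example.com proto IMAP user "carol" password "x";
'''

# Quoted strings and comments are matched first so that their contents are
# never mistaken for keywords; ',', ';' and ':' are ignored like whitespace.
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[^\s,;:]+''')


def entries_without_implicit_tls(rc_text):
    """Return the server names of poll/skip entries without the `ssl` keyword."""
    entries = []          # list of [server_name, uses_ssl]
    expect_name = False   # True right after a poll/skip keyword
    for tok in TOKEN.findall(rc_text):
        if tok.startswith("#"):
            continue      # comment up to end of line
        if expect_name:
            entries.append([tok.strip("\"'"), False])
            expect_name = False
        elif tok in ("poll", "skip"):
            expect_name = True
        elif tok == "ssl" and entries:
            entries[-1][1] = True   # bare keyword only, quoted "ssl" differs
    return [name for name, uses_ssl in entries if not uses_ssl]


if __name__ == "__main__":
    for server in entries_without_implicit_tls(SAMPLE_RC):
        print(f"{server}: no 'ssl' keyword, not using Implicit TLS")
```
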