CVE-2021-39272 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Information disclosure
Description	Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2326	fetchmail	6.4.21-1	6.4.22-1	Medium	Fixed

References
https://www.fetchmail.info/fetchmail-SA-2021-02.txt https://sourceforge.net/p/fetchmail/git/ci/3837f0e2e42b43c69b46d240adcbbe3a2c68ce95/

Notes
Workaround ========== Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange. Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.

Notes

Workaround
==========

Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.

Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.