CVE-2021-39272 - log

CVE-2021-39272 edited at 30 Aug 2021 10:22:29
Description
- Fetchmail before version 6.4.22 continues an unencrypted connection, thus reading unauthenticated input and sending information unencrypted over its transport.
+ Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
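Review bot: The replacement description on the + line drops the impact that the removed line stated (input read unauthenticated, information sent unencrypted over the transport), and "a certain situation with IMAP and PREAUTH" does not say what that situation is. Consider keeping one clause on the consequence so the entry still supports the "Information disclosure" type set elsewhere in this log, for example by appending "so the session continues unencrypted" to the new sentence.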
CVE-2021-39272 edited at 27 Aug 2021 10:19:37
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Notes
Workaround
==========
- Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.
+ Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.
Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.
CVE-2021-39272 edited at 27 Aug 2021 10:18:50
Type
- Unknown
+ Information disclosure
Description
+ Fetchmail before version 6.4.22 continues an unencrypted connection, thus reading unauthenticated input and sending information unencrypted over its transport.
References
+ https://www.fetchmail.info/fetchmail-SA-2021-02.txt
+ https://sourceforge.net/p/fetchmail/git/ci/3837f0e2e42b43c69b46d240adcbbe3a2c68ce95/
Notes
+ Workaround
+ ==========
+
+ Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.
+
+ Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.
CVE-2021-39272 created at 27 Aug 2021 10:13:38