Sync fetchmail 6.4.22-1 from Debian for Impish
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fetchmail (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Ubuntu Impish is carrying fetchmail 6.4.16-5 presently. Fetchmail versions 6.4.17, .18, .19, .20, and .21 were small, focused bugfix-only releases. Four of these fixes were already backported to 6.4.16 by Debian, but there are also some lesser fixes to fetchmailconf and updates to man pages and other documentation.
Debian currently carries the latest fetchmail as version 6.4.22-1 in unstable. This is also a bugfix-focused release but with more fixes than the previous versions. Of particular note is a security fix for CVE-2021-39272, which introduces some functional changes to the handling of STARTTLS with the --ssl/--sslproto options, and tweaks behavior in some other use cases. A number of other behavior changes listed in the 6.4.22 changelog sound related, either inspired by or motivated by the security fix.
While there are no new features included in these releases, the aforementioned security fix seems like it could impact user installations in a way that would be difficult to justify as an SRU update. For this reason, I think it's best to introduce this update now prior to Impish's release, and sync 6.4.22-1 from Debian.
    * CVE-2021-39272: fetchmail-
      --ssl and with nonempty --sslproto, meaning that fetchmail is to
      enforce TLS, and when the server or an attacker sends a PREAUTH
      greeting, fetchmail used to continue an unencrypted connection.
      Now, log the error and abort the connection.
      -- Recommendation for servers that support SSL/TLS-wrapped or
      "implicit" mode on a dedicated port (default 993): use --ssl,
      or the ssl user option in an rcfile.
      https:/
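The quoted advisory text describes a decision fetchmail makes right after reading the IMAP server greeting: when TLS is mandatory (non-empty --sslproto) but the connection is not TLS-wrapped (no --ssl), a PREAUTH greeting used to skip the login phase, and with it STARTTLS, so the session continued in cleartext. The following toy model is an added example, not fetchmail's code; it encodes the before/after behaviour the advisory states, and adds a small rcfile audit that follows the advisory's recommendation to prefer the wrapped mode. The return labels, the handling of PREAUTH when no TLS was requested at all, and the minimal rcfile keyword set are assumptions for illustration.

```python
"""Toy model of the IMAP greeting decision behind CVE-2021-39272.

Added example, not fetchmail's own code. plan_old/plan_fixed encode the behaviour the
advisory describes before and after 6.4.22; the audit helper and the exact return labels
are illustrative assumptions.
"""
from dataclasses import dataclass
import shlex


@dataclass
class TlsPolicy:
    ssl: bool = False      # --ssl / rcfile "ssl": TLS-wrapped ("implicit") mode, default port 993
    sslproto: str = ""     # --sslproto: non-empty means TLS must be enforced (via STARTTLS if not wrapped)


def greeting_kind(line: str) -> str:
    """Return the untagged status word of an IMAP greeting: OK, PREAUTH or BYE (RFC 3501)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "*":
        raise ValueError(f"not an IMAP greeting: {line!r}")
    return parts[1].upper()


def plan_old(policy: TlsPolicy, greeting: str) -> str:
    """Pre-6.4.22 behaviour as described in the advisory."""
    if policy.ssl:
        return "tls-wrapped"          # TLS negotiated before any IMAP data; greeting is already encrypted
    kind = greeting_kind(greeting)
    if kind == "PREAUTH":
        # The server (or an attacker in the path) claims the session is pre-authenticated.
        # The old code skipped the login phase, and with it STARTTLS, and kept going in cleartext.
        return "continue-plaintext"
    if kind == "OK":
        return "starttls" if policy.sslproto else "plaintext-login"
    return "abort"


def plan_fixed(policy: TlsPolicy, greeting: str) -> str:
    """6.4.22 behaviour: PREAUTH while TLS is mandatory is an error, not a shortcut."""
    if policy.ssl:
        return "tls-wrapped"
    kind = greeting_kind(greeting)
    if kind == "PREAUTH":
        if policy.sslproto:
            return "abort"            # log the error and drop the connection instead of continuing unencrypted
        return "continue-plaintext"   # assumption: no TLS requested, so PREAUTH is honoured as before
    if kind == "OK":
        return "starttls" if policy.sslproto else "plaintext-login"
    return "abort"


def audit_rcfile(text: str) -> list:
    """Flag poll entries that enforce TLS only through STARTTLS (sslproto without ssl).

    Recognises just 'poll', 'ssl' and 'sslproto'; the real rcfile grammar is far larger.
    """
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("poll "):
            continue
        tokens = shlex.split(line)
        host = tokens[1]
        if "sslproto" in tokens and "ssl" not in tokens:
            findings.append(f"{host}: TLS enforced via STARTTLS only; prefer 'ssl' (implicit TLS, port 993)")
    return findings


# Constructed sample rcfile: the first entry relies on STARTTLS, the second uses the recommended mode.
SAMPLE_RC = '''
poll imap.example.test proto imap user "alice" sslproto tls1.2 sslcertck
poll mail.example.test proto imap user "bob" ssl sslproto tls1.2 sslcertck
'''

if __name__ == "__main__":
    policy = TlsPolicy(ssl=False, sslproto="tls1.2")
    spoofed = "* PREAUTH IMAP4rev1 server logged in as alice"   # constructed greeting
    print("old:  ", plan_old(policy, spoofed))
    print("fixed:", plan_fixed(policy, spoofed))
    for finding in audit_rcfile(SAMPLE_RC):
        print("audit:", finding)
```

The audit reflects the advisory's recommendation: with the wrapped mode there is no greeting to act on before TLS is established, so the PREAUTH shortcut never arises.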
CVE References
CVE-2021-39272
This bug was fixed in the package fetchmail - 6.4.22-1

---------------
fetchmail (6.4.22-1) unstable; urgency=high

  * New upstream release:
    - fix CVE-2021-39272: fail to enforce STARTTLS session encryption in
      some circumstances (closes: #993163).

 -- Laszlo Boszormenyi (GCS) <email address hidden>  Wed, 15 Sep 2021 19:04:31 +0200

fetchmail (6.4.21-1) unstable; urgency=medium

  * New upstream release.
  * Fix envelope segmentation fault (closes: #992400).

 -- Laszlo Boszormenyi (GCS) <email address hidden>  Wed, 18 Aug 2021 20:00:28 +0200