VYPR

rpm package

opensuse/fetchmail&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/fetchmail&distro=openSUSE%20Tumbleweed

Vulnerabilities (13)

  • CVE-2025-61962 | Med | Oct 4, 2025
    affected < 6.5.6-1.1 | fixed 6.5.6-1.1

    In fetchmail before 6.5.6, the SMTP client can crash when authenticating upon receiving a 334 status code in a malformed context.

  • CVE-2021-39272 | Aug 30, 2021
    affected < 6.4.22-1.1 | fixed 6.4.22-1.1

    Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.

  • CVE-2021-36386 | Jul 29, 2021
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of

  • CVE-2012-3482 | Dec 21, 2012
    affected < 6.3.26-13.4 | fixed 6.3.26-13.4

    Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obt

  • CVE-2011-3389 | Sep 6, 2011
    affected < 6.3.26-13.4 | fixed 6.3.26-13.4

    The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to ob

  • CVE-2011-1947 | Jun 2, 2011
    affected < 6.3.26-13.4 | fixed 6.3.26-13.4

    fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets.

  • CVE-2010-1167 | May 7, 2010
    affected < 6.3.26-13.4 | fixed 6.3.26-13.4

    fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3

  • CVE-2009-2666 | Aug 7, 2009
    affected < 6.3.26-13.4 | fixed 6.3.26-13.4

    socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate

  • CVE-2007-4565 | Aug 28, 2007
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.

  • CVE-2007-1558 | Apr 16, 2007
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1

  • CVE-2006-5974 | Dec 31, 2006
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    fetchmail 6.3.5 and 6.3.6 before 6.3.6-rc4, when refusing a message delivered via the mda option, allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the (1) ferror or (2) fflush functions.

  • CVE-2006-5867 | Dec 31, 2006
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks.

  • CVE-2006-0321 | Jan 24, 2006
    affected < 6.4.21-2.1 | fixed 6.4.21-2.1

    fetchmail 6.3.0 and other versions before 6.3.2 allows remote attackers to cause a denial of service (crash) via crafted e-mail messages that cause a free of an invalid pointer when fetchmail bounces the message to the originator or local postmaster.