fetchmail-6.4.24-1.el8.ML.1

Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

Install fetchmail if you need to retrieve mail over SLIP or PPP connections.

Security Fix(es):

* fetchmail: DoS or information disclosure when logging long messages
(CVE-2021-36386)
* fetchmail: STARTTLS session encryption bypassing (CVE-2021-39272)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes:

Update the version to 6.4.24-1.el8.ML.1.

CVE-2021-36386
report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits
initialization of the vsnprintf va_list argument, which might allow mail servers
to cause a denial of service or possibly have unspecified other impact via long
error messages. NOTE: it is unclear whether use of Fetchmail on any realistic
platform results in an impact beyond an inconvenience to the client user.
CVE-2021-39272
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some
circumstances, such as a certain situation with IMAP and PREAUTH.