Errata ID: AXSA:2022-3362:02

Release date: Monday, July 4, 2022 - 01:17
Affected Channels: Asianux Server 8 for x86_64

Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.

Install fetchmail if you need to retrieve mail over SLIP or PPP connections.

Security Fix(es):

* fetchmail: DoS or information disclosure when logging long messages
* fetchmail: STARTTLS session encryption bypassing (CVE-2021-39272)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes:

Update the version to 6.4.24-1.el8.ML.1.

report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits
initialization of the vsnprintf va_list argument, which might allow mail servers
to cause a denial of service or possibly have unspecified other impact via long
error messages. NOTE: it is unclear whether use of Fetchmail on any realistic
platform results in an impact beyond an inconvenience to the client user.

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some
circumstances, such as a certain situation with IMAP and PREAUTH.


Update packages.

Additional Info: 



  1. fetchmail-6.4.24-1.el8.ML.1.src.rpm
    MD5: c9ec11f8201d08ad6f3e4c4ce080ed16
    SHA-256: 2c3210489d38aee41405a92c5bc588711716c09a5822dfa0309dd05780cecb38
    Size: 1.30 MB

Asianux Server 8 for x86_64
  1. fetchmail-6.4.24-1.el8.ML.1.x86_64.rpm
    MD5: 2e7722264f0e9566dc564e7ccc23465b
    SHA-256: 86827a8e8ca36eb622972a4731f273f6abb6654f7aa145620f0194f69eca535c
    Size: 602.65 kB