Debian Bug report logs - #993163
fetchmail: CVE-2021-39272


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 28 Aug 2021 08:27:01 UTC

Severity: important

Tags: security, upstream

Found in versions fetchmail/6.4.0~beta4-3+deb10u1, fetchmail/6.4.16-4, fetchmail/6.4.21-1, fetchmail/6.4.0~beta4-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#993163; Package src:fetchmail. (Sat, 28 Aug 2021 08:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 28 Aug 2021 08:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fetchmail: CVE-2021-39272
Date: Sat, 28 Aug 2021 10:23:57 +0200
Source: fetchmail
Version: 6.4.21-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 6.4.16-4
Control: found -1 6.4.0~beta4-3+deb10u1
Control: found -1 6.4.0~beta4-1

Hi,

The following vulnerability was published for fetchmail.

CVE-2021-39272[0]:
| TLS bypass vulnerabilities ("NO STARTTLS")

Note I think this does not warrant a DSA. But if cherry-picking
changes for bullseye and buster, as per [1], one should probably also
pick the documentation updates with the updated recommendations.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39272
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39272
[1] https://www.fetchmail.info/fetchmail-SA-2021-02.txt

Regards,
Salvatore
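The advisory linked as [1] files this CVE under the "NO STARTTLS" class: a mail client that can be talked into carrying on without TLS. What follows is an added example, not fetchmail's code and not taken from the advisory or from this bug report, of the fail-closed STARTTLS preamble an IMAP client needs before it may send credentials. It is exercised against four constructed in-process servers (an honest one, one that omits STARTTLS from CAPABILITY, one that answers STARTTLS with NO, and one that appends plaintext after the STARTTLS OK). The scenario names, scripted replies, tags and function names are all invented for the example; it makes no claim about which of these checks fetchmail 6.4.21 lacked.

```python
"""Fail-closed STARTTLS preamble for an IMAP client, run against
constructed in-process servers. Added example; not fetchmail code."""
import socket
import threading


class StartTlsRefused(Exception):
    """Raised when the client must abort rather than continue in plaintext."""


def _readline(sock, buf):
    """Return (line, leftover) for the next CRLF-terminated line on sock."""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise StartTlsRefused("connection closed before TLS was established")
        buf += chunk
    line, _, rest = buf.partition(b"\r\n")
    return line.decode("ascii", "replace"), rest


def require_starttls(sock):
    """Drive greeting -> CAPABILITY -> STARTTLS and refuse every fallback.

    Returns True only when the server gave a tagged OK to STARTTLS and no
    plaintext bytes were buffered after it; the caller must then wrap `sock`
    in TLS *before* sending LOGIN or any other command.
    """
    greeting, buf = _readline(sock, b"")
    if not greeting.startswith("* OK"):
        raise StartTlsRefused(f"unexpected greeting: {greeting!r}")

    sock.sendall(b"a001 CAPABILITY\r\n")
    caps = set()
    while True:
        line, buf = _readline(sock, buf)
        if line.startswith("* CAPABILITY "):
            caps.update(line.split()[2:])
        elif line.startswith("a001 "):
            break
    # Check 1: a server that does not offer STARTTLS gets no credentials.
    if "STARTTLS" not in caps:
        raise StartTlsRefused("STARTTLS not advertised; refusing plaintext login")

    sock.sendall(b"a002 STARTTLS\r\n")
    line, buf = _readline(sock, buf)
    # Check 2: anything but a tagged OK (NO, BAD, untagged noise) is fatal.
    if not line.startswith("a002 OK"):
        raise StartTlsRefused(f"STARTTLS rejected: {line!r}")
    # Check 3: plaintext already buffered after the OK must not survive into
    # the TLS session, or an attacker's bytes read as trusted server output.
    if buf:
        raise StartTlsRefused(f"plaintext data after STARTTLS OK: {buf!r}")
    return True


def _scripted_server(sock, replies):
    """Constructed IMAP server: greets, then answers each command from `replies`."""
    try:
        sock.sendall(b"* OK IMAP4rev1 ready\r\n")
        buf = b""
        for reply in replies:
            while b"\r\n" not in buf:  # wait for one client command line
                chunk = sock.recv(4096)
                if not chunk:
                    return
                buf += chunk
            _, _, buf = buf.partition(b"\r\n")
            sock.sendall(reply)
    finally:
        sock.close()


def run_against(replies):
    """Run the client against a scripted server; return 'tls' or the refusal."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_scripted_server, args=(server, replies), daemon=True)
    t.start()
    try:
        require_starttls(client)
        return "tls"
    except StartTlsRefused as exc:
        return f"refused: {exc}"
    finally:
        client.close()
        t.join(2)


# Constructed server transcripts for the four scenarios (not real captures).
CAPS_WITH_STARTTLS = b"* CAPABILITY IMAP4rev1 STARTTLS\r\na001 OK done\r\n"
SCENARIOS = {
    "honest":   [CAPS_WITH_STARTTLS, b"a002 OK Begin TLS\r\n"],
    "stripped": [b"* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na001 OK done\r\n"],
    "rejected": [CAPS_WITH_STARTTLS, b"a002 NO try later\r\n"],
    "injected": [CAPS_WITH_STARTTLS, b"a002 OK Begin TLS\r\n* 1 FETCH (FLAGS (\\Seen))\r\n"],
}

if __name__ == "__main__":
    for name, replies in SCENARIOS.items():
        print(f"{name:9s} -> {run_against(replies)}")
```

Only the "honest" transcript reaches the point where a TLS handshake would start; the other three end in a refusal, never in a plaintext LOGIN. The third check matters because a client that keeps its receive buffer across the handshake would hand those pre-TLS bytes to the application as if they had arrived encrypted.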



Marked as found in versions fetchmail/6.4.16-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 28 Aug 2021 08:27:04 GMT)


Marked as found in versions fetchmail/6.4.0~beta4-3+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 28 Aug 2021 08:27:04 GMT)


Marked as found in versions fetchmail/6.4.0~beta4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 28 Aug 2021 08:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#993163; Package src:fetchmail. (Sat, 28 Aug 2021 09:27:03 GMT)


Acknowledgement sent to Matthias Andree <matthias.andree@gmx.de>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 28 Aug 2021 09:27:03 GMT)


Message #16 received at 993163@bugs.debian.org:

From: Matthias Andree <matthias.andree@gmx.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 993163@bugs.debian.org, 993163-maintainer@bugs.debian.org
Subject: Re: Bug#993163: fetchmail: CVE-2021-39272
Date: Sat, 28 Aug 2021 11:24:02 +0200
Just a word of warning: this isn't your pick-three-git-commits-with-
trivial-fixes case - the backport will require proper testing, too, and it
will require some of the 42 patches since fetchmail 6.4.21 that are NOT
marked SECURITY - for instance, 74771392 and 616e8c70, and translation
updates as they are now trickling in, and documentation updates that
suggest limiting TLS to TLS1.2+, so anything that looks like an SSL or TLS
documentation update.

Feel free to ask simple "do I need commit c0decafe to fix this CVE"
questions on the fetchmail-devel@ list for the benefit of other
distributors backporting.

Note that there was a lot of drive-by bugfixing that also warrants
updating independent of the CVE.
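Matthias notes above that the updated documentation recommends limiting TLS to 1.2 and newer. As an added illustration (not text from this bug report and not fetchmail's own documentation), here is a `.fetchmailrc` poll entry in a legacy form next to a hardened one. The host name, user and password are placeholders; the keyword set and the `tls1.2+` spelling are what I understand fetchmail 6.4's `sslproto` syntax to accept, so check fetchmail(1) for the installed version before copying them.

```conf
# Legacy entry (assumed): no TLS keyword at all, so whether the session
# ends up encrypted depends on what the server offers and on the client's
# fallback behaviour - exactly the territory the "NO STARTTLS" class lives in.
poll imap.example.org proto imap user "alice" pass "secret"

# Hardened entry (assumed keywords from fetchmail 6.4's sslproto syntax):
#   ssl        - implicit TLS on the IMAPS port instead of a STARTTLS upgrade
#   sslproto   - "tls1.2+" accepts TLS 1.2 and newer only
#   sslcertck  - verify the server certificate and abort if verification fails
poll imap.example.org proto imap user "alice" pass "secret"
    ssl sslproto tls1.2+ sslcertck
```

Because the entry carries a password, fetchmail refuses to read the file unless it is owned by the user and not readable by others (mode 0600); keep that in mind when testing the change.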





Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#993163; Package src:fetchmail. (Sat, 28 Aug 2021 10:15:02 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 28 Aug 2021 10:15:02 GMT)


Message #21 received at 993163@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Matthias Andree <matthias.andree@gmx.de>, 993163@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#993163: fetchmail: CVE-2021-39272
Date: Sat, 28 Aug 2021 12:14:14 +0200
Hi Matthias,

On Sat, Aug 28, 2021 at 11:27 AM Matthias Andree <matthias.andree@gmx.de> wrote:
> Just a word of warning, this isn't your pick three git commits with
> trivial fixes - the backport will require proper testing, too, and it
> will require some of the 42 patches since fetchmail 6.4.21 that are NOT
> marked SECURITY - for instance, 74771392 and 616e8c70, and translation
> updates as they are now trickling in, and documentation updates that
> suggest limiting TLS to TLS1.2+, so anything that looks like an SSL or TLS
> documentation update.
[...]
> Note that there was a lot of drive-by bugfixing that also warrants
> updating independent of the CVE.
You are kind of a mind reader. There are several important commits to
backport and I'm not sure it is worth testing whether all backported ones
are in place and properly fix all security issues. I think it's much
better to make a full package update.
I.e., put 6.4.22 into Bullseye instead of the 6.4.16 version. At first
look, I didn't see any change that might be unintended for a stable
update.

Thanks for your follow up!
Laszlo/GCS





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Aug 29 16:19:53 2021; Machine Name: buxtehude
