Bug 1224188

Summary: fetchmail: fix for CVE-2021-36386 introduces regression
Product: [Novell Products] SUSE Security Incidents
Reporter: Camila Camargo de Matos <camila.matos>
Component: Incidents
Assignee: David Anes <david.anes>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/405003/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1188875
Bug Blocks:

Description Camila Camargo de Matos 2024-05-13 17:31:36 UTC
Bug #1188875 is currently tracking information on CVE-2021-36386, related to package fetchmail.

The fix for the vulnerability described by this CVE has been applied to all affected codestreams and package fetchmail is no longer vulnerable in any codestream that contains it.

However, further analysis of package files in fixed codestreams, together with the analysis of the upstream repository, has led us to identify that the fix also introduces a regression (as seen in upstream's Changelog file [0]), this regression being addressed in version 6.4.21 of fetchmail.

Some codestreams fixed for CVE-2021-36386 contain both the vulnerability fix and a fix for the regression, but other codestreams are missing the regression fix.
I am, therefore, opening this bug so that this issue can be properly tracked.

Affected packages are as follows:
- SUSE:SLE-11:Update/fetchmail
- SUSE:SLE-12:Update/fetchmail

[0] https://gitlab.com/fetchmail/fetchmail/-/blob/legacy_64/NEWS#L446

Comment 1 Marcus Meissner 2024-05-14 07:04:49 UTC
(sle11 is reactive only, no fix needed anymore)