First Last Prev Next    This bug is not in your last search results.
Bug 1190069 - (CVE-2021-39272) VUL-0: CVE-2021-39272: fetchmail: STARTTLS session encryption bypassing
(CVE-2021-39272)
VUL-0: CVE-2021-39272: fetchmail: STARTTLS session encryption bypassing
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/308490/
CVSSv3.1:SUSE:CVE-2021-39272:5.9:(AV:...
:
Depends on:
Blocks: NOSTARTTLS
  Show dependency treegraph
 
Reported: 2021-09-01 15:24 UTC by Gabriele Sonnu
Modified: 2022-09-30 13:43 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Proposed patch for SLE-15 and SLE-12 (41.35 KB, patch)
2021-10-08 11:01 UTC, Pedro Monreal Gonzalez 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Gabriele Sonnu 2021-09-01 15:25:48 UTC 
Affected products:

- SUSE:SLE-11:Update/fetchmail    6.3.8.90
- SUSE:SLE-12:Update/fetchmail    6.3.26
- SUSE:SLE-15:Update/fetchmail    6.3.26
- openSUSE:Factory/fetchmail      6.4.21

Upstream released a new version (6.4.22rc3) that fixes the problem.

I extracted a list of related commit but probably is not enough to backport the fixes to older versions.
Please analyze the new version in order to create the patches.

- https://gitlab.com/fetchmail/fetchmail/-/commit/3837f0e2e42b43c69b46d240adcbbe3a2c68ce95

- https://gitlab.com/fetchmail/fetchmail/-/commit/8517491d8558e202a33294ac61f2268ef802f03f

- https://gitlab.com/fetchmail/fetchmail/-/commit/c78cc2fc202f6bb6b44412f9c35bf176261c25f1

- https://gitlab.com/fetchmail/fetchmail/-/commit/e7199006808bb19f58d232da02172ee820d2d83e

- https://gitlab.com/fetchmail/fetchmail/-/commit/b82c3ccb65e3279996a690ebf577263d7730e0b3
Comment 2 Pedro Monreal Gonzalez 2021-09-01 16:00:03 UTC 
I can see dozens of related commits since version 6.4.21 and the documentation should also be updated accordingly. I think we can update to version 6.4.22 once released, but if it takes too long we can use the RC3. The back-port might take some time and effort.
Comment 3 Marcus Meissner 2021-09-01 16:17:39 UTC 
i think we can also wait for the next release if its coming soon, in light together with the ECO update.
Comment 4 Pedro Monreal Gonzalez 2021-09-14 16:39:53 UTC 
I'll update Factory and SLE-15-SP4 to version 6.4.22 which has just been released:
  * https://sourceforge.net/projects/fetchmail/files/branch_6.4/
Comment 5 Pedro Monreal Gonzalez 2021-10-07 10:02:09 UTC 
Factory submission: https://build.opensuse.org/request/show/923570
Comment 6 Pedro Monreal Gonzalez 2021-10-08 11:01:01 UTC 
Created attachment 853020 [details]
Proposed patch for SLE-15 and SLE-12

For SLE-15 and SLE-12 this patch contains all the required changes.
Comment 10 Swamp Workflow Management 2021-10-20 19:30:10 UTC 
openSUSE-SU-2021:3493-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190069
CVE References: CVE-2021-39272
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    fetchmail-6.3.26-20.17.1
Comment 11 Swamp Workflow Management 2021-10-20 19:33:10 UTC 
SUSE-SU-2021:3493-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190069
CVE References: CVE-2021-39272
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    fetchmail-6.3.26-20.17.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    fetchmail-6.3.26-20.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    fetchmail-6.3.26-20.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    fetchmail-6.3.26-20.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-10-20 19:43:15 UTC 
SUSE-SU-2021:3492-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190069
CVE References: CVE-2021-39272
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    fetchmail-6.3.26-13.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-10-31 20:48:53 UTC 
openSUSE-SU-2021:1416-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1190069
CVE References: CVE-2021-39272
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    fetchmail-6.3.26-lp152.6.9.1
Comment 15 Swamp Workflow Management 2021-12-14 11:19:36 UTC 
openSUSE-SU-2021:4018-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available.

Category: security (moderate)
Bug References: 1152964,1174075,1181400,1188875,1190069,1190896
CVE References: CVE-2021-36386,CVE-2021-39272
JIRA References: SLE-17903,SLE-18059,SLE-18159
Sources used:
openSUSE Leap 15.3 (src):    fetchmail-6.4.22-20.20.1
Comment 16 Swamp Workflow Management 2021-12-14 11:24:40 UTC 
SUSE-SU-2021:4018-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available.

Category: security (moderate)
Bug References: 1152964,1174075,1181400,1188875,1190069,1190896
CVE References: CVE-2021-36386,CVE-2021-39272
JIRA References: SLE-17903,SLE-18059,SLE-18159
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Server for SAP 15 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Server 15-LTSS (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    fetchmail-6.4.22-20.20.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    fetchmail-6.4.22-20.20.1
SUSE Enterprise Storage 6 (src):    fetchmail-6.4.22-20.20.1
SUSE CaaS Platform 4.0 (src):    fetchmail-6.4.22-20.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-12-17 14:18:53 UTC 
openSUSE-SU-2021:1591-1: An update that solves two vulnerabilities, contains three features and has four fixes is now available.

Category: security (moderate)
Bug References: 1152964,1174075,1181400,1188875,1190069,1190896
CVE References: CVE-2021-36386,CVE-2021-39272
JIRA References: SLE-17903,SLE-18059,SLE-18159
Sources used:
openSUSE Leap 15.2 (src):    fetchmail-6.4.22-lp152.6.12.1
Comment 20 Robert Frohl 2022-08-25 07:41:44 UTC 
done, closing
Comment 21 Stoyan Manolov 2022-09-30 13:43:48 UTC 
done, closing
First Last Prev Next    This bug is not in your last search results.