Bug 1224188 - fetchmail: fix for CVE-2021-36386 introduces regression
Summary: fetchmail: fix for CVE-2021-36386 introduces regression
Status: IN_PROGRESS
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/405003/
Whiteboard:
Keywords:
Depends on: CVE-2021-36386
Blocks:
Reported: 2024-05-13 17:31 UTC by Camila Camargo de Matos
Modified: 2024-07-04 12:47 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Camila Camargo de Matos 2024-05-13 17:31:36 UTC
Bug #1188875 is currently tracking information on CVE-2021-36386, related to package fetchmail.

The fix for the vulnerability described by this CVE has been applied to all affected codestreams and package fetchmail is no longer vulnerable in any codestream that contains it.

However, further analysis of package files in fixed codestreams, together with the analysis of the upstream repository, has led us to identify that the fix also introduces a regression (as seen in upstream's Changelog file [0]), this regression being addressed in version 6.4.21 of fetchmail.

Some codestreams fixed for CVE-2021-36386 contain both the vulnerability fix and a fix for the regression, but other codestreams are missing the regression fix.
I am, therefore, opening this bug so that this issue can be properly tracked.

Affected packages are as follows:
- SUSE:SLE-11:Update/fetchmail
- SUSE:SLE-12:Update/fetchmail

[0] https://gitlab.com/fetchmail/fetchmail/-/blob/legacy_64/NEWS#L446
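The situation the report describes, a codestream that backported the CVE-2021-36386 fix but not the follow-up regression fix from 6.4.21, is the kind of gap a patch-series check catches before a package ships. The following is an added example (not SUSE's tooling, not part of this bug, and not fetchmail code): it parses the `PatchN:` declarations and `%patch`/`%autosetup` application lines of an RPM spec and reports, for each required fix, whether it is applied, declared but never applied, or absent. The spec fragments and the patch file names are constructed for the example; the real SUSE patch names are not given in the report.

```python
"""Check that an RPM spec both declares and applies a required set of patches.

Added example, not SUSE's tooling and not from this bug report. The spec
fragments and patch file names below are constructed (hypothetical) to mirror
the report: a codestream carrying the CVE fix but missing the regression fix.
"""
import re

# Patches a fixed codestream must carry. File names are hypothetical.
REQUIRED_PATCHES = {
    "cve-fix": "fetchmail-CVE-2021-36386.patch",
    "regression-fix": "fetchmail-CVE-2021-36386-regression-6.4.21.patch",
}

# Constructed spec fragments (not real SUSE spec files).
SPEC_COMPLETE = """\
Name:           fetchmail
Version:        6.3.26
Patch10:        fetchmail-CVE-2021-36386.patch
Patch11:        fetchmail-CVE-2021-36386-regression-6.4.21.patch
%prep
%setup -q
%patch10 -p1
%patch11 -p1
"""

SPEC_NO_REGRESSION_FIX = """\
Name:           fetchmail
Version:        6.3.26
Patch10:        fetchmail-CVE-2021-36386.patch
%prep
%setup -q
%patch10 -p1
"""

# Declared in the header but never applied in %prep: builds fine, ships unfixed.
SPEC_DECLARED_NOT_APPLIED = """\
Name:           fetchmail
Version:        6.3.26
Patch10:        fetchmail-CVE-2021-36386.patch
Patch11:        fetchmail-CVE-2021-36386-regression-6.4.21.patch
%prep
%setup -q
%patch10 -p1
"""

_DECL_RE = re.compile(r"^Patch(\d+):\s*(\S+)", re.IGNORECASE)
# Both the classic "%patch10 -p1" and the "%patch -P 10 -p1" spelling.
_APPLY_RE = re.compile(r"^%patch(\d+)\b|^%patch\s+-P\s*(\d+)\b")
# %autosetup / %autopatch apply every declared patch.
_AUTO_RE = re.compile(r"^%(autosetup|autopatch)\b")


def parse_spec_patches(spec_text):
    """Return (declared: {index: filename}, applied: {index})."""
    declared, applied, apply_all = {}, set(), False
    for raw in spec_text.splitlines():
        line = raw.strip()
        m = _DECL_RE.match(line)
        if m:
            declared[int(m.group(1))] = m.group(2)
            continue
        m = _APPLY_RE.match(line)
        if m:
            applied.add(int(m.group(1) or m.group(2)))
            continue
        if _AUTO_RE.match(line):
            apply_all = True
    if apply_all:
        applied |= set(declared)
    return declared, applied


def check_patch_series(spec_text, required=REQUIRED_PATCHES):
    """Map each required fix label to 'applied', 'declared-only' or 'missing'."""
    declared, applied = parse_spec_patches(spec_text)
    index_of = {name: idx for idx, name in declared.items()}
    status = {}
    for label, fname in required.items():
        if fname not in index_of:
            status[label] = "missing"
        elif index_of[fname] in applied:
            status[label] = "applied"
        else:
            status[label] = "declared-only"
    return status


def missing_fixes(spec_text, required=REQUIRED_PATCHES):
    """Labels of required fixes that are not actually applied by this spec."""
    return sorted(label for label, st in check_patch_series(spec_text, required).items()
                  if st != "applied")


if __name__ == "__main__":
    for name, spec in [("complete", SPEC_COMPLETE),
                       ("no-regression-fix", SPEC_NO_REGRESSION_FIX),
                       ("declared-not-applied", SPEC_DECLARED_NOT_APPLIED)]:
        print(f"{name}: {check_patch_series(spec)}")
```

Run against a real checkout, the same check reads the codestream's `.spec` from disk; the point of the `declared-only` state is that a patch listed in the header but dropped from `%prep` is silently absent from the built package even though the changelog and `rpm -q --changelog` may claim the fix.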
Comment 1 Marcus Meissner 2024-05-14 07:04:49 UTC
(sle11 is reactive only, no fix needed anymore)