Multiple vulnerabilities have been reported in Fetchmail, allowing remote attackers to execute arbitrary code or to conduct Man-in-the-Middle attacks.
|Package||net-mail/fetchmail on all architectures|
|Affected versions||< 6.3.14|
|Unaffected versions||>= 6.3.14|
Fetchmail is a remote mail retrieval and forwarding utility.
Multiple vulnerabilities have been reported in Fetchmail:
A remote attacker could entice a user to connect with Fetchmail to a specially crafted SSL-enabled server in verbose mode, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. NOTE: The issue is only existent on platforms on which char is signed.
Furthermore, a remote attacker might employ a specially crafted X.509 certificate, containing a NUL character in the Common Name field to conduct man-in-the-middle attacks on SSL connections made using Fetchmail.
There is no known workaround at this time.
All Fetchmail users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.3.14"