Public bug reported:

Ubuntu Impish is carrying fetchmail 6.4.16-5 presently.  Fetchmail
versions 6.4.17, .18, .19, .20, and .21 were small, focused bugfix-only
releases.  Four of these fixes were already backported to 6.4.16 by
Debian, but there are also some lesser fixes to fetchmailconf and
updates to man pages and other documentation.

Debian currently carries the latest fetchmail as version 6.4.22-1 in
unstable.  This is also a bugfix-focused release but with more fixes
than the previous versions.  Of particular note is a security fix for
CVE-2021-39272, which introduces some functional changes to the handling
of STARTTLS with --ssl/--sslproto options, and tweaks behavior in some
other use cases.  A number of other behavior changes listed in the
6.4.22 changelog sound related, either inspired by or motivated by the
security fix.

While there are no new features included in these releases, the
aforementioned security fix seems like it could impact user
installations in a way that would be difficult to justify as an SRU
update.  For this reason, I think it's best to introduce this update now
prior to Impish's release, and sync 6.4.22-1 from Debian.

* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without
 --ssl and with nonempty --sslproto, meaning that fetchmail is to
 enforce TLS, and when the server or an attacker sends a PREAUTH
 greeting, fetchmail used to continue an unencrypted connection.
 Now, log the error and abort the connection.
 --Recommendation for servers that support SSL/TLS-wrapped or
 "implicit" mode on a dedicated port (default 993): use --ssl,
 or the ssl user option in an rcfile.

https://sourceforge.net/p/fetchmail/git/ci/legacy_64/tree/NEWS
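The greeting check that the fetchmail-SA-2021-02 entry above describes, modelled as an added Python example (this is not fetchmail's own C code). The names `TlsOptions`, `parse_greeting`, `tls_decision` and `tls_decision_before_fix` are this example's own, the `ssl`/`sslproto` fields mirror the `--ssl`/`--sslproto` options named in the advisory, and the IMAP greeting lines used as input are constructed samples. The point it makes is the one in the NEWS entry: a PREAUTH greeting skips the authentication phase in which STARTTLS would be issued, so a client that was told to enforce TLS (nonempty sslproto, no --ssl) has no way to get TLS and must abort rather than carry on in the clear.

```python
# Added example modelling the CVE-2021-39272 / fetchmail-SA-2021-02 check.
# Not fetchmail's code; function and type names below are this example's own.
from dataclasses import dataclass


@dataclass
class TlsOptions:
    ssl: bool       # --ssl: SSL/TLS-wrapped ("implicit") mode, e.g. IMAP port 993
    sslproto: str   # --sslproto: nonempty means fetchmail is to enforce TLS


def parse_greeting(line: str) -> str:
    """Return the status word ('OK', 'PREAUTH' or 'BYE') of an untagged IMAP
    server greeting such as '* OK IMAP4rev1 ready' or '* PREAUTH logged in'."""
    parts = line.rstrip("\r\n").split(maxsplit=2)
    if len(parts) < 2 or parts[0] != "*":
        raise ValueError(f"not an untagged IMAP greeting: {line!r}")
    status = parts[1].upper()
    if status not in ("OK", "PREAUTH", "BYE"):
        raise ValueError(f"unexpected greeting status: {status!r}")
    return status


def tls_decision_before_fix(greeting: str, opts: TlsOptions) -> str:
    """Behaviour the advisory describes for fetchmail before 6.4.22: with TLS
    enforced but no --ssl, a PREAUTH greeting still led to an unencrypted session.
    Returns 'implicit-tls', 'starttls', 'plaintext' or 'abort'."""
    if opts.ssl:
        return "implicit-tls"          # TLS was set up before any IMAP line
    status = parse_greeting(greeting)
    if status == "BYE":
        return "abort"
    if status == "PREAUTH":
        return "plaintext"             # the flaw: no STARTTLS, session continues
    return "starttls" if opts.sslproto else "plaintext"


def tls_decision(greeting: str, opts: TlsOptions) -> str:
    """Behaviour after the fix: enforce-TLS plus PREAUTH is logged and aborted."""
    if opts.ssl:
        # Implicit mode: the transport is already TLS, the greeting's status
        # does not change that, which is why the advisory recommends --ssl.
        return "implicit-tls"
    status = parse_greeting(greeting)
    if status == "BYE":
        return "abort"
    if status == "PREAUTH":
        if opts.sslproto:
            # STARTTLS is only possible before authentication, and PREAUTH
            # has already skipped it, so TLS can no longer be negotiated.
            print("error: server sent PREAUTH but TLS is required; aborting")
            return "abort"
        # Nothing asked for TLS: a plaintext session is what was configured.
        return "plaintext"
    # Ordinary OK greeting: upgrade with STARTTLS when TLS is requested.
    return "starttls" if opts.sslproto else "plaintext"


if __name__ == "__main__":
    # Constructed sample greetings; 'tls1.2+' stands in for any nonempty sslproto.
    enforce = TlsOptions(ssl=False, sslproto="tls1.2+")
    for line in ("* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n",
                 "* PREAUTH IMAP4rev1 server logged in\r\n"):
        print(line.strip(), "->", "before:", tls_decision_before_fix(line, enforce),
              "after:", tls_decision(line, enforce))
```

The advisory's recommendation maps onto `TlsOptions(ssl=True, ...)`: with `--ssl` (or the `ssl` user option in the rcfile) on the dedicated port, TLS is negotiated before the first IMAP line is read, so the greeting cannot downgrade the connection at all.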

** Affects: fetchmail (Ubuntu)
     Importance: Undecided
         Status: New


-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1945014

Title:
  Sync fetchmail 6.4.22-1 from Debian for Impish

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fetchmail/+bug/1945014/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
