29297 – fetchmail new security issue CVE-2021-36386

Bug 29297 - fetchmail new security issue CVE-2021-36386

Summary: fetchmail new security issue CVE-2021-36386

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-07-29 23:19 CEST by David Walser
Modified:	2021-08-06 11:35 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	fetchmail-6.4.8-5.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-07-29 23:19:02 CEST

Upstream has issued an advisory on July 28:
https://www.fetchmail.info/fetchmail-SA-2021-01.txt

The issue is fixed upstream in 6.4.20.

Mageia 8 is also affected.

David Walser 2021-07-29 23:20:14 CEST

Status comment: (none) => Fixed upstream in 6.4.20
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2021-07-30 20:18:58 CEST

No consistent committer for this, so assigning globally. CC'ing wally who touched it often in the past.

Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa

Comment 2 Nicolas Lécureuil 2021-07-31 20:13:50 CEST

fixed in mga8/9

src:
    - fetchmail-6.4.8-4.1.mga8

Version: Cauldron => 8
Status comment: Fixed upstream in 6.4.20 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => mageia

Comment 3 David Walser 2021-07-31 20:50:58 CEST

fetchmail-6.4.8-4.1.mga8
fetchmailconf-6.4.8-4.1.mga8
fetchmail-daemon-6.4.8-4.1.mga8

from fetchmail-6.4.8-4.1.mga8.src.rpm

Comment 4 Herman Viaene 2021-08-02 15:07:03 CEST

MGA8-64 Plasma on Lenovo B50
No istallation issues.
$ fetchmailconf 
Gives fetchmaillauncher.
Lets me define my hotmail account and then in fetchmail run window:
7 messages for herman.viaene@hotmail.be op pop3.live.com (677810 bytes).
read message herman.viaene@hotmail.be@AMS-efz.ms-acdc.office.com:1 van 7 (91938 bytes) removed
....other 6 times
Done.
Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 5 Thomas Andrews 2021-08-06 03:09:42 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-08-06 11:02:53 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-08-06 11:35:14 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0391.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.