Gentoo Linux Security Advisory 201006-12 - Multiple vulnerabilities have been reported in Fetchmail, allowing remote attackers to execute arbitrary code or to conduct Man-in-the-Middle attacks. Versions less than 6.3.14 are affected.
673e4aabeca54c4f6f8eb89a2119f7e035d028ee5801f0d90caec3696f7ba79a
Mandriva Linux Security Advisory 2009-201 - socket.c in fetchmail before 6.3.11 does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) and subjectAlt(ernative)Name fields of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This update provides a solution to this vulnerability. Packages for 2008.0 are being provided due to extended support for Corporate products.
4aba094aed5936c7ea5deea95cdcd8b2b4f9927a8b2c97e80c7ef02c3672c820
Ubuntu Security Notice USN-816-1 - Moxie Marlinspike discovered that fetchmail did not properly handle certificates with NULL characters in the certificate name. A remote attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications.
f84db5283372ab8ae42ba4dff0f41857f47a11217c3e188b9ac25bc8e7124c00
Mandriva Linux Security Advisory 2009-201 - socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This update provides a solution to this vulnerability.
62d87310d1b7c54e45458614ca4c8fb88bc2d0ec7cd3071189a4242f8e2c8506
Debian Security Advisory 1852-1 - It was discovered that fetchmail, a full-featured remote mail retrieval and forwarding utility, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" recently published at the Blackhat conference. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with an injected null byte in the subjectAltName or Common Name fields.
b2c279e9428381b4b79febdf015211782d03ec298a3ff8b389cda567f086028b
Fetchmail versions 6.3.10 and below suffer from an improper SSL certificate subject verification vulnerability.
ce7096d8ac83ac8f9f069b1910a6aa91898577d3165d040410eeb7f62efaf3fc