VulnerableCode Package Details - pkg:deb/debian/fetchmail@6.3.9~rc2-4%2Blenny2

Search for packages

Vulnerability	Summary	Fixed by
VCID-7zga-35jt-h3d9 Aliases: CVE-2009-2666		6.3.18-2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-a1n2-j65b-uubu Aliases: CVE-2010-1167	fetchmail: denial of service in debug mode with multichar locales	6.3.18-2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-d2yz-37rb-jkct Aliases: CVE-2012-3482	fetchmail: DoS (crash) in the base64 decoder upon server NTLM protocol exchange abort right after the initial request	6.3.26-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-djfg-pkur-xbf7 Aliases: CVE-2021-36386	report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.	6.4.16-4+deb11u1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fa4k-7efq-7bh4 Aliases: CVE-2010-0562	fetchmail: (verbose mode) Heap overflow by formating byte string into its printable representation	6.3.18-2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-y9he-nhhy-jbhs Aliases: CVE-2011-1947	fetchmail: Application hang due unguarded blocking I/O in IMAP/POP3 STARTTLS initialization (fetchmail-SA-2011-01)	6.3.26-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7zga-35jt-h3d9
Aliases:
CVE-2009-2666

6.3.18-2
Affected by 3 other vulnerabilities.

VCID-a1n2-j65b-uubu
Aliases:
CVE-2010-1167

fetchmail: denial of service in debug mode with multichar locales

6.3.18-2
Affected by 3 other vulnerabilities.

VCID-d2yz-37rb-jkct
Aliases:
CVE-2012-3482

fetchmail: DoS (crash) in the base64 decoder upon server NTLM protocol exchange abort right after the initial request

6.3.26-1
Affected by 1 other vulnerability.

VCID-djfg-pkur-xbf7
Aliases:
CVE-2021-36386

report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages. NOTE: it is unclear whether use of Fetchmail on any realistic platform results in an impact beyond an inconvenience to the client user.

6.4.16-4+deb11u1
Affected by 1 other vulnerability.

VCID-fa4k-7efq-7bh4
Aliases:
CVE-2010-0562

fetchmail: (verbose mode) Heap overflow by formating byte string into its printable representation

6.3.18-2
Affected by 3 other vulnerabilities.

VCID-y9he-nhhy-jbhs
Aliases:
CVE-2011-1947

fetchmail: Application hang due unguarded blocking I/O in IMAP/POP3 STARTTLS initialization (fetchmail-SA-2011-01)

6.3.26-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-13kz-a8m4-huht	Gaëtan Leurent informed us of a weakness in APOP authentication that could allow an attacker to recover the first part of your mail password if the attacker could interpose a malicious mail server on your network masquerading as your legitimate mail server. With normal settings it could take several hours for the attacker to gather enough data to recover just a few characters of the password. This result was presented at the Fast Software Encryption 2007 conference.In a rump session at the same conference a team from The University of Electro-Communications claimed that a variant on the same hash-collision attack allowed them to recover a 31 character password.Fixed versions of Thunderbird and SeaMonkey mail prevent this technique by stricter enforcement of the Message-ID format used by APOP.POP mail accounts which do not use any authentication are common and in the same hypothetical situation the password could be recovered immediately without any special programming on the attacker's part.	CVE-2007-1558
VCID-bz7t-m2xq-n7bc	fetchmail: Crash in large log messages in verbose mode	CVE-2008-2711
VCID-pku9-d5f9-aqhe		CVE-2007-4565

Vulnerability

Summary

Aliases

VCID-13kz-a8m4-huht

Gaëtan Leurent informed us of a weakness in APOP authentication that could allow an attacker to recover the first part of your mail password if the attacker could interpose a malicious mail server on your network masquerading as your legitimate mail server. With normal settings it could take several hours for the attacker to gather enough data to recover just a few characters of the password. This result was presented at the Fast Software Encryption 2007 conference.In a rump session at the same conference a team from The University of Electro-Communications claimed that a variant on the same hash-collision attack allowed them to recover a 31 character password.Fixed versions of Thunderbird and SeaMonkey mail prevent this technique by stricter enforcement of the Message-ID format used by APOP.POP mail accounts which do not use any authentication are common and in the same hypothetical situation the password could be recovered immediately without any special programming on the attacker's part.

CVE-2007-1558

VCID-bz7t-m2xq-n7bc

fetchmail: Crash in large log messages in verbose mode

CVE-2008-2711

VCID-pku9-d5f9-aqhe

CVE-2007-4565

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T19:21:48.000503+00:00	Debian Oval Importer	Fixing	VCID-bz7t-m2xq-n7bc	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:03:30.508202+00:00	Debian Oval Importer	Affected by	VCID-a1n2-j65b-uubu	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T17:52:44.670694+00:00	Debian Oval Importer	Fixing	VCID-13kz-a8m4-huht	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T17:18:37.362457+00:00	Debian Oval Importer	Affected by	VCID-fa4k-7efq-7bh4	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T14:17:37.153416+00:00	Debian Oval Importer	Affected by	VCID-djfg-pkur-xbf7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T14:09:59.725835+00:00	Debian Oval Importer	Affected by	VCID-d2yz-37rb-jkct	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:57:20.771462+00:00	Debian Oval Importer	Affected by	VCID-7zga-35jt-h3d9	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:38:16.035621+00:00	Debian Oval Importer	Fixing	VCID-pku9-d5f9-aqhe	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:15:23.647521+00:00	Debian Oval Importer	Affected by	VCID-y9he-nhhy-jbhs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0