Several vulnerabilities have been discovered in getmail4, a mail retriever with support for POP3, IMAP4 and SDPS, that could allow man-in-the-middle attacks. CVE-2014-7273 The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate. CVE-2014-7274 The IMAP-over-SSL implementation in getmail 4.44.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate from a recognized Certification Authority. CVE-2014-7275 The POP3-over-SSL implementation in getmail 4.0.0 through 4.44.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof POP3 servers and obtain sensitive information via a crafted certificate.

For the stable distribution (wheezy), these problems have been fixed in version 4.46.0-1~deb7u1. For the upcoming stable distribution (jessie), these problems have been fixed in version 4.46.0-1. For the unstable distribution (sid), these problems have been fixed in version 4.46.0-1. We recommend that you upgrade your getmail4 packages.

getmail is intended as a simple replacement for fetchmail. It retrieves mail (either all messages, or only unread messages) from one or more POP3/IMAP4/SDPS servers for one or more email accounts, and reliably delivers into a qmail-style Maildir, mbox file or to a command (pipe delivery) like maildrop or procmail, specified on a per-account basis. getmail also has support for domain (multidrop) mailboxes.

getmail4 on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2014/dsa-3091.html

---

Updated on 2015-03-25