Advisories » MGASA-2025-0238

Updated fetchmail package fixes security vulnerability

Publication date: 14 Oct 2025
Modification date: 14 Oct 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-61962

Description

It was discovered that fetchmail's SMTP client, when configured to
authenticate, is susceptible to a protocol violation where, when a
trusted but malicious or malfunctioning SMTP server responds to an
authentication request with a "334" code but without a following blank
on the line, it will attempt to start reading from memory address 0x1 to
parse the server's SASL challenge. This event will usually cause a crash
of fetchmail (CVE-2025-61962).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=34644
• https://www.openwall.com/lists/oss-security/2025/10/03/2
• https://www.openwall.com/lists/oss-security/2025/10/04/3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61962

SRPMS

9/core

• fetchmail-6.5.6-1.mga9