Just a word of warning, this isn't your pick three git commits with trivial fixes - the backport will require proper testing, too, and it will require some of the 42 patches since fetchmail 6.4.21 that are NOT marked SECURITY - for instance, 74771392 and 616e8c70, and translation updates as they are now trickling in, and documentation updates that suggest limiting TLS to TLS1.2+, so anything that looks like an SSL or TLS documentation update.
Feel free to ask simple "do I need commit c0decafe to fix this CVE" questions on the fetchmail-devel@ list for the benefit of other distributors backporting. Note that there was a lot of drive-by bugfixing that also warrants updating independent of the CVE.