author: Matthias Andree <matthias.andree@gmx.de> 2007-04-06 19:46:17 +0000
committer: Matthias Andree <matthias.andree@gmx.de> 2007-04-06 19:46:17 +0000
commit: 34c9bfa23846b5140f9e769b4b45d107117e9a30 (patch)
tree: 59dde024603228bc0b84f4ad3a1b87a113dbda6f
parent: 3bd475d9956feed39ed4452c234a428556c9352a (diff)
download: fetchmail-34c9bfa23846b5140f9e769b4b45d107117e9a30.tar.gz, fetchmail-34c9bfa23846b5140f9e769b4b45d107117e9a30.tar.bz2, fetchmail-34c9bfa23846b5140f9e769b4b45d107117e9a30.zip
Reword.
svn path=/branches/BRANCH_6-3/; revision=5087
-rw-r--r--  fetchmail-SA-2007-01.txt  12
1 files changed, 8 insertions, 4 deletions
diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt
index 7c224f93..19bb91c9 100644
--- a/fetchmail-SA-2007-01.txt
+++ b/fetchmail-SA-2007-01.txt
@@ -1,6 +1,6 @@
fetchmail-SA-2007-01: APOP considered insecure
-Topics: The POP3/APOP authentication, by itself, is considered broken.
+Topics: APOP authentication insecure, fetchmail implementation lax
Author: Matthias Andree
Version: 1.0
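Review bot: the reworded Topics line now names two distinct issues (APOP itself being insecure, and fetchmail's lax validation of the challenge), but the title in the unchanged context line above it still reads only "APOP considered insecure"; either widen the title to cover both points (for example "APOP considered insecure; fetchmail accepts malformed APOP challenges") or keep the title and Topics consistent in scope. Note also that the "Version: 1.0" context line is left untouched by this reword; if the advisory text had already been circulated with the old wording, the version should be bumped so readers can tell the revisions apart.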
@@ -44,9 +44,13 @@ control) files for fetchmail.
The POP3 standard, currently RFC-1939, has specified an optional,
MD5-based authentication scheme called "APOP".
-Fetchmail's POP3 client implementation however has happily accepted
-random garbage as a POP3 server's APOP challenge, rather than insisting
-that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+APOP should no longer be considered secure.
+
+Additionally, fetchmail's POP3 client implementation has been validating
+the APOP challenge too lightly and accepted random garbage as a POP3
+server's APOP challenge, rather than insisting that the APOP challenge
+conformed to RFC-822, as required by RFC-1939.
+
This made it easier than necessary for man-in-the-middle attackers to
retrieve by several probing and guessing the first three characters of
the APOP secret, bringing brute forcing the remaining characters well
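Review bot: the new standalone line "APOP should no longer be considered secure." states the conclusion without any reason or pointer; an advisory reader needs at least one sentence on why the MD5-based scheme mentioned in the preceding context is considered broken, or a citation to the work that motivates the claim, so either expand this paragraph or ensure the advisory's reference section covers it. Separately, since this commit is a reword anyway, the unchanged context "retrieve by several probing and guessing the first three characters of the APOP secret" is awkward; "recover the first three characters of the APOP secret by repeated probing and guessing" would read more clearly and keep the meaning.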