author Matthias Andree <matthias.andree@gmx.de> 2006-11-12 22:13:38 +0000
committer Matthias Andree <matthias.andree@gmx.de> 2006-11-12 22:13:38 +0000
commit 3b4f5154753b18d70188dd373e8ca7818826ceee (patch)
tree cd22452c8a222d0a22d1847e8b3d1aaaa6790561 /NEWS
parent 6027c36811efb25cb1ed70ba87dadec59d082cda (diff)
Fix TLS issue: fail if sslfingerprint, sslproto tls1 or sslcertck are configured and STARTTLS fails. Only by omitting all of these options, fetchmail will try opportunistic TLS.
svn path=/branches/BRANCH_6-3/; revision=4929
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 26
1 files changed, 17 insertions, 9 deletions
diff --git a/NEWS b/NEWS
index 489ff523..7981a6e0 100644
--- a/NEWS
+++ b/NEWS
@@ -41,6 +41,23 @@ change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
fetchmail 6.3.6 (not yet released):
+# SECURITY FIX (INCOMPATIBLE):
+* Using at least one of the options "sslproto 'tls1'", "sslfingerprint" or
+ "sslcertck" enforces STARTTLS for POP3 and IMAP and terminates the connection
+ if unsuccessful. The same configuration causes permanent connection failure
+ with POP2 unless --ssl is used.
+
+ fetchmail 6.3.5 and older had no way to enforce TLS. With those older
+ versions, TLS was always opportunistic, but fetchmail would happily transmit
+ the password in cleartext if STARTTLS failed. --ssl configurations however
+ have been safe.
+
+ Reported by and fixed in cooperation with Isaac Wilcox.
+
+# BUG FIXES:
+* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
+ reported by Brian Harring.
+
# KNOWN BUGS AND WORKAROUNDS:
(this section floats upwards through the NEWS to be on top of the list)
* fetchmail does not handle messages without Message-ID header well
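Review bot: the new SECURITY FIX entry never states what happens when none of the three options is set, which is the case the commit message covers with "Only by omitting all of these options, fetchmail will try opportunistic TLS". The second paragraph describes the cleartext password fallback only for "fetchmail 6.3.5 and older", so a reader with none of "sslproto 'tls1'", "sslfingerprint" or "sslcertck" configured could assume that 6.3.6 now enforces TLS for them as well. Suggest adding one sentence to the first paragraph saying that configurations without any of these options remain opportunistic, and that setting one of them (or using --ssl) is what turns enforcement on.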
@@ -57,15 +74,6 @@ fetchmail 6.3.6 (not yet released):
* some of the logging output is not very helpful
* some of the documentation is still not up to date
-# IMPORTANT CHANGE:
-* sslproto 'tls1' enforces STARTTLS for POP3/IMAP and terminates the connection
- if unsuccessful. The same configuration causes connection failure with POP2.
- Reported by Isaac Wilcox.
-
-# BUG FIXES:
-* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
- reported by Brian Harring.
-
fetchmail 6.3.5 (released 2006-10-09):
# BUG FIXES:
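Review bot: dropping the "# IMPORTANT CHANGE:" and "# BUG FIXES:" blocks from below the known-bugs list, with their replacements added above it in the first hunk, leaves "# KNOWN BUGS AND WORKAROUNDS:" no longer first under "fetchmail 6.3.6", while its own header still reads "(this section floats upwards through the NEWS to be on top of the list)". If putting the security fix first is intended, suggest adjusting that parenthetical in the same commit; otherwise keep the new entries below the known-bugs section. The "Repair --logfile" entry is moved unchanged, so that part of the reorder could also go in a separate commit to keep this one limited to the TLS text.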