| | | |
|---|---|---|
| author | Matthias Andree <matthias.andree@gmx.de> | 2021-09-13 22:46:03 +0200 |
| committer | Matthias Andree <matthias.andree@gmx.de> | 2021-09-13 23:00:47 +0200 |
| commit | 84f2d310e2a3e62c9bb68010a251e1d89a26bc48 (patch) | |
| tree | 5b50d023c567986a6ce7b6e3c5ee948e33b24c1d /NEWS | |
| parent | 8eed56c21ca5bbdf3c00aaf74d807bcad8713ba9 (diff) | |
| download | fetchmail-84f2d310e2a3e62c9bb68010a251e1d89a26bc48.tar.gz fetchmail-84f2d310e2a3e62c9bb68010a251e1d89a26bc48.tar.bz2 fetchmail-84f2d310e2a3e62c9bb68010a251e1d89a26bc48.zip | |
Get ready for 6.4.22.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 15 |
1 files changed, 8 insertions, 7 deletions
@@ -90,7 +90,7 @@ removed from a 6.5.0 or newer release.) have required another loop through the translators. -------------------------------------------------------------------------------- -fetchmail-6.4.22 (not yet released): +fetchmail-6.4.22 (released 2021-09-13, 30201 LoC): # OPENSSL AND LICENSING NOTE: * fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. @@ -99,16 +99,17 @@ fetchmail-6.4.22 (not yet released): by the FSF. For implications and details, see the file COPYING. # SECURITY FIXES: -* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that - fetchmail is to enforce TLS, and when the server or an attacker sends - a PREAUTH greeting, fetchmail used to continue an unencrypted connection. - Now, log the error and abort the connection. - Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on +* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and + with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when + the server or an attacker sends a PREAUTH greeting, fetchmail used to continue + an unencrypted connection. Now, log the error and abort the connection. + --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. - Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why + --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. + * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation. * On IMAP connections, fetchmail does not permit overriding a server-side |
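Review bot: in the first hunk, the release header now states a date and a line count ("released 2021-09-13, 30201 LoC") that nothing else in this change backs up; the date matches this commit's author date, but if the 6.4.22 tag is cut on a later day the NEWS entry will disagree with the tag, and the LoC figure has no stated method of measurement. Consider confirming the tag date before committing it to NEWS, or wording the header as "released 2021-09-13" only and leaving the line count to the release announcement.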
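Review bot: in the second hunk, the re-wrapped CVE-2021-39272 entry introduces "--Recommendation for servers ..." and "--Reported by: ..." continuation lines that begin with a double dash, which in an entry that also cites the real options --ssl and --sslproto reads like a command-line flag rather than a sub-item; if the double dash is meant as the NEWS sub-item marker it should be used consistently for the other entries, otherwise indent these as plain continuation text. The newly added empty line before "* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS" also sets that item apart from the rest of the SECURITY FIXES list while the following entries stay unseparated; drop it or separate every item the same way. The substance of the entry is good: it records the advisory id fetchmail-SA-2021-02 and the CVE, states the affected configuration (no --ssl, nonempty --sslproto) and the new behaviour (log the error and abort the connection on a PREAUTH greeting), and keeps the mitigation advice of using implicit TLS on port 993 via --ssl or the ssl rcfile option.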