author Matthias Andree <matthias.andree@gmx.de> 2011-04-11 14:08:32 +0200
committer Matthias Andree <matthias.andree@gmx.de> 2011-04-11 14:08:32 +0200
commit c22a3afca46c83ee6d53a6ee58deb122f309c460 (patch)
tree 7b91c2e12dcc8ca2253fc239761207e9ee6fabb0 /NEWS
parent 4ab1f5f5f64505f46789c61a6e5a206f3c2ee83e (diff)
Remove support for SSLv2 (fixes Debian Bug #622054).
SSLv2 has been deprecated since 1996, and is insecure. Remove --sslproto SSL2 support. Set SSL_OP_NO_SSLvSSL_CTX 2 option so that the SSLv23 multi-version client no longer negotiates SSLv2. Note that some distributions (such as Debian) build OpenSSL 1.0.0 without SSLv2 support, so on those, the build would fail. Fixes Debian Bug #622054 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622054
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 4
1 files changed, 4 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 922bf0f9..221bfcfb 100644
--- a/NEWS
+++ b/NEWS
@@ -57,6 +57,10 @@ removed from a 6.4.0 or newer release.)
fetchmail-6.3.20 (not yet released):
# CHANGES
+* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to
+ --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail
+ will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2.
+ To fix Debian Bug#622054.
* fetchmail now always uses its own MD5 implementation. The library and header
variants are too diverse, and we've been bitten before -- and configure
complains noisily on Cyrus-SASL's RFC1321 md5.h.
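Review bot: The added NEWS entry says the SSL2 option to --sslproto is no longer supported but not what an existing configuration that still specifies it will see after upgrading; add a sentence stating whether fetchmail now rejects the value with an error or handles it some other way, so users know what to change in their run control files. The commit message also notes that some distributions build OpenSSL 1.0.0 without SSLv2 and that the build would fail there; that is the user-visible reason behind the Debian bug and is worth one clause in the entry. Two wording points in the same lines: "had been deprecated 15 years ago" reads better as "was deprecated 15 years ago", and "To fix Debian Bug#622054." is a fragment, where "Fixes Debian Bug #622054." would match the commit message.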