diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2021-08-26 23:53:14 +0200 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2021-08-26 23:53:14 +0200 |
| commit | c78cc2fc202f6bb6b44412f9c35bf176261c25f1 (patch) | |
| tree | 6d759d39fd196049d02c9bac664067e132613bee /NEWS | |
| parent | 39818023a0f58dd61b8a4ddc3857d144ef572d49 (diff) | |
| download | fetchmail-c78cc2fc202f6bb6b44412f9c35bf176261c25f1.tar.gz fetchmail-c78cc2fc202f6bb6b44412f9c35bf176261c25f1.tar.bz2 fetchmail-c78cc2fc202f6bb6b44412f9c35bf176261c25f1.zip | |
SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -84,7 +84,7 @@ removed from a 6.5.0 or newer release.) -------------------------------------------------------------------------------- fetchmail-6.4.22 (not yet released): -# SECURITY FIX: +# SECURITY FIXES: * On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. @@ -98,6 +98,8 @@ fetchmail-6.4.22 (not yet released): Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. * On IMAP connections, --auth ssh no longer prevents STARTTLS negotiation. +* On IMAP connections, do not permit to override a server-side LOGINDISABLED + with --auth password any more. # BUG FIXES: * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the |