Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -44,6 +44,17 @@ be removed from a 6.4.0 or newer release.) fetchmail 6.3.8 (not yet released): +# SECURITY STRENGTHENING: +* Make the APOP challenge parser more distrustful and have it reject challenges + that do not conform to RFC-822 msg-id format, in the hope to make mounting + man-in-the-middle attacks (MITM) against APOP a bit more difficult. + + APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical + setups: based on MD5 collisions, it is purportedly possible to recover the + first three characters of the shared secret (password), which would then make + recovery of the shared secret a matter of hours or minutes; this would then + enable the attacker to impersonate the client vis-à-vis the server. + # BUG FIXES: * Fix pluralization of oversized-message warning mails. * Fix manual page: --sslcheck -> --sslcertck, and do not set trailing |
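Review bot: the SECURITY STRENGTHENING entry never says what fetchmail does when an APOP challenge fails the RFC-822 msg-id check (abort the session, fall back to another authentication method, or log and continue), so a user whose server sends a non-conforming challenge cannot tell from NEWS how the failure will surface; add one sentence on the user-visible behaviour and the log message to look for. Since the entry itself describes the change as only making MITM "a bit more difficult", it should also state plainly that this is hardening rather than a fix for the MD5-collision weakness it describes, and give a citation or URL for the Leurent result so readers can assess it. Minor wording: "in the hope to make" reads better as "in the hope of making".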