Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -82,6 +82,23 @@ removed from a 6.5.0 or newer release.) server to test against. Use GSSAPI. -------------------------------------------------------------------------------- +fetchmail-6.4.22 (not yet released): + +# SECURITY FIX: +* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that + fetchmail is to enforce TLS, and when the server or an attacker sends + a PREAUTH greeting, fetchmail used to continue an unencrypted connection. + Now, log the error and abort the connection. + + Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on + a dedicated port (default 993): use --ssl. + + Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why + TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email + Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian + Schinzel. The paper did not mention fetchmail. + +-------------------------------------------------------------------------------- fetchmail-6.4.21 (released 2021-08-09, 30042 LoC): # REGRESSION FIX: |
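Review bot: the new NEWS entry scopes the fix to "without --ssl and with nonempty --sslproto", but says nothing about the remaining case (empty --sslproto, i.e. TLS not enforced) when a PREAUTH greeting arrives; readers will want one sentence stating whether such configurations still continue in plaintext, so they can decide whether to set --sslproto or switch to --ssl. The entry also gives no affected-version range beyond "fetchmail used to", so downstream packagers cannot tell which releases need the patch; naming the first affected release would fix that. Finally, the paragraph layout is inconsistent with the neighbouring entries, which indent continuation lines under "*" rather than under the recommendation and "Reported by:" paragraphs that here sit at a different indent.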