path: root/fetchmail-SA-2006-02.txt
Diffstat (limited to 'fetchmail-SA-2006-02.txt')
-rw-r--r-- fetchmail-SA-2006-02.txt | 14
1 files changed, 11 insertions, 3 deletions
diff --git a/fetchmail-SA-2006-02.txt b/fetchmail-SA-2006-02.txt
index dd24e497..5c97fa14 100644
--- a/fetchmail-SA-2006-02.txt
+++ b/fetchmail-SA-2006-02.txt
@@ -3,7 +3,7 @@ fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure
Topics: fetchmail cannot enforce TLS
Author: Matthias Andree
-Version: 1.0
+Version: 1.1
Announced: 2007-01-04
Type: secret information disclosure
Impact: fetchmail can expose cleartext password over unsecure link
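Review bot: Bumping "Version:" to 1.1 without any date next to it leaves the header unable to tell a reader which revision they hold; "Announced: 2007-01-04" stays the original announcement date while the revision history below dates this revision 2007-02-18. Consider adding a "Revised: 2007-02-18" line beside "Version: 1.1" so the header alone identifies the current revision.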
@@ -19,6 +19,7 @@ Affects: fetchmail releases <= 6.3.5
Not affected: fetchmail release candidates 6.3.6-rc4, -rc5
fetchmail release 6.3.6
+ fetchmail release 6.3.7
Corrected: 2006-11-26 fetchmail 6.3.6-rc4
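Review bot: Adding 6.3.7 to "Not affected:" is correct, but "Corrected: 2006-11-26 fetchmail 6.3.6-rc4" is unchanged while the Solution section of this same patch makes 6.3.7 the recommended release. Consider adding a second "Corrected:" entry with the 6.3.7 release date so that the header and the Solution section agree on which release readers should install.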
@@ -29,7 +30,8 @@ Corrected: 2006-11-26 fetchmail 6.3.6-rc4
2006-11-16 v0.01 internal review draft
2006-11-26 v0.02 revise failure cases, workaround, add acknowledgments
2006-11-27 v0.03 add more vulnerabilities
-2006-01-04 v1.0 ready for release
+2007-01-04 v1.0 ready for release
+2007-02-18 v1.1 mention 6.3.7 that fixes two regressions
1. Background
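Review bot: The new v1.1 changelog entry records only the 6.3.7 mention, but this hunk also corrects the v1.0 entry's date from 2006-01-04 to 2007-01-04; a reader comparing revisions will see the v1.0 line change with no entry explaining it. Suggest extending the entry, e.g. "2007-02-18 v1.1 mention 6.3.7 that fixes two regressions; fix v1.0 date typo".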
@@ -87,7 +89,13 @@ or equivalent in the run control file. This encrypts the whole session.
4. Solution
===========
-Download and install fetchmail 6.3.6 or a newer stable release from
+ The earlier recommendation to install 6.3.6 is hereby updated, since
+ version 6.3.6 introduced two new regressions fixed in 6.3.7: one broke
+ KPOP altogether and one broke the automatic POP3 retries without TLS
+ if a server advertised TLS but then closed the connection and TLS
+ wasn't enforced.
+
+Download and install fetchmail 6.3.7 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
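Review bot: The added paragraph (lines beginning "+ The earlier recommendation ...") is indented by one space while the following "+Download and install fetchmail 6.3.7 ..." line and the rest of the section are flush left; align it with the surrounding text. On substance, the paragraph should state explicitly that 6.3.6 still closes the TLS-enforcement vulnerability and that 6.3.7 is recommended only because of the two regressions, otherwise readers may conclude that 6.3.6, still listed under "Not affected:", is vulnerable. "is hereby updated" can also be shortened to "is updated".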