Diffstat (limited to 'fetchmail-SA-2007-01.txt')
-rw-r--r-- | fetchmail-SA-2007-01.txt | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt index 19bb91c9..5b574d07 100644 --- a/fetchmail-SA-2007-01.txt +++ b/fetchmail-SA-2007-01.txt @@ -3,7 +3,7 @@ fetchmail-SA-2007-01: APOP considered insecure Topics: APOP authentication insecure, fetchmail implementation lax Author: Matthias Andree -Version: 1.0 +Version: 1.1 Announced: 2007-04-06 Type: password theft when under MITM attack Impact: password disclosure possible @@ -24,6 +24,7 @@ Corrected: 2007-03-18 fetchmail SVN ================== 2007-04-06 1.0 first release +2008-04-24 1.1 add --ssl to section 3. suggestion A below 1. Background @@ -64,7 +65,7 @@ Either of these is currently considered sufficient. A. Only use APOP on SSL or TLS secured connections with mandatory and thorough certificate validation, such as fetchmail --sslproto tls1 --sslcertck - or --sslproto ssl3 --sslcertck), or equivalent in the run control file. + or --ssl --sslproto ssl3 --sslcertck), or equivalent in the run control file. B. Avoid APOP and use stronger authenticators. @@ -78,7 +79,7 @@ C. If you must continue to use APOP without SSL/TLS, then install A. Copyright, License and Warranty ================================== -(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>. +(C) Copyright 2007, 2008 by Matthias Andree, <matthias.andree@gmx.de>. Some rights reserved. This work is licensed under the Creative Commons |
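Review bot: In the section 3 suggestion A hunk, the two alternatives are now asymmetric and the text does not say why: the ssl3 form carries --ssl, while the preceding "fetchmail --sslproto tls1 --sslcertck" does not. Add a short clause explaining why only the ssl3 form needs --ssl, because a reader copying the tls1 line is relying on it to give an encrypted, certificate-checked session before the APOP exchange. The changed line also keeps a closing ")" after --sslcertck with no opening parenthesis in the visible context; open it before "such as" or drop it.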
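Review bot: The new 1.1 history entry ("add --ssl to section 3. suggestion A below") records what changed but not whether the 1.0 wording of the ssl3 example left readers without the protection suggestion A is meant to give. Say so in the entry, so that anyone who configured fetchmail from revision 1.0 knows whether to re-check their options.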