| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| ... | | | | |
| Make sure we pick the right RPM to generate from. | Eric S. Raymond | 2002-09-22 | 1 | -1/+1 |
| rpm2lsm in the right place. | Eric S. Raymond | 2002-09-22 | 1 | -30/+29 |
| Ready to ship the security-fixed version. | Eric S. Raymond | 2002-09-22 | 3 | -4/+10 |
| Stefan Esser's security patch. | Eric S. Raymond | 2002-09-22 | 1 | -12/+37 |
| Bounds-checking fix to prevent remote exploit. | Eric S. Raymond | 2002-09-22 | 1 | -0/+2 |
| Typo fix. | Eric S. Raymond | 2002-09-22 | 1 | -1/+1 |
| Ready to ship gold. | Eric S. Raymond | 2002-09-17 | 1 | -0/+3 |
| @ fix. | Eric S. Raymond | 2002-09-17 | 1 | -1/+1 |
| Don't double @. | Eric S. Raymond | 2002-09-17 | 1 | -1/+4 |
| Doesn't work with 2.3. | Eric S. Raymond | 2002-09-17 | 1 | -1/+1 |
| Fix a minor bug reported by Matthias Andree. | Eric S. Raymond | 2002-09-17 | 2 | -33/+5 |
| Update for 6.0.0. | Eric S. Raymond | 2002-09-17 | 1 | -19/+13 |
| Ready to ship. | Eric S. Raymond | 2002-09-17 | 2 | -4/+5 |
| Collective work copyright asserted. | Eric S. Raymond | 2002-09-15 | 1 | -4/+3 |
| Closed a Debian bug. | Eric S. Raymond | 2002-09-13 | 1 | -0/+1 |
| Matt Kraai's fix for POP3 STARTTLS. | Eric S. Raymond | 2002-09-13 | 1 | -18/+12 |
| Typo fix. | Eric S. Raymond | 2002-09-13 | 1 | -1/+1 |
| Default to empty antispam list. | Eric S. Raymond | 2002-09-13 | 1 | -35/+35 |
| Space optimization. | Eric S. Raymond | 2002-09-13 | 1 | -0/+1 |
| Better error return reporting from the MDA. | Eric S. Raymond | 2002-09-13 | 1 | -2/+19 |
| Sunil Shetye's latest cleanup patch. | Eric S. Raymond | 2002-09-13 | 3 | -62/+50 |
| GMX correction. | Eric S. Raymond | 2002-09-10 | 1 | -44/+22 |
| Bump version to 6.0.0. | Eric S. Raymond | 2002-09-09 | 3 | -3/+5 |
| Note STARTTLS. | Eric S. Raymond | 2002-09-09 | 1 | -2/+4 |
| Default antispam code list to empty. | Eric S. Raymond | 2002-09-09 | 3 | -11/+6 |
| Sunil Shetye's latest fix patch. | Eric S. Raymond | 2002-09-09 | 6 | -28/+54 |
| STARTTLS support. | Eric S. Raymond | 2002-09-09 | 2 | -0/+23 |
| Bring us up to date with gnuplot 1.37. | Eric S. Raymond | 2002-09-09 | 2 | -8/+15 |
| Ready to ship? | Eric S. Raymond | 2002-09-06 | 1 | -6/+2 |
| Ready to ship a pre-release. | Eric S. Raymond | 2002-09-06 | 1 | -2/+6 |
| Version bump. | Eric S. Raymond | 2002-09-06 | 1 | -1/+1 |
| Detect and warn about geonet.de. | Eric S. Raymond | 2002-09-06 | 1 | -0/+6 |
| New mailman format. | Eric S. Raymond | 2002-09-04 | 1 | -1/+1 |
| Sunil Shetye's double-bounce patch. | Eric S. Raymond | 2002-09-04 | 2 | -33/+81 |
| Describe 550 better. | Eric S. Raymond | 2002-09-04 | 2 | -9/+8 |
| Sunil Shetye's re-exec patch. | Eric S. Raymond | 2002-09-04 | 4 | -28/+70 |
| Sunil Shetye's re-exec patch. | Eric S. Raymond | 2002-09-04 | 1 | -0/+2 |
| SSL port fix. | Eric S. Raymond | 2002-09-04 | 2 | -1/+2 |
| URL fix. | Eric S. Raymond | 2002-09-04 | 1 | -4/+4 |
| Cygwin port fix. | Eric S. Raymond | 2002-09-04 | 5 | -7/+19 |
| vbmailshirld info. | Eric S. Raymond | 2002-09-04 | 1 | -246/+222 |
| Berkeley ports fix for Kerberos IV. | Eric S. Raymond | 2002-09-04 | 1 | -1/+1 |
| Typo fix. | Eric S. Raymond | 2002-08-26 | 1 | -1/+1 |
| Refactor so we can use idle.c in the cookbook. | Eric S. Raymond | 2002-08-26 | 2 | -36/+55 |
| Generate the LSM. | Eric S. Raymond | 2002-08-26 | 1 | -1/+4 |
| Edited RFC822 for cookbook. | Eric S. Raymond | 2002-08-26 | 2 | -14/+28 |
| Remove unused header. | Eric S. Raymond | 2002-08-26 | 1 | -1/+0 |
| Remove fetchmail dependencies. | Eric S. Raymond | 2002-08-26 | 1 | -21/+23 |
| Correct site. | Eric S. Raymond | 2002-07-30 | 1 | -1/+1 |
| XML headers everywhere. | Eric S. Raymond | 2002-07-30 | 8 | -11/+18 |
ally you can only recover three of them, due to the way MD5 collisions are computed).

This attack is really a practical one: it needs about an hour of computation and a few hundred authentications from the client, and can recover three password characters. I tested it against fetchmail, and it does work.

However, using the current techniques available to attack MD5, the msg-ids sent by the server can easily be distinguished from genuine ones as they will not respect the RFC specification. In particular, they will contain non-ASCII characters. Therefore, as a security countermeasure, I think fetchmail should reject msg-ids that do not conform to the RFC.

The details of the attack and the new results against MD5 needed to build it will be presented in the Fast Software Encryption conference on March 28. I can send you some more details if needed.

Meanwhile, feel free to alert anyone that you believe is concerned. I am already sending this mail to the maintainers of Thunderbird, Evolution, fetchmail, and mutt. KMail already seems to do enough checks on the msg-id to avoid the attack.

Please CC me in any reply.

--
Gaëtan LEURENT
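The countermeasure proposed in the message above, sketched as an added example (not part of the original message and not fetchmail's actual code): a conservative check that an APOP challenge has the RFC 822 msg-id shape `<local-part@domain>` and contains only printable ASCII. The function name `apop_msgid_ok` and the choice to also reject quoted strings and domain literals, which is stricter than the full grammar, are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not fetchmail's code. Returns 1 if the APOP challenge
 * taken from the server greeting looks like "<local-part@domain>" built
 * from printable US-ASCII only, 0 otherwise. A client would refuse to
 * compute the APOP digest when this returns 0.
 * Assumption: quoted strings and domain literals are rejected as well. */
int apop_msgid_ok(const char *s)
{
    size_t len, i, at = 0;
    int at_count = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    /* Shortest possible form is "<a@b>". */
    if (len < 5 || s[0] != '<' || s[len - 1] != '>')
        return 0;

    for (i = 1; i + 1 < len; i++) {
        unsigned char c = (unsigned char)s[i];

        /* Printable, non-space US-ASCII only: rejects control characters
         * and every byte >= 0x80, i.e. the non-ASCII characters the
         * message says forged msg-ids will contain. */
        if (c <= 0x20 || c >= 0x7f)
            return 0;
        /* RFC 822 specials that cannot appear unquoted in an addr-spec. */
        if (strchr("<>()[]\\,;:\"", c) != NULL)
            return 0;
        if (c == '@') {
            at = i;
            at_count++;
        }
    }
    /* Exactly one '@', with a non-empty part on each side of it. */
    if (at_count != 1 || at == 1 || at == len - 2)
        return 0;
    return 1;
}
```

The check must run before the challenge is hashed together with the password, since the point is to avoid answering a malformed challenge at all.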