From 32660ebbf0c1a9a89fc20daa0be4860c63ff174e Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 24 Apr 2008 08:45:14 +0000 Subject: Add missing --ssl to 3 A. svn path=/branches/BRANCH_6-3/; revision=5178 --- fetchmail-SA-2007-01.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt index 19bb91c9..5b574d07 100644 --- a/fetchmail-SA-2007-01.txt +++ b/fetchmail-SA-2007-01.txt @@ -3,7 +3,7 @@ fetchmail-SA-2007-01: APOP considered insecure Topics: APOP authentication insecure, fetchmail implementation lax Author: Matthias Andree -Version: 1.0 +Version: 1.1 Announced: 2007-04-06 Type: password theft when under MITM attack Impact: password disclosure possible @@ -24,6 +24,7 @@ Corrected: 2007-03-18 fetchmail SVN ================== 2007-04-06 1.0 first release +2008-04-24 1.1 add --ssl to section 3. suggestion A below 1. Background @@ -64,7 +65,7 @@ Either of these is currently considered sufficient. A. Only use APOP on SSL or TLS secured connections with mandatory and thorough certificate validation, such as fetchmail --sslproto tls1 --sslcertck - or --sslproto ssl3 --sslcertck), or equivalent in the run control file. + or --ssl --sslproto ssl3 --sslcertck), or equivalent in the run control file. B. Avoid APOP and use stronger authenticators. @@ -78,7 +79,7 @@ C. If you must continue to use APOP without SSL/TLS, then install A. Copyright, License and Warranty ================================== -(C) Copyright 2007 by Matthias Andree, . +(C) Copyright 2007, 2008 by Matthias Andree, . Some rights reserved. This work is licensed under the Creative Commons -- cgit v1.2.3
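Review bot: In the section 3 suggestion A hunk (@@ -64,7 +65,7 @@), the two example invocations are now asymmetric and the text does not say why: the ssl3 form gains --ssl, while the tls1 form on the preceding context line still reads "fetchmail --sslproto tls1 --sslcertck" with no --ssl. If the tls1 form is meant to stand without --ssl, a short clause saying so would keep a reader from copying the wrong variant and ending up with APOP on a connection that is not protected the way the advisory intends; if not, it needs the same fix. The second alternative also drops the leading "fetchmail", so spelling out both commands in full would make them safe to paste. Finally, the changed line keeps a closing parenthesis after --sslcertck for which the visible context shows no opening one; either add the opener before "such as" or drop the closer.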