From 321d61b215169346708da3ad2b74711996771635 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sun, 18 Mar 2007 01:24:22 +0000 Subject: Strengthen APOP a bit (validate RFC-822 syntax) in order to fend off Leurent-style MITM attacks which are based on MD5 and APOP weaknesses. svn path=/branches/BRANCH_6-3/; revision=5057 --- NEWS | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index de7064b7..4cc6f944 100644 --- a/NEWS +++ b/NEWS @@ -44,6 +44,17 @@ be removed from a 6.4.0 or newer release.) fetchmail 6.3.8 (not yet released): +# SECURITY STRENGTHENING: +* Make the APOP challenge parser more distrustful and have it reject challenges + that do not conform to RFC-822 msg-id format, in the hope to make mounting + man-in-the-middle attacks (MITM) against APOP a bit more difficult. + + APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical + setups: based on MD5 collisions, it is purportedly possible to recover the + first three characters of the shared secret (password), which would then make + recovery of the shared secret a matter of hours or minutes; this would then + enable the attacker to impersonate the client vis-à-vis the server. + # BUG FIXES: * Fix pluralization of oversized-message warning mails. * Fix manual page: --sslcheck -> --sslcertck, and do not set trailing -- cgit v1.2.3
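Review bot: The NEWS entry in this hunk does not say what a user will observe when the new, stricter APOP challenge parser rejects a server's timestamp: whether fetchmail aborts the session, logs a warning, or falls back to another authentication method. Servers that emit a non-RFC-822-conformant challenge (for example one without the "<...@...>" msg-id brackets) will start failing after 6.3.8, so the entry should state the resulting behaviour and how to work around it (e.g. selecting a different method via the auth option). It would also help to name the reference for the Leurent attack so the "purportedly" claim is checkable, and to make explicit that this is a hardening measure only: the underlying MD5/APOP weakness described in the entry is not removed by syntax checking, which the entry's own wording ("in the hope to make ... a bit more difficult") already implies. Note too that this patch touches only NEWS (as the "limited to 'NEWS'" line shows), so the parser change itself cannot be reviewed here; the NEWS text should not claim more than the accompanying code change delivers.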