From 84f2d310e2a3e62c9bb68010a251e1d89a26bc48 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 13 Sep 2021 22:46:03 +0200 Subject: Get ready for 6.4.22. --- NEWS | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index aa239b0d..25023da6 100644 --- a/NEWS +++ b/NEWS @@ -90,7 +90,7 @@ removed from a 6.5.0 or newer release.) have required another loop through the translators. -------------------------------------------------------------------------------- -fetchmail-6.4.22 (not yet released): +fetchmail-6.4.22 (released 2021-09-13, 30201 LoC): # OPENSSL AND LICENSING NOTE: * fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
@@ -99,16 +99,17 @@ fetchmail-6.4.22 (not yet released): by the FSF. For implications and details, see the file COPYING. # SECURITY FIXES: -* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that - fetchmail is to enforce TLS, and when the server or an attacker sends - a PREAUTH greeting, fetchmail used to continue an unencrypted connection. - Now, log the error and abort the connection. - Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on +* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and + with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when + the server or an attacker sends a PREAUTH greeting, fetchmail used to continue + an unencrypted connection. Now, log the error and abort the connection. + --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. - Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why + --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. + * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation. * On IMAP connections, fetchmail does not permit overriding a server-side
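Review bot: in the second hunk, the new "+ --Recommendation for servers ..." and "+ --Reported by: ..." lines no longer line up with their unchanged continuation lines ("a dedicated port (default 993): ..." and "TLS is better without STARTTLS ..."), which keep the old two-space indentation from when these were plain sub-paragraphs of the bullet; either drop the "--" prefix or re-indent the continuation lines so the entry reads as one block. The added empty "+" line between the CVE entry and "* On IMAP and POP3 connections, --auth ssh ..." also separates only this one item in the SECURITY FIXES list, so consider applying the same spacing to the other items or removing it. Prefixing the entry with "CVE-2021-39272: fetchmail-SA-2021-02:" is the right call, since downstream packagers and vulnerability scanners match NEWS entries on the CVE and advisory identifiers when checking whether the PREAUTH-downgrade fix is present in a given build.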