From 8517491d8558e202a33294ac61f2268ef802f03f Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 26 Aug 2021 23:53:14 +0200 Subject: SECURITY: POP3: changes for --auth ssh and RPA These no longer defeat STARTTLS negotiation, and RPA is only attempted with --auth any. --- NEWS | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 3f17f216..cf955bbe 100644 --- a/NEWS +++ b/NEWS @@ -101,9 +101,13 @@ fetchmail-6.4.22 (not yet released): TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail. -* On IMAP connections, --auth ssh no longer prevents STARTTLS negotiation. +* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS + negotiation. * On IMAP connections, do not permit to override a server-side LOGINDISABLED with --auth password any more. +* On POP3 connections, the possibility for RPA authentication (by probing with + an AUTH command without arguments) no longer prevents STARTTLS negotiation. +* For POP3 connections, RPA is only attempted if the authentication type is any. # BUG FIXES: * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the -- cgit v1.2.3
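Review bot: The last added entry, "For POP3 connections, RPA is only attempted if the authentication type is any.", names the setting in prose, while the neighbouring entries and the commit message spell it as the option (--auth ssh, --auth password, --auth any). Write it as "--auth any" so that someone searching NEWS for the option finds it, and open it with "On POP3 connections" like the entries before it. Because the entry narrows when RPA is tried, it should also say what a user who depends on RPA with a different --auth setting needs to change. This view is limited to NEWS, so the code change behind these entries is not covered by this comment.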