From c22a3afca46c83ee6d53a6ee58deb122f309c460 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 11 Apr 2011 14:08:32 +0200 Subject: Remove support for SSLv2 (fixes Debian Bug #622054). SSLv2 has been deprecated since 1996, and is insecure. Remove --sslproto SSL2 support. Set SSL_OP_NO_SSLvSSL_CTX 2 option so that the SSLv23 multi-version client no longer negotiates SSLv2. Note that some distributions (such as Debian) build OpenSSL 1.0.0 without SSLv2 support, so on those, the build would fail. Fixes Debian Bug #622054 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622054 --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'NEWS') diff --git a/NEWS b/NEWS index 922bf0f9..221bfcfb 100644 --- a/NEWS +++ b/NEWS @@ -57,6 +57,10 @@ removed from a 6.4.0 or newer release.) fetchmail-6.3.20 (not yet released): # CHANGES +* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to + --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail + will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2. + To fix Debian Bug#622054. * fetchmail now always uses its own MD5 implementation. The library and header variants are too diverse, and we've been bitten before -- and configure complains noisily on Cyrus-SASL's RFC1321 md5.h. -- cgit v1.2.3
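Review bot: the NEWS entry does not say what a user with an existing `sslproto ssl2` setting (rcfile or `--sslproto SSL2`) will see after upgrading, which is the behaviour change they hit first; state whether fetchmail now rejects that value with an error or falls back to the SSLv23 client method, on which `SSL_OP_NO_SSLv2` then excludes SSLv2 from negotiation. The commit message's point that some distributions (Debian among them) build OpenSSL 1.0.0 without SSLv2 support, so the old code would not build there, is user-visible too and belongs in the entry. Two wording points in the added lines: "had been deprecated 15 years ago" reads better as "was deprecated 15 years ago", and the trailing fragment "To fix Debian Bug#622054." should be a full sentence, e.g. "Fixes Debian Bug #622054."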