From c78cc2fc202f6bb6b44412f9c35bf176261c25f1 Mon Sep 17 00:00:00 2001
From: Matthias Andree <matthias.andree@gmx.de>
Date: Thu, 26 Aug 2021 23:53:14 +0200
Subject: SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.

---
 NEWS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index feb7a478..3eaede5c 100644
--- a/NEWS
+++ b/NEWS
@@ -84,7 +84,7 @@ removed from a 6.5.0 or newer release.)
 --------------------------------------------------------------------------------
 fetchmail-6.4.22 (not yet released):
 
-# SECURITY FIX:
+# SECURITY FIXES:
 * On IMAP connections, without --ssl and with nonempty --sslproto, meaning that 
   fetchmail is to enforce TLS, and when the server or an attacker sends 
   a PREAUTH greeting, fetchmail used to continue an unencrypted connection.
@@ -98,6 +98,8 @@ fetchmail-6.4.22 (not yet released):
   Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian 
   Schinzel.  The paper did not mention fetchmail.
 * On IMAP connections, --auth ssh no longer prevents STARTTLS negotiation.
+* On IMAP connections, do not permit to override a server-side LOGINDISABLED 
+  with --auth password any more.
 
 # BUG FIXES:
 * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the 
-- 
cgit v1.2.3