* Make the APOP challenge parser more distrustful and have it reject challenges
that do not conform to RFC-822 msg-id format, in the hope to make mounting
man-in-the-middle attacks (MITM) against APOP a bit more difficult.
+ (CVE-2007-1558)
APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
setups: based on MD5 collisions, it is purportedly possible to recover the
recovery of the shared secret a matter of hours or minutes; this would then
enable the attacker to impersonate the client vis-à-vis the server.
+ For further details, check
+ * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application
+ to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in
+ Springer's Lecture Notes on Computer Science.)
+ * The mailing list discussion thread at
+ <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html>
+
# BUG FIXES:
* Fix pluralization of oversized-message warning mails.
* Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
Fixes comment #9 in Gentoo Bug #163782, reported by Takuto Matsuu.
* Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes section.
Reported by Nico Golde.
+* If SOCKS support was compiled in, add 'socks' to the feature_options Python
+ list emitted in --configdump. Reported by Rob MacGregor.
+* Do not crash with a null pointer dereference when opening the BSMTP file
+ fails. Improve error checking and reporting. Reported by Reto Schüttel,
+ Debian Bug#416625. Fix based on a patch by Nico Golde.
+* Make BSMTP output actually work, it would persistently fail with SOCKET error
+ after writing the first header.
# DOCUMENTATION:
* Extend --mda documentation, discourage use of qmail-inject.
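Review bot: the APOP entry's explanatory sentence is garbled ("it is purportedly possible to recover the recovery of the shared secret a matter of hours or minutes"); since this change already edits that entry to add the CVE id and references, reword the context to "it is purportedly possible to make the recovery of the shared secret a matter of hours or minutes" so the NEWS file states the claim clearly. The manual-page entry "--sslcheck -> --sslcertck, and do not set trailing" also ends mid-sentence and should name what is not set, and the continuation line "Fixes comment #9 in Gentoo Bug #163782" should be indented like the other wrapped entries so the item boundaries stay unambiguous.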