+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure
Topics: fetchmail cannot enforce TLS
Author: Matthias Andree
-Version: 1.0
+Version: 1.1
Announced: 2007-01-04
Type: secret information disclosure
Impact: fetchmail can expose cleartext password over unsecure link
Not affected: fetchmail release candidates 6.3.6-rc4, -rc5
fetchmail release 6.3.6
+ fetchmail release 6.3.7
Corrected: 2006-11-26 fetchmail 6.3.6-rc4
2006-11-16 v0.01 internal review draft
2006-11-26 v0.02 revise failure cases, workaround, add acknowledgments
2006-11-27 v0.03 add more vulnerabilities
-2006-01-04 v1.0 ready for release
+2007-01-04 v1.0 ready for release
+2007-02-18 v1.1 mention 6.3.7 that fixes two regressions
1. Background
4. Solution
===========
-Download and install fetchmail 6.3.6 or a newer stable release from
+ The earlier recommendation to install 6.3.6 is hereby updated, since
+ version 6.3.6 introduced two new regressions fixed in 6.3.7: one broke
+ KPOP altogether and one broke the automatic POP3 retries without TLS
+ if a server advertised TLS but then closed the connection and TLS
+ wasn't enforced.
+
+Download and install fetchmail 6.3.7 or a newer stable release from
fetchmail's project site at
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
Use the information herein at your own risk.
END OF fetchmail-SA-2006-02.txt
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+iD8DBQFIV7WXvmGDOQUufZURAr4xAKDSgBfyRuCoznZM6vuyA3aDHr/o5QCgvuDX
+OKcBNAf2aVZjS9X0+w/fEc8=
+=PAe2
+-----END PGP SIGNATURE-----