X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=NEWS;h=748a5e8954f897b808d9c0072c33a46c97e90654;hb=c189f6a54f36f5b6f7734303db3cfc52311aab5f;hp=3ee8d85b4a5709c35162c74d40dafbbddfef1495;hpb=f1c0ba89205211f7f723ca81c0130dde30dca336;p=~andy%2Ffetchmail diff --git a/NEWS b/NEWS index 3ee8d85b..748a5e89 100644 --- a/NEWS +++ b/NEWS @@ -59,14 +59,19 @@ removed from a 6.4.0 or newer release.) fetchmail-6.3.22 (not yet released): # SECURITY FIXES -* CVE-2012-(not yet assigned): +* for CVE-2012-3482: NTLM: fetchmail mistook an error message that the server sent in response to an NTLM request for protocol exchange, tried to decode it, and crashed while reading from a bad memory location. - Fix: Detect base64 decoding errors and abort NTLM authentication. + Also, with a carefully crafted NTLM challenge packet sent from the server, it + would be possible that fetchmail conveyed confidential data not meant for the + server through the NTLM response packet. + Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort + NTLM authentication in case of error. See fetchmail-SA-2012-02.txt for further details. Reported by J. Porter Clark. -* CVE-2011-3389: + +* for CVE-2011-3389: SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure against a certain kind of attack against cipher block chaining initialization vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). @@ -111,6 +116,9 @@ fetchmail-6.3.22 (not yet released): messages (with a "meeting.ics" attachment). fetchmail now treats these as transient errors. Report by John Connett, Patch by Sunil Shetye. +# TRANSLATION UPDATES +* New Swedish [sv] translation, courtesy of Göran Uddeborg. + fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):
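Review bot: In the first hunk (the NEWS entry for CVE-2012-3482), the new Fix line "Detect base64 decoding errors, validate the NTLM challenge, and abort NTLM authentication in case of error" does not say what "validate the NTLM challenge" checks, although the paragraph above it introduces a new impact ("with a carefully crafted NTLM challenge packet ... conveyed confidential data not meant for the server"). A reader of NEWS cannot tell which malformed field triggers the abort; name the check in one clause (for instance, that the lengths and offsets carried in the challenge fit within the packet actually received) so the entry and fetchmail-SA-2012-02.txt agree on what was fixed. Also note the headers are changed from "* CVE-2011-3389:" to "* for CVE-2011-3389:" and "* for CVE-2012-3482:"; if the other SECURITY FIXES entries in NEWS keep the bare "* CVE-...:" form, this new "for" wording is inconsistent and should either be dropped or applied throughout the file.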