Reword.

svn path=/branches/BRANCH_6-3/; revision=5087

diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt
index 7c224f9344ef9f83c9a4b2fd263e3dad67ca818f..19bb91c9475316be7b5dbf15a028cf58554707b2 100644 (file)
--- a/fetchmail-SA-2007-01.txt
+++ b/fetchmail-SA-2007-01.txt
@@ -1,6 +1,6 @@
 fetchmail-SA-2007-01: APOP considered insecure
 
-Topics:                The POP3/APOP authentication, by itself, is considered broken.
+Topics:                APOP authentication insecure, fetchmail implementation lax
 
 Author:                Matthias Andree
 Version:       1.0
@@ -44,9 +44,13 @@ control) files for fetchmail.
 The POP3 standard, currently RFC-1939, has specified an optional,
 MD5-based authentication scheme called "APOP".
 
-Fetchmail's POP3 client implementation however has happily accepted
-random garbage as a POP3 server's APOP challenge, rather than insisting
-that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+APOP should no longer be considered secure.
+
+Additionally, fetchmail's POP3 client implementation has been validating
+the APOP challenge too lightly and accepted random garbage as a POP3
+server's APOP challenge, rather than insisting that the APOP challenge
+conformed to RFC-822, as required by RFC-1939.
+
 This made it easier than necessary for man-in-the-middle attackers to
 retrieve by several probing and guessing the first three characters of
 the APOP secret, bringing brute forcing the remaining characters well