Promote regression fix to a security fix.

Reword TLS security fix.

svn path=/branches/BRANCH_6-3/; revision=4947

diff --git a/NEWS b/NEWS
index 41d2395185633e1461ab7882366d103785b7e299..615cabfcdfa1c6064dfa68a0eba2adbb61bcbd96 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -41,23 +41,23 @@ change.  MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
 
 fetchmail 6.3.6 (not yet released):
 
-# SECURITY FIX (INCOMPATIBLE):
+# SECURITY FIX (CHANGES BEHAVIOR):
 * Using at least one of the options "sslproto 'tls1'", "sslfingerprint" or
   "sslcertck" enforces STARTTLS for POP3 and IMAP and terminates the connection
   if unsuccessful. The same configuration causes permanent connection failure
-  with POP2 unless --ssl is used.
+  with POP2, which is obsolete and does not support STLS.  fetchmail 6.3.5 and
+  older had no way to enforce TLS. With those older versions, TLS was always
+  opportunistic, but fetchmail would happily transmit the password in cleartext
+  if STARTTLS failed.  Reported by and fixed in cooperation with Isaac Wilcox.
 
-  fetchmail 6.3.5 and older had no way to enforce TLS. With those older
-  versions, TLS was always opportunistic, but fetchmail would happily transmit
-  the password in cleartext if STARTTLS failed. --ssl --sslcertck configurations
-  however have been safe.
+  Configurations using --ssl --sslcertck however have been safe.
 
-  Reported by and fixed in cooperation with Isaac Wilcox.
-
-# BUG FIXES:
+# SECURITY FIX:
 * Repair regression in 6.3.5 that crashes fetchmail when a message with invalid
   headers is found while fetchmail's mda option is in use. BerliOS bugs #9364,
   #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+
+# BUG FIXES:
 * Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
   reported by Brian Harring.
 * Robustness: If a stale lockfile cannot be deleted, truncate it to avoid