[mpop-users] mpop 1.0.9 released!



mpop 1.0.9 is released!

This is a security update.

Security fix: APOP authentication is vulnerable to man-in-the-middle
attacks. See CVE-2007-1558. Such attacks might lead to password
disclosure. Therefore, mpop does not use APOP automatically without TLS
anymore. Additionally, the checks on the APOP challenge were too lax in
previous versions of mpop, making attacks easier than necessary. This
has been fixed.

Security improvement: NTLM authentication is not used automatically
without TLS anymore.

Security improvement: TLS now requires either tls_trust_file (highly
recommended) or a disabled tls_certcheck.

An update is recommended. 


Martin
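
The two APOP changes described above, sketched as an added example (not part of the original announcement and not mpop's own code): the greeting's challenge is validated strictly before any digest is computed, and APOP is refused without TLS unless explicitly requested. The validation rules, the `forced` parameter and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Assumed strictness (not mpop's actual rules): <local@domain>, printable ASCII
# only, no spaces, control or 8-bit bytes, no nested '<' or '>', exactly one '@'.
_CHALLENGE = re.compile(rb"<[!-;=?A-~]+@[!-;=?A-~]+>")


class ApopRefused(Exception):
    """APOP must not be attempted on this connection."""


def extract_challenge(greeting: bytes) -> bytes:
    if not greeting.startswith(b"+OK"):
        raise ApopRefused("greeting is not +OK")
    start = greeting.find(b"<")
    end = greeting.find(b">", start + 1)
    if start < 0 or end < 0:
        raise ApopRefused("server offers no APOP challenge")
    candidate = greeting[start:end + 1]
    if not _CHALLENGE.fullmatch(candidate):
        raise ApopRefused("malformed APOP challenge")
    return candidate


def challenge_ok(greeting: bytes) -> bool:
    try:
        return bool(extract_challenge(greeting))
    except ApopRefused:
        return False


def apop_command(user, password, greeting, tls_active, forced=False):
    # forced: hypothetical flag standing for an explicit user choice of APOP
    if not tls_active and not forced:
        raise ApopRefused("APOP is not chosen automatically without TLS")
    challenge = extract_challenge(greeting)
    digest = hashlib.md5(challenge + password.encode("utf-8")).hexdigest()
    return f"APOP {user} {digest}"


# Constructed sample greetings; GOOD uses the example exchange from RFC 1939.
GOOD = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
BAD = [
    b"+OK ready <1896.6971\xe9\x80@example.invalid>\r\n",  # 8-bit bytes
    b"+OK ready <1896\x00.1@example.invalid>\r\n",         # control byte
    b"+OK ready <a@b@example.invalid>\r\n",                 # two '@'
    b"+OK ready\r\n",                                       # no challenge
]
```

Rejecting a malformed challenge before hashing means the client never produces an MD5 digest over server-chosen bytes that fall outside the expected message-id syntax.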