[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[mpop-users] mpop 1.0.9 released!

To: mpop-users@lists.sourceforge.net
Subject: [mpop-users] mpop 1.0.9 released!
From: Martin Lambers <marlam@...1...>
Date: Mon, 9 Apr 2007 17:47:16 +0200
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=mpop-users>
List-help: <mailto:mpop-users-request@lists.sourceforge.net?subject=help>
List-id: "General discussion." <mpop-users.lists.sourceforge.net>
List-post: <mailto:mpop-users@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/mpop-users>, <mailto:mpop-users-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/mpop-users>, <mailto:mpop-users-request@lists.sourceforge.net?subject=unsubscribe>
Mail-followup-to: mpop-users@lists.sourceforge.net
Openpgp: id=15BC348B; url=http://www.marlam.de/key.txt
User-agent: Mutt/1.5.13 (2006-08-11)

mpop 1.0.9 is released!

This is a security update.

Security fix: APOP authentication is vulnerable to man-in-the-middle
attacks. See CVE-2007-1558. Such attacks might lead to password
disclosure. Therefore, mpop does not use APOP automatically without TLS
anymore. Additionally, the checks on the APOP challenge were too lax in
previous versions of mpop, making attacks easier than necessary. This
has been fixed.

Security improvement: NTLM authentication is not used automatically
without TLS anymore.

Security improvement: TLS now requires either tls_trust_file (highly
recommended) or a disabled tls_certcheck.

An update is recommended. 


Martin

Prev by Date: [mpop-users] mpop 1.0.8 released!
Next by Date: [mpop-users] mpop 1.0.10 released!
Previous by thread: [mpop-users] mpop 1.0.8 released!
Next by thread: [mpop-users] mpop 1.0.10 released!
Index(es):
- Date
- Thread