Make the APOP challenge parser more distrustful and have it reject challenges
that do not conform to RFC-822 msg-id format, in the hope to make mounting
man-in-the-middle attacks (MITM) against APOP a bit more difficult.
Detailed information:
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
A password disclosure vulnerability (CVE-2006-5867, fetchmail's using unsafe
logins or omitting TLS) and a denial of service vulnerability (CVE-2006-5974,
fetchmail crashes, dereferencing the null page, when rejecting a message sent
to an MDA).
Fetchmail 6.3.6 also fixes several regressions and long-standing bugs.
Details:
https://lists.berlios.de/pipermail/fetchmail-announce/2007-January/000042.html
tests & ok jasper@, simon@
This update includes security fixes for CVE-2005-2335, CVE-2005-4348
and CVE-2006-0321.
Take over maintainership. (With permission from old MAINTAINER fgsch@.)
Tested by Sigfred Håversen and aanriot@.
ok aanriot@, brad@
