[fetchmail-users] fetchmail 6.3.8-rc2 release candidate

[Matthias A. <mat...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I have uploaded the second fetchmail 6.3.8 release candidate to the usual
download location: <http://home.pages.de/~mandree/fetchmail/>.

This release candidates adds strict verification of the POP3 APOP
timestamp for RFC-822 syntax to make an MD5 collision attack more
difficult - details:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
fetchmail 6.3.8 (not yet released) - CHANGES IN RC2 SINCE RC1

# SECURITY STRENGTHENING:
* Make the APOP challenge parser more distrustful and have it reject challenges
  that do not conform to RFC-822 msg-id format, in the hope to make mounting
  man-in-the-middle attacks (MITM) against APOP a bit more difficult.

  APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
  setups: based on MD5 collisions, it is purportedly possible to recover the
  first three characters of the shared secret (password), which would then make
  recovery of the shared secret a matter of hours or minutes; this would then
  enable the attacker to impersonate the client vis-à-vis the server.

  For further details, check
  * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application
  to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in
  Springer's Lecture Notes on Computer Science.)
  * The mailing list discussion thread at
  <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

WARNING: This message sets the Reply-To: header.
When replying to me personally, you need to edit the To: header!

Thank you.

Happy fetching,
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFF/w9AvmGDOQUufZURAtWHAKCsM234Qe7gh8C9z1MsuH43wA4hiQCg0xOy
wrxZO6Dpj4P7XtDO4MuvzDo=
=5+Nu
-----END PGP SIGNATURE-----