From 3ff5f205243cc1df0eefef641ba49eff1c83296a Mon Sep 17 00:00:00 2001 From: Simon Barner Date: Mon, 9 Apr 2007 20:05:50 +0000 Subject: Document fetchmail's "insecure APOP authentication" issue (fixed in 6.3.8). --- security/vuxml/vuln.xml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index dcbe847e2899..538730db6682 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -34,6 +34,41 @@ Note: Please add new entries to the beginning of this file. --> + + fetchmail -- insecure APOP authentication + + + fetchmail + 6.3.8 + + + + +

Matthias Andree reports:

+
+

The POP3 standard, currently RFC-1939, has specified an optional, + MD5-based authentication scheme called "APOP" which no longer + should be considered secure.

+

Additionally, fetchmail's POP3 client implementation has been + validating the APOP challenge too lightly and accepted random + garbage as a POP3 server's APOP challenge. This made it easier + than necessary for man-in-the-middle attackers to retrieve by + several probing and guessing the first three characters of the + APOP secret, bringing brute forcing the remaining characters well + within reach.

+
+ +
+ + CVE-2007-1558 + http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt + + + 2007-04-06 + 2007-04-09 + +
+ mcweject -- exploitable buffer overflow -- cgit v1.2.3
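Review bot: In the quoted description of the new fetchmail entry, the first paragraph says the APOP scheme itself "no longer should be considered secure", yet the entry lists only 6.3.8 in its range and the subject line calls the issue "fixed in 6.3.8", so a reader can conclude that upgrading removes the whole exposure. If 6.3.8 only tightens the lax challenge validation described in the second paragraph, add a sentence after the quote saying so, and state that the weakness of APOP described in the first paragraph is a property of the scheme and not of a particular fetchmail version. The references already point at CVE-2007-1558 and fetchmail-SA-2007-01.txt, so that sentence can defer to the advisory for details and stay short.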