oss-sec mailing list archives
mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)
From: Robert Buchholz <rbu () gentoo org>
Date: Sat, 15 Aug 2009 11:27:37 +0200
CVE-2007-1558: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, and possibly other products.

Mailfilter 0.8.2 is now out and added the mitigation mutt added a while ago:
http://mailfilter.sourceforge.net/NEWS

If you need the patch:
http://mailfilter.svn.sourceforge.net/viewvc/mailfilter?view=rev&revision=17

Robert
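The message does not spell out what the mitigation checks. As an added example (not mailfilter's or mutt's code), the following shows a client-side syntax check of the APOP challenge, assuming the mitigation is of the kind that refuses APOP when the server's timestamp is not a well-formed msg-id; the function names `apop_msgid_valid` and `apop_challenge` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Added example: strict syntax check for a POP3 APOP challenge.
 * Accepts only "<local@domain>" made of printable ASCII (0x21-0x7e),
 * with exactly one '@' and no nested angle brackets. This is a simplified
 * msg-id check, stricter than RFC 822 (no quoted strings or comments). */
static int apop_msgid_valid(const char *s, size_t len)
{
    size_t i, at = 0, at_count = 0;

    if (len < 5 || s[0] != '<' || s[len - 1] != '>')
        return 0;
    for (i = 1; i + 1 < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x21 || c > 0x7e || c == '<' || c == '>')
            return 0;               /* control, space, 8-bit, or bracket */
        if (c == '@') {
            at = i;
            at_count++;
        }
    }
    /* exactly one '@', with non-empty local part and domain */
    return at_count == 1 && at > 1 && at < len - 2;
}

/* Locate the challenge in a server greeting ("+OK ... <ts>") and validate it.
 * The greeting is passed with an explicit length so embedded NUL bytes
 * cannot hide data. Returns a pointer to '<' and sets *len on success,
 * or NULL if the client should refuse APOP for this session. */
const char *apop_challenge(const char *greeting, size_t glen, size_t *len)
{
    const char *lt, *gt;

    if (glen < 3 || memcmp(greeting, "+OK", 3) != 0)
        return NULL;
    lt = memchr(greeting, '<', glen);
    if (!lt)
        return NULL;
    gt = memchr(lt, '>', glen - (size_t)(lt - greeting));
    if (!gt)
        return NULL;
    *len = (size_t)(gt - lt) + 1;
    return apop_msgid_valid(lt, *len) ? lt : NULL;
}
```

A client would call `apop_challenge` on the greeting before computing the MD5 digest and fall back to another authentication method, or abort, when it returns NULL.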