Date: Sat, 15 Aug 2009 11:27:37 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: mailfilter 0.8.2 fixes CVE-2007-1558 (APOP)

CVE-2007-1558:
  The APOP protocol allows remote attackers to guess the first 3 
  characters of a password via man-in-the-middle (MITM) attacks that use
  crafted message IDs and MD5 collisions. NOTE: this design-level issue
  potentially affects all products that use APOP, including (1)
  Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, 
  (3) mutt, (4) fetchmail, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x 
  before 1.1.2, (6) Balsa 2.3.16 and earlier, and possibly other 
  products.

Mailfilter 0.8.2 is now out and added the mitigation mutt added a while 
ago: http://mailfilter.sourceforge.net/NEWS

If you need the patch:
http://mailfilter.svn.sourceforge.net/viewvc/mailfilter?view=rev&revision=17



Robert
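
Client-side mitigations for this CVE, such as the one in mutt, validate the APOP challenge from the server greeting as an RFC 822 msg-id before hashing it together with the password. The following C sketch of such a check is an added example, not part of the original post and not mailfilter's or mutt's code; the function names are hypothetical, and the check is deliberately stricter than the msg-id grammar (printable ASCII only, exactly one '@').

```c
#include <stddef.h>
#include <string.h>

/* Added example; names are hypothetical.
 * Returns 1 if the challenge looks like "<" local-part "@" domain ">",
 * else 0. A client must not send APOP when this returns 0. */
int apop_challenge_ok(const unsigned char *ts, size_t len)
{
    size_t i, at = 0;
    int at_count = 0;

    if (ts == NULL || len < 5)            /* shortest form is "<a@b>" */
        return 0;
    if (ts[0] != '<' || ts[len - 1] != '>')
        return 0;

    for (i = 1; i + 1 < len; i++) {
        unsigned char c = ts[i];
        /* Printable ASCII without space only: rejects NUL, control
         * and 8-bit bytes anywhere inside the challenge. */
        if (c <= 0x20 || c >= 0x7f)
            return 0;
        if (c == '<' || c == '>')         /* no nested angle brackets */
            return 0;
        if (c == '@') { at = i; at_count++; }
    }
    /* Exactly one '@' with non-empty local-part and domain. */
    if (at_count != 1 || at == 1 || at == len - 2)
        return 0;
    return 1;
}

/* Locate the challenge in a greeting line (length given explicitly so
 * embedded NUL bytes are seen) and validate it. On success returns 1
 * and sets *start / *n to the challenge span. */
int apop_find_challenge(const char *greeting, size_t glen,
                        const char **start, size_t *n)
{
    const char *lt = memchr(greeting, '<', glen);
    const char *gt;

    if (lt == NULL)
        return 0;
    gt = memchr(lt, '>', glen - (size_t)(lt - greeting));
    if (gt == NULL)
        return 0;
    *start = lt;
    *n = (size_t)(gt - lt) + 1;
    return apop_challenge_ok((const unsigned char *)lt, *n);
}
```

When the check fails, the client should abort authentication or fall back to a method protected by TLS rather than compute the APOP digest.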
