The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
net-mail, any news on this one?
Ouch... helps if I'm actually CCed :P I'll see if upstream has released something related to this. Though I'm a bit busy these days so I'd appreciate it if someone does it. Cheers. - ferdy
ferdy, any news on this one?
Sorry for the delay, I'm in exams period and haven't paid lots of attention to Gentoo these days. Mutt-1.5.16 has just been released with a fix for this. I'll provide an updated ebuild soon. - ferdy
ferdy, any news on this one?
I have everything ready, but the sidebar patch hasn't been updated by its upstream. I'm currently uploading the patchset to the mirrors so it is ready once the sidebar patch is ready. - ferdy
Thanks for the status update. Please post again once the ebuild is committed.
Ferdy, any news here?
any news here?
ferdy/net-mail, what's the status here?
The status is that I've been away and not every patch was ready when I wasn't away. The hard part of the job was done as stated in comment #6 so anyone could've finished it during my month off. Anyway, everything should be ready now and I committed mail-client/mutt-1.5.16 a couple of minutes ago. - ferdy
(In reply to comment #6)
> I have everything ready, but the sidebar patch hasn't been updated by its
> upstream. I'm currently uploading the patchset to the mirrors so it is ready
> once the sidebar patch is ready.

(In reply to comment #11)
> The hard part of the job was done as stated in comment #6 so anyone
> could've finished it during my month off.

I wanted to bump it but the patches were already removed/cleaned from the mirrors again. Hint: The patchset must be uploaded again.
Shite... forgot that. I'll do it in a minute. Thanks Torsten. - ferdy
Well... mutt-1.5.16 has been on the tree with a fix since:
---8<---
Comment #11 From Fernando J. Pereda 2007-08-08 09:42:59 0000
---8<---
That is, thirteen days. Also, stabilization of that version has been handled in bug #178003 and all security supported archs already marked it as such. Is there anything I'm missing? - ferdy
Sorry ferdy, I forgot about the other bug.
Finally closing without GLSA wrt the discussion on bug 178003; feel free to reopen if you disagree.