The program uses MD5, deprecated by OpenSSL and considered insecure. Package has not been updated since 2011 and usage is questionable, upstream is dead. Reproducible: Always
What is it actually using md5 for? It's fine in some contexts.
The man page mentions POP3 authentication. Not sure if this is a problem in practice since I think you'll have a hard time finding a POP3 server that still allows non-tls authentication.
I was aiming for last-riting the package and the security bug was just the cause I needed, tbh. The packages from https://tigr.net/afterstep/applets/ are all stale, most of them maintainer needed, last update about two decades ago. And then this vulnerability.
I understand the intent, but I feel like that's kind of abuse of the procedure. If you think there's an actual vulnerability, please state it clearly. Using MD5 *anywhere in the program* doesn't make it vulnerable - it depends on how it's used and what for.