diff options

| author | Eduardo Chappa <chappa@washington.edu> | 2020-06-18 03:25:29 -0600 |
|---|---|---|
| committer | Eduardo Chappa <chappa@washington.edu> | 2020-06-18 03:25:29 -0600 |
| commit | 000edd9036b6aea5e6a06900ecd6c58faec665ab (patch) | |
| tree | cb0e40cf17e1c6e3b1f69cb02fe1ef364e605d1a /pith | |
| parent | 5cba97d032b16b89a6f73d5841e55bf13672f921 (diff) | |
| download | alpine-000edd9036b6aea5e6a06900ecd6c58faec665ab.tar.xz | |
* Security Bug: Alpine can be configured to start a secure connection using /tls
on an insecure connection. However, if the connection is PREAUTH, Alpine
will not upgrade the connection to a secure connection, because a client
must not issue a STARTTLS to a server that supports it in authenticated
state. This makes Alpine continue to use an insecure connection with the
server, exposing user data. Reported by Damian Poddebniak and Fabian
Ising, from Münster University of Applied Sciences.
Diffstat (limited to 'pith')
-rw-r--r-- | pith/pine.hlp | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/pith/pine.hlp b/pith/pine.hlp index 850a84b5..eb20666f 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 450 2020-06-17 12:40:13 +Alpine Commit 451 2020-06-18 03:25:21 ============= h_news ================= <HTML> <HEAD> @@ -243,6 +243,14 @@ problems you find with this release. Bugs addressed: <UL> + <LI> Security Bug: Alpine can be configured to start a secure connection using /tls + on an insecure connection. However, if the connection is PREAUTH, Alpine + will not upgrade the connection to a secure connection, because a client + must not issue a STARTTLS to a server that supports it in authenticated + state. This makes Alpine continue to use an insecure connection with the + server, exposing user data. Reported by Damian Poddebniak and Fabian + Ising from Münster University of Applied Sciences. + <LI> Selecting by subject might not copy the subject of the current message to the selection text correctly. Reported by Iosif Fettich. |
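Review bot: the new h_news entry in the second hunk (the `<LI> Security Bug:` block) describes the problem but not the corrected behaviour, and since this diff is limited to pith/pine.hlp the actual code change is not visible here; a release note a user can act on should state what Alpine now does when a PREAUTH greeting arrives on a connection that was supposed to be upgraded with /tls (for example, whether the connection is refused or the user is warned before continuing in cleartext). The sentence "a client must not issue a STARTTLS to a server that supports it in authenticated state" also reads ambiguously; consider "because STARTTLS may only be issued in the not-authenticated state, and a PREAUTH greeting places the connection directly in authenticated state", which is what makes the upgrade impossible rather than merely skipped. The unclosed `<LI>` matches the existing entries in this list, so no change is needed there.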