-rw-r--r-- | imap/src/c-client/imap4r1.c | 12 | ||||
-rw-r--r-- | pith/pine.hlp | 10 |
2 files changed, 20 insertions, 2 deletions
diff --git a/imap/src/c-client/imap4r1.c b/imap/src/c-client/imap4r1.c index 2233da6e..4991f85e 100644 --- a/imap/src/c-client/imap4r1.c +++ b/imap/src/c-client/imap4r1.c @@ -1,7 +1,7 @@ /* * Copyright 2016-2020 Eduardo Chappa * - * Last Edited: Jan 26, 2020 Eduardo Chappa <alpine.chappa@gmx.com> + * Last Edited: Jun 18, 2020 Eduardo Chappa <alpine.chappa@yandex.com> * */ /* ======================================================================== @@ -891,6 +891,16 @@ MAILSTREAM *imap_open (MAILSTREAM *stream) return NIL; /* lost during greeting */ } + /* STARTTLS is not allowed in PREAUTH state */ + if (LOCAL->netstream && !strcmp (reply->key,"PREAUTH")){ + sslstart_t stls = (sslstart_t) mail_parameters (NIL,GET_SSLSTART,NIL); + if (!LOCAL->gotcapability) imap_capability (stream); + if (LOCAL->netstream + && stls && LOCAL->cap.starttls && !mb.sslflag && !mb.notlsflag && mb.tlsflag){ + mm_log("STARTTLS not allowed on PREAUTH state. Closing Connection", ERROR); + return NIL; + } + } /* if connected and not preauthenticated */ if (LOCAL->netstream && strcmp (reply->key,"PREAUTH")) { sslstart_t stls = (sslstart_t) mail_parameters (NIL,GET_SSLSTART,NIL); diff --git a/pith/pine.hlp b/pith/pine.hlp index 850a84b5..eb20666f 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 450 2020-06-17 12:40:13 +Alpine Commit 451 2020-06-18 03:25:21 ============= h_news ================= <HTML> <HEAD> 
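Review bot: The new PREAUTH guard in the `@@ -891,6 +891,16 @@` hunk of imap_open only refuses the connection when `stls && LOCAL->cap.starttls` holds, so honouring the user's `/tls` request still depends on a capability list supplied by the same unauthenticated cleartext peer that sent the PREAUTH greeting. A PREAUTH greeting whose capabilities omit STARTTLS would, as far as this hunk shows, fall through and continue without TLS even though `mb.tlsflag` is set. Consider keying the refusal on the user's request alone, e.g. `if (LOCAL->netstream && mb.tlsflag && !mb.sslflag && !mb.notlsflag){`. Separately, the log text says "Closing Connection" but the added lines `return NIL` with no visible close call; whether the caller tears down `LOCAL->netstream` is outside the hunk, as is the rest of imap_open.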
@@ -243,6 +243,14 @@ problems you find with this release. Bugs addressed: <UL> + <LI> Security Bug: Alpine can be configured to start a secure connection using /tls + on an insecure connection. However, if the connection is PREAUTH, Alpine + will not upgrade the connection to a secure connection, because a client + must not issue a STARTTLS to a server that supports it in authenticated + state. This makes Alpine continue to use an insecure connection with the + server, exposing user data. Reported by Damian Poddebniak and Fabian + Ising from Münster University of Applied Sciences. + <LI> Selecting by subject might not copy the subject of the current message to the selection text correctly. Reported by Iosif Fettich. |