From 000edd9036b6aea5e6a06900ecd6c58faec665ab Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Thu, 18 Jun 2020 03:25:29 -0600 Subject: * Security Bug: Alpine can be configured to start a secure connection using /tls on an insecure connection. However, if the connection is PREAUTH, Alpine will not upgrade the connection to a secure connection, because a client must not issue a STARTTLS to a server that supports it in authenticated state. This makes Alpine continue to use an insecure connection with the server, exposing user data. Reported by Damian Poddebniak and Fabian Ising, from Münster University of Applied Sciences. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pith/pine.hlp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'pith') diff --git a/pith/pine.hlp b/pith/pine.hlp index 850a84b5..eb20666f 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp @@ -140,7 +140,7 @@ with help text for the config screen and the composer that didn't have any reasonable place to be called from. Dummy change to get revision in pine.hlp ============= h_revision ================= -Alpine Commit 450 2020-06-17 12:40:13 +Alpine Commit 451 2020-06-18 03:25:21 ============= h_news ================= @@ -243,6 +243,14 @@ problems you find with this release. Bugs addressed:
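Review bot: in the `@@ -243,6 +243,14 @@` hunk, the entry added under "Bugs addressed:" should state what Alpine does after this fix when /tls is set and the server greets with PREAUTH, not only that the connection used to stay insecure. The commit message explains why STARTTLS cannot be issued in the authenticated state but does not describe the resulting behaviour, and this view is limited to 'pith', so pine.hlp is the only place in these hunks where a reader can learn it. It would also help to tell users who rely on /tls that sessions opened this way before the fix exposed user data, as the commit message says. The h_revision bump from 450 to 451 in the first hunk needs no change.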