* Security Bug: Alpine can be configured to start a secure connection using /tls
commit000edd9036b6aea5e6a06900ecd6c58faec665ab
authorEduardo Chappa <chappa@washington.edu>
Thu, 18 Jun 2020 09:25:29 +0000 (18 03:25 -0600)
committerEduardo Chappa <chappa@washington.edu>
Thu, 18 Jun 2020 09:25:29 +0000 (18 03:25 -0600)
treecb0e40cf17e1c6e3b1f69cb02fe1ef364e605d1a
parent5cba97d032b16b89a6f73d5841e55bf13672f921
  * Security Bug: Alpine can be configured to start a secure connection using /tls
    on an insecure connection. However, if the connection is PREAUTH, Alpine
    will not upgrade the connection to a secure connection, because a client
    must not issue a STARTTLS to a server that supports it in authenticated
    state. This makes Alpine continue to use an insecure connection with the
    server, exposing user data. Reported by Damian Poddebniak and Fabian
    Ising, from M√ľnster University of Applied Sciences.
imap/src/c-client/imap4r1.c
pith/pine.hlp