* Security Bug: Alpine can be configured to start a secure connection using /tls
commit 000edd9036b6aea5e6a06900ecd6c58faec665ab
author Eduardo Chappa <chappa@washington.edu>
Thu, 18 Jun 2020 09:25:29 +0000 (18 03:25 -0600)
committer Eduardo Chappa <chappa@washington.edu>
Thu, 18 Jun 2020 09:25:29 +0000 (18 03:25 -0600)
tree cb0e40cf17e1c6e3b1f69cb02fe1ef364e605d1a
parent 5cba97d032b16b89a6f73d5841e55bf13672f921
  * Security Bug: Alpine can be configured to start a secure connection using /tls
    on an insecure connection. However, if the connection is PREAUTH, Alpine
    will not upgrade the connection to a secure connection, because a client
    must not issue a STARTTLS to a server that supports it in authenticated
    state. This makes Alpine continue to use an insecure connection with the
    server, exposing user data. Reported by Damian Poddebniak and Fabian
    Ising, from Münster University of Applied Sciences.
imap/src/c-client/imap4r1.c
pith/pine.hlp
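
The greeting check that the commit message above describes, written as an added example that is not part of this commit or of c-client. All identifiers are hypothetical, the greetings are constructed samples, and failing closed on PREAUTH is this example's assumed policy, since the page does not show the code change itself.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names for illustration; none of this is c-client code. */
typedef enum { GREET_OK, GREET_PREAUTH, GREET_BYE, GREET_INVALID } greeting_t;
typedef enum { ACT_STARTTLS, ACT_CONTINUE, ACT_ABORT } action_t;

/* Classify the untagged greeting an IMAP server sends on connect. */
greeting_t classify_greeting(const char *line)
{
    size_t n;
    if (strncmp(line, "* ", 2) != 0) return GREET_INVALID;
    line += 2;
    n = strcspn(line, " \r\n");            /* length of the status word */
    if (n == 2 && strncasecmp(line, "OK", n) == 0) return GREET_OK;
    if (n == 7 && strncasecmp(line, "PREAUTH", n) == 0) return GREET_PREAUTH;
    if (n == 3 && strncasecmp(line, "BYE", n) == 0) return GREET_BYE;
    return GREET_INVALID;
}

/* tls_required: the user asked for /tls. tls_active: channel already encrypted. */
action_t next_action(const char *greeting, int tls_required, int tls_active)
{
    greeting_t g = classify_greeting(greeting);
    if (g == GREET_BYE || g == GREET_INVALID) return ACT_ABORT;
    if (tls_active || !tls_required) return ACT_CONTINUE;
    /* Cleartext channel and TLS is mandatory. PREAUTH means the session is
       already authenticated, where STARTTLS may not be issued, so the only
       safe outcome is to drop the connection (assumed policy). */
    if (g == GREET_PREAUTH) return ACT_ABORT;
    return ACT_STARTTLS;
}

int main(void)
{
    static const char *names[] = { "STARTTLS", "CONTINUE", "ABORT" };
    /* Constructed sample greetings. */
    const char *samples[] = {
        "* OK IMAP4rev1 service ready\r\n",
        "* PREAUTH IMAP4rev1 logged in as user\r\n",
        "* BYE server shutting down\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s <- %s", names[next_action(samples[i], 1, 0)], samples[i]);
    return 0;
}
```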