Package: fetchmail
Version: 6.3.22-2
Severity: important
Tags: security

The --sslfingerprint accepts only MD5 fingerprints. MD5 should be considered cryptographically broken. Please at least add the possibility to specify SHA-1 fingerprints.

(As a side note, the manpage says that MD5 "is the default format OpenSSL uses", which hasn't been true since OpenSSL 0.9.8.)


-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fetchmail depends on:
ii  adduser           3.113+nmu3
ii  debianutils       4.3.4
ii  libc6             2.17-0experimental2
ii  libcomerr2        1.42.5-1
ii  libgssapi-krb5-2  1.10.1+dfsg-3
ii  libkrb5-3         1.10.1+dfsg-3
ii  libssl1.0.0       1.0.1c-4
ii  lsb-base          4.1+Debian9

--
Jakub Wilk


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to