This is an important security release fixing two issues.
The first is a possible IMAP man-in-the-middle attack. An IMAP server may answer the initial connection with an untagged PREAUTH greeting, which tells the client it is already authenticated, so Mutt would neither negotiate STARTTLS nor log in. An attacker positioned between Mutt and the real server could therefore send an unencrypted PREAUTH greeting of their own and be treated as the mailbox. No credentials are exposed, but it could result in emails being unintentionally "saved" (for example, copies of sent mail) to an attacker's server. The $ssl_starttls quadoption is now consulted when an unencrypted PREAUTH response arrives: with "yes" the connection is aborted, with "ask-yes"/"ask-no" the user is prompted, and only "no" keeps the previous behaviour.
Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix.
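The following is an added illustration of the check described above, written for this page and not taken from Mutt's source. It models the server greeting handling of an IMAP client: the greetings are constructed strings in RFC 3501 syntax, the quadoption values mirror $ssl_starttls, and the function names (`handle_greeting`, `handle_greeting_unpatched`, `client_commands`) and the prompt wording are assumptions made for the example.

```python
"""Unencrypted-PREAUTH handling in a simulated IMAP client (added example).

Constructed greetings: LEGIT_GREETING is what a normal plaintext IMAP server
sends; MITM_GREETING is what an attacker-in-the-middle answers with to make
the client skip both STARTTLS and authentication.
"""

LEGIT_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready"
MITM_GREETING = "* PREAUTH [CAPABILITY IMAP4rev1] logged in as victim"

# Quadoption values, as for mutt's $ssl_starttls.
QUAD_YES, QUAD_NO, QUAD_ASK_YES, QUAD_ASK_NO = "yes", "no", "ask-yes", "ask-no"


def query_quadoption(value, prompt, answer=None):
    """Resolve a quadoption to True/False.

    Fixed values decide on their own; the ask-* values consult the user.
    `answer` stands in for the interactive reply (None = accept the default
    of ask-yes/ask-no), so the example runs without a terminal.
    """
    if value == QUAD_YES:
        return True
    if value == QUAD_NO:
        return False
    if value not in (QUAD_ASK_YES, QUAD_ASK_NO):
        raise ValueError("unknown quadoption value: %r" % value)
    default = value == QUAD_ASK_YES
    return default if answer is None else bool(answer)


def handle_greeting(greeting, ssl_starttls, encrypted, answer=None):
    """Decide the next client step after the server greeting (fixed logic).

    Returns one of:
      'abort'    close the connection
      'starttls' negotiate TLS before authenticating
      'login'    authenticate on the current channel
      'preauth'  treat the session as already authenticated (no LOGIN sent)
    """
    if greeting.startswith("* PREAUTH"):
        # PREAUTH over plaintext is the MITM case: nothing has proven the
        # peer's identity, and no TLS or LOGIN will follow. Let the
        # $ssl_starttls quadoption decide whether to abort.
        if not encrypted and query_quadoption(
                ssl_starttls, "Abort unencrypted PREAUTH connection?", answer):
            return "abort"
        return "preauth"
    if greeting.startswith("* OK"):
        if encrypted:
            return "login"
        if "STARTTLS" in greeting and query_quadoption(
                ssl_starttls, "Use STARTTLS?", answer):
            return "starttls"
        return "login"
    return "abort"  # "* BYE" or anything unexpected


def handle_greeting_unpatched(greeting, ssl_starttls, encrypted, answer=None):
    """Pre-fix behaviour: PREAUTH is honoured regardless of encryption."""
    if greeting.startswith("* PREAUTH"):
        return "preauth"
    return handle_greeting(greeting, ssl_starttls, encrypted, answer)


def client_commands(greeting, ssl_starttls, encrypted, handler=handle_greeting,
                    answer=None):
    """Return the commands the client would send to save a message, given the
    greeting. Shows why a plaintext PREAUTH is dangerous: the APPEND goes to
    whoever sent the greeting, with no TLS and no LOGIN in between."""
    step = handler(greeting, ssl_starttls, encrypted, answer)
    tag = 1
    cmds = []
    if step == "abort":
        return cmds
    if step == "starttls":
        cmds.append("a%03d STARTTLS" % tag); tag += 1
        step = "login"
    if step == "login":
        cmds.append("a%03d LOGIN victim <password>" % tag); tag += 1
    cmds.append('a%03d APPEND "Sent" {42}' % tag)  # the message body follows
    return cmds
```

With the default `$ssl_starttls` of "yes", `client_commands(MITM_GREETING, "yes", encrypted=False)` now returns an empty list (connection aborted), whereas the unpatched handler would go straight to `APPEND`.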
The second fix is for a problem with GnuTLS certificate prompting. "Rejecting" an expired intermediate certificate at the prompt did not terminate the connection, so the session continued as though the chain had been accepted. Thanks to @henk on IRC for reporting the issue.
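As an added illustration of the second issue, not taken from Mutt's GnuTLS code, the block below walks a certificate chain and prompts on each certificate that fails a validity check. The chain is a constructed list of dicts standing in for parsed X.509 certificates (leaf first, as GnuTLS orders them), the clock is fixed, and the two functions `check_chain_fixed` and `check_chain_symptom` are assumptions: the second reproduces the reported symptom (a rejection on the intermediate being overridden by a later, valid certificate) and is not a claim about how the actual bug was written.

```python
"""Interactive chain acceptance: any rejection must fail the handshake
(added example, not Mutt's code).
"""
from datetime import datetime, timezone

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # constructed clock


def make_cert(subject, not_before, not_after):
    # Constructed stand-in for a parsed X.509 certificate.
    return {"subject": subject,
            "not_before": datetime(*not_before, tzinfo=timezone.utc),
            "not_after": datetime(*not_after, tzinfo=timezone.utc)}


# GnuTLS order: index 0 is the server (leaf) certificate, the last is the root.
CHAIN = [
    make_cert("CN=imap.example.net", (2020, 1, 1), (2021, 1, 1)),
    make_cert("CN=Example Intermediate CA", (2015, 1, 1), (2020, 5, 1)),  # expired
    make_cert("CN=Example Root CA", (2010, 1, 1), (2030, 1, 1)),
]


def validity_problems(cert, now=NOW):
    """Return the list of reasons the user would be prompted for this cert."""
    problems = []
    if cert["not_after"] < now:
        problems.append("expired")
    if cert["not_before"] > now:
        problems.append("not yet valid")
    return problems


def check_chain_fixed(chain, prompt, now=NOW):
    """Prompt for every problematic certificate; the first rejection ends
    the handshake, whatever comes later in the chain."""
    for depth, cert in enumerate(chain):
        problems = validity_problems(cert, now)
        if problems and not prompt(depth, cert, problems):
            return False
    return True


def check_chain_symptom(chain, prompt, now=NOW):
    """Constructed pattern that shows the symptom: the verdict is recomputed
    for each certificate, so a valid root overwrites the user's rejection of
    the expired intermediate and the connection proceeds."""
    verdict = True
    for depth, cert in enumerate(chain):
        problems = validity_problems(cert, now)
        verdict = prompt(depth, cert, problems) if problems else True
    return verdict


def reject_all(depth, cert, problems):
    # Stand-in for a user answering "reject" at every prompt.
    return False


def accept_all(depth, cert, problems):
    # Stand-in for a user answering "accept" at every prompt.
    return True
```

The point for a practitioner reviewing similar code: a per-certificate prompt loop must short-circuit on the first rejection, and the result of the last iteration must never be able to overwrite an earlier "no".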