
CVE-2007-1558

Published: 16 April 2007

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

Priority

Unknown

Status

Package              Release   Status
fetchmail            dapper    Released (6.3.2-2ubuntu2.2)
fetchmail            edgy      Released (6.3.4-1ubuntu4.2)
fetchmail            feisty    Released (6.3.6-1ubuntu2.1)
fetchmail            upstream  Needs triage

iceape               dapper    Does not exist
iceape               edgy      Does not exist
iceape               feisty    Does not exist
iceape               upstream  Needs triage

im                   dapper    Ignored
im                   edgy      Ignored
im                   feisty    Ignored
im                   upstream  Needs triage

mew                  dapper    Ignored
mew                  edgy      Ignored
mew                  feisty    Ignored
mew                  upstream  Needs triage

mew-beta             dapper    Ignored
mew-beta             edgy      Ignored
mew-beta             feisty    Ignored
mew-beta             upstream  Needs triage

mozilla-thunderbird  dapper    Released (1.5.0.13-0ubuntu0.6.06)
mozilla-thunderbird  edgy      Released (1.5.0.13-0ubuntu0.6.10)
mozilla-thunderbird  feisty    Released (1.5.0.13-0ubuntu0.7.04)
mozilla-thunderbird  upstream  Needs triage

wl                   dapper    Ignored
wl                   edgy      Ignored
wl                   feisty    Ignored
wl                   upstream  Needs triage

wl-beta              dapper    Ignored
wl-beta              edgy      Ignored
wl-beta              feisty    Ignored
wl-beta              upstream  Needs triage

Notes

Author    Note
kees      This is a partial attack, not really feasible, so it is okay to ignore.
jdstrand  possible fetchmail patch at http://www.securityfocus.com/archive/1/464477/30/0/threaded
