28 May 1997, rev. 15 July 1998
This is an attempt to alleviate some confusion with respect to recent security concerns related to IMAP. There have been some reports that there is a security vulnerability in IMAP (the Internet Message Access Protocol) itself. This is not the case. There is a security vulnerability in specific implementations of IMAP and POP servers. However, not all IMAP and POP software implementations, and certainly not the protocols themselves, suffer from this vulnerability.
This security vulnerability has been detected in the c-client library used in the University of Washington (UW) IMAP and POP servers.
A CERT advisory, which also contains security information about non-UW implementations of POP and IMAP servers, can be found at http://www.cert.org/advisories/CA-1997-09.html.