FreeBSD: F1C4D133-E6D3-11DB-99EA-0060084A00E5
Apr 06, 2007

fetchmail -- insecure APOP authentication

2007-04-06 00:00:00
vuxml.freebsd.org

CVSS2: 2.6 Low (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.063 Low (Percentile: 93.5%)

Matthias Andree reports:

The POP3 standard, currently RFC-1939, has specified an optional,
MD5-based authentication scheme called “APOP” which no longer
should be considered secure.
Additionally, fetchmail’s POP3 client implementation has been
validating the APOP challenge too lightly and accepted random
garbage as a POP3 server’s APOP challenge. This made it easier
than necessary for man-in-the-middle attackers to retrieve by
several probing and guessing the first three characters of the
APOP secret, bringing brute forcing the remaining characters well
within reach.

OS       Version  Architecture  Package    Version  Filename
FreeBSD  any      noarch        fetchmail  < 6.3.8  UNKNOWN
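
The report above says fetchmail accepted random garbage as a POP3 server's APOP challenge. The following is an added example, not fetchmail's code and not part of the original advisory, of a client-side check that rejects a malformed challenge before any APOP digest is computed. The function name `apop_challenge_ok`, the simplified msg-id rule it enforces, and the sample greetings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not fetchmail code. Simplified msg-id rule (assumption):
 * first '<'...'>' pair in the greeting, exactly one '@' with non-empty
 * sides, and only printable 7-bit ASCII (0x21-0x7e) in between. */
int apop_challenge_ok(const char *greeting, char *out, size_t outlen)
{
    const char *start = strchr(greeting, '<');
    const char *end, *p;
    int at_count = 0;
    size_t len;

    if (start == NULL || (end = strchr(start + 1, '>')) == NULL)
        return 0;                       /* no timestamp at all */
    for (p = start + 1; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x21 || c > 0x7e || c == '<')
            return 0;                   /* control, space, 8-bit, nested '<' */
        if (c == '@') {
            if (p == start + 1 || p + 1 == end)
                return 0;               /* empty local part or domain */
            at_count++;
        }
    }
    if (at_count != 1)
        return 0;
    len = (size_t)(end - start) + 1;    /* keep the angle brackets */
    if (len + 1 > outlen)
        return 0;                       /* would not fit: reject, never truncate */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed greetings; the third carries an 8-bit byte. */
    const char *samples[] = {
        "+OK POP3 ready <1234.5678@mail.example.org>\r\n",
        "+OK POP3 ready <garbage>\r\n",
        "+OK POP3 ready <12\x80" "34@mail.example.org>\r\n",
    };
    char chal[128];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s\n", apop_challenge_ok(samples[i], chal, sizeof chal) ? "accept" : "reject");
    return 0;
}
```

A client using a check like this should abort APOP authentication on a rejected challenge rather than fall back to sending a digest anyway.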