"The APOP protocol allows remote attackers to guess the first 3 characters of a
password via man-in-the-middle (MITM) attacks that use crafted message IDs and
MD5 collisions. NOTE: this design-level issue potentially affects all products
that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4)
According to upstream, fixed in 2.9.1.
Thanks for reporting. Fixed and pushed.