-
-
Notifications
You must be signed in to change notification settings - Fork 1
/
NEWS
2125 lines (1861 loc) · 108 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Fetchmail Release Notes
=======================
This file is in Unicode charset with UTF-8 encoding.
All dates are in Universal Time unless otherwise noted.
(The `lines' figures total .c, .h, .l, and .y files under version control.
Abbreviations in parentheses are the maintainers who committed the respective
change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
(There are no plans to remove features from a 6.4.X release, but they may be
removed from a 6.5.0 or newer release.)
* Future fetchmail releases may require compilers and operating systems
that adhere to standards issued 2011 or later.
(Currently, C89 and Single Unix Specification V2 should suffice.)
* Future fetchmail releases may tighten up security and lean towards
it a bit more by, for instance, implementing recommendations from
RFC-7817 or RFC-8314. This may, for instance, require that TLS v1.1
or newer be used.
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
are based on assumptions that are rarely met in practice, somewhat defective,
deprecated and may be removed from a future fetchmail version.
They have never supported IPv6 (including IPv6-mapped IPv4).
Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
version as they are not reasonably portable across operating systems.
* POP2 is obsolete, support will be removed from a future fetchmail version.
* IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a
future fetchmail version.
* RPOP is obsolete, support will be removed from a future fetchmail release.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
the Received header was never meant to be machine-readable, the format varies
widely, and various other differences in behavior make parsing Received an
unreliable undertaking. The envelope option as such will remain though, in
order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
See also <http:https://home.pages.de/~mandree/mail/multidrop>.
* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed
from a future fetchmail release, because it makes fetchmail's behavior
inconsistent and confusing.
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
* Kerberos 5 support may be removed from a future fetchmail release.
* The --principal option may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
removed or operation on such systems may be suboptimal for future releases.
This means that fetchmail may only continue to work on C99 and POSIX 2001
based systems.
* The maintainer may migrate fetchmail to C++ with STL or C#, and impose further
requirements (dependencies), such as Boost or other class libraries.
* The softbounce option default will change to "false" in the next release.
* The --bsmtp - mode of operation may be removed in a future release.
* Given that OpenSSL is severely underdocumented, and needs license exceptions,
fetchmail may switch to a different SSL library.
* SSLv3 support may be removed from a future fetchmail release. It has been
obsolete for many years and found insecure. Use TLS.
* Fetchmailconf is deprecated and will be removed from a future release.
* Fetchmail does not guarantee compatibility with EOL OpenSSL versions. Support
for end-of-life OpenSSL versions may be removed even from patchlevel releases.
--------------------------------------------------------------------------------
fetchmail-6.4.6 (released 2020-05-29, 27596 LoC):
## TRANSLATION UPDATE, with thanks to the translator:
* eo: Felipe Castro [Esperanto]
--------------------------------------------------------------------------------
fetchmail-6.4.5 (released 2020-05-07, 27596 LoC):
## REGRESSION FIX:
* fetchmail 6.4.0 and 6.4.1 changed the resolution of the home directory
in a way that requires SUSv4 semantics of realpath(), which leads to
'Cannot find absolute path for... directory' error messages followed by aborts
on systems where realpath() follows strict SUSv2 semantics and returns
EINVAL if the 2nd argument is NULL.
On such systems, for instance, Solaris 10, fetchmail requires PATH_MAX to be
defined, and will then work again. Regression reported by David Hough.
On systems that neither provide auto-allocation semantics for realpath(),
nor PATH_MAX, fetchmail will print this error and abort. Such systems
are unsupported, see README.
## CHANGES:
* Add a test program fm_realpath, and a t.realpath script, neither to be
installed. These will test resolution of the current working directory.
## TRANSLATION UPDATES in reverse alphabetical order of language codes,
## with my thanks to the translators:
* zh_CN: Boyuan Yang [Chinese (simplified)]
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used, for instance,
for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
--------------------------------------------------------------------------------
fetchmail-6.4.4 (released 2020-04-26, 27530 LoC):
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATOR:
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------
fetchmail-6.4.3 (released 2020-04-05, 27530 LoC):
## BUGFIXES:
* Plug memory leaks when parts of the configuration (defaults, rcfile, command
line) override one another.
* fetchmail terminated the placeholder command string too late and included
garbage from the heap at the end of the string. Workaround: don't use place-
holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
Gitlab merge request !5 in order to fix an input buffer overrun.
Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
Reported by Stefan Thurner, Gitlab issue #16.
* Fetchmail now checks for errors when trying to read the .idfile,
Gitlab issue #3.
* Fetchmail's error messages that reports that the defaults entry isn't the
first was made more precise. It could be misleading if there was a poll or
skip statement before the defaults.
## CHANGES:
* Fetchmail documentation was updated to require OpenSSL 1.1.1.
OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
distributors backport security fixes as the need arises.
Fetchmail will also warn if another SSL library that is API-compatible
with OpenSSL lacks TLS v1.3 support.
* If the trust anchor is missing, fetchmail refers the user to README.SSL.
## INTERNAL CHANGES:
* The AC_DECLS(getenv) check was removed, its only user was broken and not
accounting for that AC_DECLS always defines HAVE_DECL_... to 0 or 1, so
fetchmail never declared a missing getenv() symbol (it was testing with
#ifdef). Remove the backup declaration. getenv is mandated by SUSv2 anyways.
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATORS:
* sq: Besnik Bleta [Albanian]
* zh_CN: Boyuan Yang [Chinese (simplified)]
* pl: Jakub Bogusz [Polish]
* cs: Petr Pisar [Czech]
* fr: Frédéric Marchal [French]
* sv: Göran Uddeborg [Swedish]
* eo: Felipe Castro [Esperanto]
--------------------------------------------------------------------------------
fetchmail-6.4.2 (released 2020-02-14, 27473 LoC):
## BREAKING CHANGES:
* fetchmailconf now supports Python 3 and currently requires the "future"
package, see https://pypi.org/project/future/.
* fetchmailconf: The minimum supported version is now Python 2.7.13, but it is
recommended to use at least 2.7.16 (due to its massive SSL updates).
Older Python versions may check SSL certificates not strictly enough,
which may cause fetchmail to complain later, if the certificate verify fails.
* fetchmailconf now autoprobes SSL-wrapped connections (ports 993 and 995 for
IMAP and POP3) as well and by preference.
* fetchmailconf now defaults newly created users to "ssl" if either of the
existing users sets ssl, or if the server has freshly been probed and
found supporting ssl.
There is a caveat: adding a user to an existing server without probing it
again may skip adding ssl. (This does not prevent STARTTLS.)
## BUG FIXES:
* Fix three bugs in fetchmail.man (one unterminated string to .IP macro, one
line that ran into a .PP macro, .TH date format), and remove one .br request
from inside the table, which is unsupported by FreeBSD 12's mandoc(1)
formatter. FreeBSD Bug#241032, reported by Helge Oldach.
* Further man page fixes and additions by Chris Mayo and Gregor Zattler.
* When evaluating the need for STARTTLS in non-default configurations (SSL
certificate validation turned off), fetchmail would only consider --sslproto
tls1 as requiring STARTTLS, now all non-empty protocol versions do.
* fetchmailconf now properly writes "no sslcertck" if sslcertck is disabled.
* fetchmailconf now catches and reports OS errors (including DNS errors) when
autoprobing. Reported as Gitlab issue #12 by Sergey Alirzaev.
* fetchmailconf received a host of other bugfixes, see the Git commit log.
## CHANGES:
* Make t.smoke more robust and use temporary directory as FETCHMAILHOME, to make
sure that the home directory resolves for the user running the test suite
even if the environment isn't perfect. Reported by Konstantin Belousov,
analysed by Corey Halpin, FreeBSD Bug#240914.
## UPDATED TRANSLATION - THANKS TO:
* zh_CN: Boyuan Yang [Chinese (simplified)]
--------------------------------------------------------------------------------
fetchmail 6.4.1 (released 2019-09-28, 27473 LoC):
## REGRESSION FIXES:
* The bug fix Debian Bug#941129 was incomplete and caused
+ a regression in the default file locations, so that fetchmail was no longer
able to find its configuration files in some situations.
Reported by Cy Schubert, Christian Ebert.
+ a regression under _FORTIFY_SOURCE where PATH_MAX > minimal _POSIX_PATH_MAX.
--------------------------------------------------------------------------------
fetchmail 6.4.0 (released 2019-09-27, 27429 LoC):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.
## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION
* Fetchmail no longer supports SSLv2.
* Fetchmail no longer attempts to negotiate SSLv3 by default,
even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with
STARTTLS). If the OpenSSL version used at build and run-time supports these
versions, --sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3.
Doing so is discouraged because the SSLv3 protocol is broken.
Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843.
While this change is supposed to be compatible with common configurations,
users may have to and are advised to change all explicit --sslproto ssl2
(change to newer protocols required), --sslproto ssl3, --sslproto tls1 to
--sslproto auto, so that they can benefit from TLSv1.1 and TLSv1.2 where
supported by the server.
The --sslproto option now understands the values auto, ssl3+, tls1+, tls1.1,
tls1.1+, tls1.2, tls1.2+, tls1.3, tls1.3+ (case insensitively), see CHANGES
below for details.
* Fetchmail defaults to --sslcertck behaviour. A new option --nosslcertck to
override this has been added, but may be removed in future fetchmail versions
in favour of another configuration option that makes the insecurity in using
this option clearer.
## SECURITY FIXES
* Fetchmail prevents buffer overruns in GSSAPI authentication with user names
beyond c. 6000 characters in length. Reported by Greg Hudson.
## CHANGED REQUIREMENTS
* fetchmail 6.4.0 is written in C99 and requires a SUSv3 (Single Unix
Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with
XSI extension) compliant system. For now, a C89 compiler should also work
if the system is SUSv3 compliant.
In particular, older fetchmail versions had workaround for several functions
standardized in the Single Unix Specification v3, these have been removed.
The trio/ library has been removed from the distribution.
## CHANGES
* fetchmail 6.3.X is unsupported.
* fetchmail now configures OpenSSL support by default.
* fetchmail now requires OpenSSL v1.0.2 or newer.
* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
* --sslproto tls1.1+, tls1.2+, and tls1.3+ are now supported for
auto-negotiation with a minimum specified TLS protocol version, and --sslproto
tls1.1, --sslproto tls1.2 and --sslproto tls1.3 to force the specified TLS
protocol version. Note that tls1.3 requires OpenSSL v1.1.1 or newer.
* Fetchmail now detects if the server hangs up prematurely during SSL_connect()
and reports this condition as such, and not just as SSL connection failure.
(OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert).
* A foreground fetchmail can now accept a few more options while another copy is
running in the background.
* fetchmail now handles POP3 --keep UID lists more efficiently, by using Rainer
Weikusat's P-Tree implementation. This reduces the complexity for handling
a large UIDL from O(n^2) to O(n log n) and becomes noticably faster with
thousands of kept messages.
(IMAP does not currently track UIDs and is unaffected.)
At the same time, the UIDL emulation code for deficient servers has been
removed. It never worked really well. Servers that do not implement the
optional UIDL command only work with --fetchall option set, which in itself is
incompatible with the --keep option (it would cause message duplication).
* fetchmail, when setting up TLS connections, now uses SSL_set_tlsext_host_name()
to set up the SNI (Server Name Indication). Some servers (for instance
googlemail) require SNI when using newer SSL protocols.
* Fetchmail now sets the expected hostname through OpenSSL 1.0.2's new
X509_VERIFY_PARAM_set1_host() function to enable OpenSSL's native certificate
verification features.
* fetchmail will drop the connection when fetching with IMAP and receiving an
unexpected untagged "* BYE" response, to work around certain faulty servers.
* The FETCHMAIL_POP3_FORCE_RETR environment variable is now documented,
it forces fetchmail, when talking POP3, to always use the RETR command,
even if it would otherwise use the TOP command.
* Fetchmail's configure stage will try to query pkg-config or pkgconf for libssl
and libcrypto, in case other system use .pc files to document specific library
dependencies. (contributed by Fabrice Fontaine, GitLab merge request !14.)
* The gethostbyname() API calls and compatibility functions have been removed.
* These translations are shipped but not installed by default because
they have less than 500 translated messages out of 714: el fi gl pt_BR sk tr
-> Greek, Finnish, Galician, Brazilian Portuguese, Slovak, Turkish.
* Fetchmail now refuses delivery if the MDA option contains single-quoted
expansions.
## FIXES
* Fix a typo in the FAQ. Submitted by David Lawyer, Debian Bug#706776.
* Do not translate header tags such as "Subject:". Reported by Gonzalo Pérez de
Olaguer Córdoba, Debian Bug#744907.
* Convert most links from berlios.de to sourceforge.net.
* Report error to stderr, and exit, if --idle is combined with multiple
accounts.
* Point to --idle from GENERAL OPERATION to clarify --idle and multiple
mailboxes do not mix. In response to Jeremy Chadwick's trouble 2014-11-19,
fetchmail-users mailing list.
* Fix SSL-enabled build on systems that do not declare SSLv3_client_method(),
or that #define OPENSSL_NO_SSL3 inside #include <openssl/ssl.h>
Related to Debian Bug#775255. Fixes Debian Bug #804604.
* Version report lists -SSLv3 on SSL-enabled no-ssl3 builds.
* Fetchmail no longer adds a NUL byte to the username in GSSAPI authentication.
This was reported to break Kerberos-based authentication with Microsoft
Exchange 2013 by Greg Hudson.
* Set umask properly before writing the .fetchids file, to avoid failing the
security check on the next run. Reported by Fabian Raab,
Fixes Debian Bug#831611.
* When forwarding by LMTP, also check antispam response code when collecting
the responses after the CR LF . CR LF sequence at the end of the DATA phase.
(Contributed by Evil.2000, GitLab merge request !12.)
* fetchmail will not try other protocols after a socket error. This avoids
mismatches of how different prococols see messages as "seen" and re-fetches
of known mail. (Fix contributed by Lauri Nurmi, GitLab Merge Request !10.)
* fetchmail no longer reports "System error during SSL_connect(): Success."
Fixes Debian Bug#928916, reported by Paul Kimoto.
* fetchmailconf would ignore Edit or Delete actions on the first (topmost)
item in a list (no matter if server list, user list, ...).
* The mimedecode feature now properly detects multipart/mixed-type matches, so
that quoted-printable-encoded multipart messages can get decoded.
(Regression in 5.0.0 on 1999-03-27, as a side effect of a PGP-mimedecode fix
attributed to Henrik Storner.)
* FETCHMAILHOME can now safely be a relative path, which will be qualified
through realpath(). Previously, it had to be absolute in daemon mode.
Reported by Alex Andreotti, Debian Bug#941129.
## UPDATED TRANSLATIONS - THANKS TO:
* CS: Petr Pisar <[email protected]> [Czech]
* EO: Felipe Castro <[email protected]> [Esperanto]
* FR: Frédéric Marchal <[email protected]> [French]
* JP: Takeshi Hamasaki <[email protected]> [Japanese]
* PL: Jakub Bogusz <[email protected]> [Polish]
* SV: Göran Uddeborg <[email protected]> [Swedish]
--------------------------------------------------------------------------------
fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
# CRITICAL BUG FIX for setups using "mimedecode":
* The mimedecode feature failed to ship the last line of the body if it was
encoded as quoted-printable and had a MIME soft line break in the very last
line. Reported by Lars Hecking in June 2011.
Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
before release 4.4.1 through code contributed by Henrik Storner.
Workaround for older releases: do not use mimedecode feature.
Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
but it was not.
Fixes Launchpad Bug#1171818.
fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):
# BUG FIXES
* Fix a memory leak in out-of-memory error condition while handling plugins.
Report and patch by John Beck (found with Parfait static code analyzer).
* Fix a NULL pointer dereference in out-of-memory error condition while handling
plugins.
Report and patch by John Beck (found with Parfait static code analyzer).
# CHANGES
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
PARTIAL fix for Debian Bug#700266.
* The fetchmail manual page now refers the user to --softbounce from the
SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
# WORKAROUNDS
* Older systems that provide the older RFC-2553 implementation of getaddrinfo,
rather than the current RFC-3493, and systems that do not provide this
getaddrinfo() interface at all and thus use the replacement functions from
libesmtp/getaddrinfo.?, might return EAI_NODATA when a host is registered in
DNS as MX or similar, but without A or AAAA records. Handle this situation
when checking for multidrop aliases and treat EAI_NODATA the same as
EAI_NONAME, i. e. name cannot be resolved.
The proper fix, however, is to upgrade the operating system.
# TRANSLATION UPDATES
[cs] Czech, by Petr Pisar
[da] Danish, by Joe Hansen
[de] German
[eo] Esperanto, by Sian Mountbatten and Felipe Castro
[fr] French, by Frédéric Marchal
[ja] Japanese, by Takeshi Hamasaki
[pl] Polish, by Jakub Bogusz
[sv] Swedish, by Göran Uddeborg
[vi] Vietnamese, by Trần Ngọc Quân
fetchmail-6.3.24 (released 2012-12-23, 26108 LoC):
# CRITICAL AND REGRESSION FIXES
* Plug a memory leak in OpenSSL's certificate verification callback.
This would affect fetchmail configurations running with SSL in daemon mode
more than one-shot runs.
Reported by Erik Thiele, and pinned by Dominik Heeg,
fixes Debian Bug #688015.
This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
when support for subjectAltName was added through a patch by Roland
Stigge, submitted as Debian Bug#201113.
* The --logfile option now works again outside daemon mode, reported by Heinz
Diehl. The documentation that I had been reading was inconsistent with the
code, and only parts of the manual page claimed that --logfile was only
effective in daemon mode.
fetchmail-6.3.23 (released 2012-12-10, 26106 LoC):
# REGRESSION FIXES
* Fix compilation with OpenSSL implementations before 0.9.8m that lack
SSL_CTX_clear_options. Patch by Earl Chew.
Note that the use of older OpenSSL versions with fetchmail is unsupported and
*not* recommended.
# BUG FIXES
* Fix combination of --plugin and -f -. Patch by Alexander Zangerl,
to fix Debian Bug#671294.
* Clean up logfile vs. syslog handling, and in case logfile overrides
syslog, send a message to the latter stating where logging goes.
# CHANGES
* The build process can now be made a bit more silent and concise through
./configure --enable-silent-rules, or by adding "V=0" to the make command.
# WORKAROUNDS
* Make Maillennium POP3 workarounds less specific, to encompass
Maillennium POP3/UNIBOX (Maillennium V05.00c++). Reported by Eddie
via fetchmail-users mailing list, 2012-10-13.
# TRANSLATION UPDATES
[cs] Czech, by Petr Pisar
[da] Danish, by Joe Hansen
[de] German
[fr] French, Frédéric Marchal
[ja] Japanese, Takeshi Hamasaki
[pl] Polish, by Jakub Bogusz
[sv] Swedish, by Göran Uddeborg
[vi] Vietnamese, Trần Ngọc Quân
fetchmail-6.3.22 (released 2012-08-29, 26077 LoC):
# SECURITY FIXES
* for CVE-2012-3482:
NTLM: fetchmail mistook an error message that the server sent in response to
an NTLM request for protocol exchange, tried to decode it, and crashed while
reading from a bad memory location.
Also, with a carefully crafted NTLM challenge packet sent from the server, it
would be possible that fetchmail conveyed confidential data not meant for the
server through the NTLM response packet.
Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
NTLM authentication in case of error.
See fetchmail-SA-2012-02.txt for further details.
Reported by J. Porter Clark.
* for CVE-2011-3389:
SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
against a certain kind of attack against cipher block chaining initialization
vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
Whether this creates an exploitable situation, depends on the server and the
negotiated ciphers.
As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
NOTE that this can cause connections to certain non-conforming servers to
fail, in which case you can set the environment variable
FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
fetchmail to re-instate the compatibility option at the expense of security.
Reported by Apple Product Security.
For technical details, refer to <http:https://www.openssl.org/~bodo/tls-cbc.txt>.
See fetchmail-SA-2012-01.txt for further details.
# BUG FIX
* The Server certificate: message in verbose mode now appears on stdout like the
remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
* The GSSAPI-related autoconf code now matches gssapi.c better, and uses
a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
# CHANGES
* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
reference it (to fix the build) and if configured, print a run-time error
that the OS does not support SSLv2. Fixes Debian Bug #622054,
but note that that bug report has a more thorough patch that does away with
SSLv2 altogether.
* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
was dropped). The Creative Commons address was updated.
* The Python-related Makefile.am parts were simplified to avoid an automake
1.11.X bug around noinst_PYTHON, Automake Bug #10995.
* Configuring fetchmail without SSL now triggers a configure warning,
and asks the user to consider running configure --with-ssl.
# WORKAROUND
* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
a header request, in the face of message corruption. fetchmail now treats
these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
without any header in response to a header request for meeting reminder
messages (with a "meeting.ics" attachment). fetchmail now treats these as
transient errors. Report by John Connett, Patch by Sunil Shetye.
# TRANSLATION UPDATES
* [cs] Czech, by Petr Pisar
* [de] German
* [fr] French, by Frédéric Marchal
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
* [vi] Vietnamese, by Trần Ngọc Quân
fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):
# CRITICAL BUG FIX
* The IMAP client no longer inserts NUL bytes into the last line of a message
when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt.
As a side effect of the fix, and in order to avoid a full rewrite, fetchmail
will now CRLF-terminate the last line fetched through IMAP, even if it is
originally not terminated by LF or CRLF. This bears no relevance if your
messages end up in mbox, but adds line termination for storages (like Maildir)
that do not require that the last line be LF- or CRLF-terminated.
# CONTRIB/ addition
* There is a patch against fetchnews's source, contrib/rawlog.patch, that can
log (and hexdump non-printing characters) raw socket data to a file. It proved
useful to debug Antoine's bug described above.
fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
# SECURITY BUG FIXES
* CVE-2011-1947:
STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
set timeout (default five minutes) now. This was reported missing, with
observed fetchmail freezes beyond a week, by Thomas Jarosch.
SSL-wrapped connections were unaffected by this timeout, so users of older
versions can force ssl-wrapped connections -- if supported by the server --
with the --ssl command line or ssl rcfile option.
See fetchmail-SA-2011-01.txt for further details.
# BUG FIXES
* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
new messages and most of the range searches result in nothing. Instead, split
the long response to make the IMAP driver think that there are multiple lines
of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
there are too many old messages, the logs just get filled without any real
activity. (Sunil Shetye) (suggested by Yunfan Jiang)
* Build: fetchmail now always uses its own MD5 implementation rather than trying
to find a system library with matched header. The library and header variants
found on systems are too diverse, and the code size saving is not worth any
more wasted user or programmer time.
# CHANGES
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
there is no portable way to configure actual timeouts for this mode, and some
systems only support a system-wide timeout setting. fetchmail does not
attempt to tune the time spans of keepalive mode.
# TRANSLATION UPDATES
[cs] Chech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German (Matthias Andree)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
# ERRATUM NOTICE ISSUED
* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.
# BUG FIXES
* When specifying multiple local multidrop lists, do not lose wildcard flag.
(Affects "user foo is bar baz * is joe here")
* In multidrop configurations, an asterisk can now appear anywhere in the list
of local users, not just at the end.
* In multidrop mode, header parsing is now more verbose in -vv mode, so that it
becomes possible to see which header is used.
* Make --antispam work from command line (these used to work in rcfiles).
Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
documents. Skip validating Mailbox-Names-UTF7.html. Several systems have
broken XHTML 1.1 DTD installations that jeopardize the build.
Reported by Mihail Nechkin against FreeBSD port.
Workaround for 6.3.18: build in a separate directory, i. e:
mkdir build && cd build && ../configure --options-go-here
* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
and Derek Simkowiak via the fetchmail-users@ mailing list.
* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
server capabilities do not show support for upgradation to TLS.
To use this, configure --sslproto tls1. (Sunil Shetye)
* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
Yasin Malli to fetchmail-users@ 2010-12-10.
Note that fetchmail continues to expect literals as FETCH response for now.
# DOCUMENTATION
* The manual page now links to IANA for GSSAPI service names.
# TRANSLATION UPDATES
[cs] Czech (Petr Pisar)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[pl] Polish (Jakub Bogusz)
fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
* Fetchmail now only accepts wildcard certificate common names and subject
alternative names if they start with "*.". Previous versions would accept
wildcards even if no period followed immediately.
* Fetchmail now disallows wildcards in certificates to match domain literals
(such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
The test is overly picky and triggers if the pattern (after skipping the
initial wildcard "*") or domain consists solely of digits and dots, and thus
matches more than needed.
* Fetchmail now disallows wildcarding top-level domains.
# CRITICAL BUG FIXES AND REGRESSION FIXES
* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
functions, as an effect of an undocumented Solaris MD5 fix.
This caused all MD5-related functions to malfunction if, for instance,
libmd5.so was installed on other operating systems as part of libwww on
machines where long isn't 32-bits, i. e. usually on 64-bit computers.
Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
--sslfingerprint was specified. This is an omission from an SSL usability
change made in 6.3.17.
Fixes Debian Bug#580796 reported by Roland Stigge.
* Fetchmail will now apply timeouts to the authentication stage.
This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
Reported missing by Thomas Jarosch.
* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
errors, such as no or unsuitable credentials.
It now sends an asterisk on a line by its own, as required in SASL.
This fixes protocol synchronization issues that cause Authentication
failures, often observed with kerberized MS Exchange servers.
Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.
# BUG FIXES
* Fetchmail will no longer print connection attempts and errors for one host
in "silent" and "normal" logging modes, unless all connections fail. This
should reduce irritation around refused-connection logging if services are
only on an IPv4 socket if the host also supports IPv6. Often observed as
connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
all connect errors and only report them if all of them fail.
* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
credentials. However, if GSSAPI authentication is requested explicitly,
fetchmail will always try it.
* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
* The manual page clearly states that --principal is for Kerberos 4 only, not
for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
# CHANGES
* When encountering incorrect headers, fetchmail will refer to the bad-header
option in the manpage.
Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
* Fetchmail now decodes and reports GSSAPI status codes upon errors.
* Fetchmail now autoprobes NTLM also for POP3.
* The Fetchmail FAQ has a new item #R15 on authentication failures.
# INTERNAL CHANGES
* The common NTLM authentication code was factored out from pop3.c and imap.c.
# TRANSLATION UPDATES
[zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
# SECURITY FIX
* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
external input (mail headers and UID). When a multi-character locale (such as
UTF-8) was in use, this could cause memory exhaustion and thus a denial of
service, because fetchmail's report.c functions assumed that non-success of
[v]snprintf was due to insufficient buffer size allocation. It would then
repeatedly reallocate a larger buffer and fail formatting again.
See fetchmail-SA-2010-02.txt.
# FEATURES
* Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
file (a file that contains trusted CA certificates). Since these bundled CA
files do not require c_rehash to be run, they are easier to use and immune to
OpenSSL library updates that affect the hash function.
* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
environment variable to force loading the default SSL CA certificate
locations even if --sslcertfile or --sslcertpath is used.
If neither option is in effect, fetchmail loads the default locations.
# REGRESSION FIX
* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
run control file in certain circumstances. Fixes BerliOS bug #14257.
Patch by Michael Banack. This fixes a regression introduced before 6.3.0.
# BUG FIXES
* Plug memory leak when using a "defaults" entry in the run control file.
* Do not print SSL certificate mismatches unless verbose or --sslcertck is
enabled.
* Do not lose "set invisible" in fetchmailconf. (Michael Barnack)
# CHANGES
* Usability: SSL certificate chains are fully printed in -v -v mode, and there
are now helpful pointers to --sslcertpath and c_rehash for "unable to get
local issuer certificate" and self-signed certificates -- these usually hint
to missing root signing CAs in the certs directory.
* Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
* Memory allocation failures will now cause abnormal program abort (SIGABRT),
no longer an exit with unspecified code.
* Print a warning if certificate verification failed and the user did not
specify --sslcertck.
# DOCUMENTATION
* Fix table of global option to read "set softbounce" where there used to be a
2nd copy of "set spambounce". Patch by Michael Banack, BerliOS Bug #17067.
* In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X
to 1.0.0 upgrade in particular) may require running c_rehash.
# TRANSLATION UPDATES
[zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German
[id] Indonesian (Andhika Padmawan)
[it] Italian (Vincenzo Campanella)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
[vi] Vietnamese (Clytie Siddall)
fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):
# BUG FIX
* Fix --interface option, broken in 6.3.15. Reported by Vladmimir Stavrinov.
Fixes Debian Bug #576717.
# CHANGE
* Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory
and non-standard algorithms in certificates.
Sjoerd Simons, to fix Debian Bug #576430.
OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default.
Reported as OpenSSL RT#2224.
fetchmail-6.3.15 (released 2010-03-28, 25572 LoC):
# FEATURE
* Fetchmail now supports a bad-header command line or rcfile option that takes
exactly one argument, accept or reject (default). This specifies how messages
with bad headers retrieved from the current server are to be treated.
# BUG FIXES
* In the rcfile, recognize "local" as abbreviation for "localdomains", as
documented. The short form has not ever worked since this feature was added in
January 1997. Reported by Frédéric Marchal.
* Do not close stdout when using mda and "bsmtp -" at the same time.
* Log operating system errors when BSMTP writes fail.
* Fix verbose mode progress formatting regression from 6.3.10; SMTP trace lines
were no longer on a line of their own. Reported by Melchior Franz.
* Check seteuid() return value and abort running MDA if switch fails.
* Set global flags in a consistent manner. Make --nosoftbounce and
--nobounce work from command line (these used to work in rcfiles).
Reported and fix confirmed working by N.J. Mann. (Sunil Shetye)
* Properly import h_errno declarations, even on systems where h_errno isn't a
macro. (Adds ./configure check, fixes Cygwin dllimport warnings.)
# CHANGES
* The repository has been converted and moved from the Subversion (SVN) format
kindly hosted by Graham Wilson over the past years to Git format hosted on
Gitorious.org. My deepest thanks to Graham Wilson for this service that
kept us going when BerliOS's Subversion service was faulty in its early days.
* This opportunity was used to convert BRANCH_6-2 and BRANCH_1-9-9 to
GnuPG-signed tags, as a sign that these are now closed.
* The outdated SVN trunk is now called "oldtrunk" in Git just to save the work
for future reference. All development in the past few years was on BRANCH_6-3.
* master was branched from BRANCH_6-3. BRANCH_6-3 is now obsolete (and in fact
was also converted to a tag to record where the conversion from SVN to Git
took place).
* "make check" now skips HTML validation if xmllint or XHTML DTD are missing.
# DOCUMENTATION
* Web site and documentation were adjusted to reflect the SVN->Git move.
* The fetchmail manual page is now much clearer on the user id switching
(seteuid) when using --mda while running as the super user.
# TRANSLATION UPDATES, by language name
* [zh_CN] Chinese (Simplified), by Ji Zheng-Yu
* [cs] Czech, by Petr Pisar
* [nl] Dutch, by Erwin Poeze
* [fr] French, by Frédéric Marchal
* [de] German
* [id] Indonesian, by Andhika Padmawan
* [it] Italian, by Vincenzo Campanella
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [vi] Vietnamese, by Clytie Siddall
fetchmail 6.3.14 (released 2010-02-05, 25487 LoC):
# SECURITY FIXES
* CVE-2010-0562: SSL/TLS certificate information is now also reported properly
on computers that consider the "char" type signed. Fixes malloc() buffer
overrun. Workaround for older versions: do not use verbose mode.
See fetchmail-SA-2010-01.txt for details, including a minimal patch.
# BUG FIXES
* The IMAP client no longer skips messages from several IMAP servers including
Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
ignored some untagged responses when it should not (b) relied on EXISTS
messages in response to EXPUNGE, which aren't mandated by RFC-3501 (the IMAP
standard) and aren't sent by Dovecot either.
Fix by Sunil Shetye (the fix also consolidates IMAP response handling,
improving overall robustness of the IMAP client), bug report and testing by
Matt Doran, with further hints from Timo Sirainen.
* The SMTP client now recovers from errors (such as servers dropping the
connection after errors) when sending an RSET command.
Fix by Sunil Shetye. Report by James Moe.
* The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH UNSEEN NOT
DELETED" again on IMAP2, to fix a regression in fetchmail 6.2.5 reported by
Will Stringer in June 2004. (Sunil Shetye)
* The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4 and IMAP4r1
servers (Sunil Shetye).
* Workaround: The IMAP client now falls back to "FETCH n:m FLAGS" if the server
does not support "SEARCH". (Sunil Shetye)
* The IMAP client now requests message numbers in batches of 1,000 to avoid
problems if there are more than 1860 unseen messages. (Sunil Shetye)
Note that this wasn't security relevant because fetchmail would only read up
to the maximum buffer size and leave the remainder of the string unread, going
out of synch afterwards.
* Stricter validation of IMAP responses containing byte or message counts.
# CHANGES
* Only include gssapi.h if we're not including gssapi/gssapi.h, to fix a FreeBSD
compiler warning about gssapi.h being obsolete.
# DOCUMENTATION
* The README.SSL document was revised for grammar, spelling, and clarity.
Courtesy of Robert Mullin.
# TRANSLATION UPDATES
* [it] Italian, by Vincenzo Campanella
fetchmail 6.3.13 (released 2009-10-30, 25333 LoC):
# REGRESSION FIXES
* The multiline SMTP error fix in release 6.3.12 caused fetchmail to lose
message codes 400..599 and treat all of these as temporary error. This would
cause messages to be left on the server even if softbounce was turned off.
Reported by Thomas Jarosch.
# TRANSLATION UPDATES
* [cs] Czech, by Petr Pisar
* [zh_CN] Chinese (simplified), by Ji ZhengYu
* [nl] Dutch, by Erwin Poeze
* [id] Indonesian, by Andhika Padmawan
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [es] Spanish (Castilian), by Franciso Molinero
* [vi] Vietnamese, by Clytie Siddall
fetchmail 6.3.12 (released 2009-10-05):
# REGRESSION FIXES
* The CVE-2009-2666 fix in fetchmail release 6.3.11 caused a free() of
unallocated memory on SSL connections, which caused crashes or program aborts
on some systems (depending on how initialization and free() of unallocated
memory is handled in compiler and libc).
Workaround for older versions: run in verbose mode.
Patch courtesy of Thomas Heinz, fixes Gentoo Bug #280760.
This regression affected only the 6.3.11 release, but not the patch that was
part of the security announcement fetchmail-SA-2009-01.
# BUG FIXES
* Fix error reporting for GSSAPI on Heimdal (h5l) Kerberos.
* Look for MD5_Init in libcrypto rather than libssl, fixes Gentoo Kerberos
builds; fixes upstream parts of Gentoo Bugs #231400 and #185652, and fixes
BerliOS Bug #16134.
* Report multiline SMTP errors properly, reported by Earl Chew; fixes Debian Bug
#529899, reported by Akihiro Terasaki.
Note: This fix introduced a regression, fixed in 6.3.13.
* Replace control characters in SMTP replies by '?'.
* Fetchmailconf: Fix descriptions for smtpaddress and smtpname options;
smtpaddress is for RCPT TO, not MAIL FROM. Found by Gerard Seibert.
# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
* [ca] Catalan (Ernest Adrogué Calveras)
* [zh_CN] Chinese/Simplified (Ji ZhengYu)
* [cs] Czech (Petr Pisar)
* [ja] Japanese (Takeshi Hamasaki)
* [pl] Polish (Jakub Bogusz)
* [es] Spanish/Castilian (Francisco Molinero)
* [vi] Vietnamese (Clytie Siddall)
fetchmail 6.3.11 (released 2009-08-06):
# SECURITY BUGFIXES
* CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a
part of a X.509 certificate's CommonName and subjectAltName fields. These
fields use opaque strings with a separate length field, so that the NUL
character isn't a special character inside the certificate. Fetchmail, being
written in the C language, used to treat these strings as C strings
nonetheless, so that the domain comparison would end at the first embedded NUL
character, rather than at the real end of the string.
Fetchmail will now abort certificate verification as failed if NULs are
encountered inside either of these fields regardless of their position, and
drop the connection even if --sslcertck is not used, because NUL is not a
valid character in legitimate DNS names.
See fetchmail-SA-2009-01.txt for details, including a minimal patch.
# BUGFIXES
* Remove the spurious message "message delimiter found while scanning headers".
RFC-5322 syntax states that the delimiter is part of the body, and the body is
optional.
* Convert all non-printable characters in certificate Subject/Issuer
Common Name or Subject Alternative Name fields to ANSI-C hex escapes (\xnn,
where nn are hex digits).
Note that this change introduces a regression, fixed in 6.3.12.
See the 6.3.12 documentation above for details and a workaround.
# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
* [zh_CN] Chinese/Simplified (Ji ZhengYu)
* [es] Spanish/Castilian (Francisco Molinero)
fetchmail 6.3.10 (released 2009-07-02):