# SECURITY FIXES
* SSL/TLS certificate information is now also reported properly on computers
that consider the "char" type signed. Fixes malloc() buffer overrun.
Workaround for older versions: do not use verbose mode. CVE-2010-0562
See fetchmail-SA-2010-01.txt for details, including a minimal patch.
# BUG FIXES
* The IMAP client no longer skips messages from several IMAP servers including
Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
ignored some untagged responses when it should not (b) relied on EXISTS
messages in response to EXPUNGE, which aren't mandated by RFC-3501 (the IMAP
standard) and aren't sent by Dovecot either.
Fix by Sunil Shetye (the fix also consolidates IMAP response handling,
improving overall robustness of the IMAP client), bug report and testing by
Matt Doran, with further hints from Timo Sirainen.
* The SMTP client now recovers from errors (such as servers dropping the
connection after errors) when sending an RSET command.
Fix by Sunil Shetye. Report by James Moe.
* The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH UNSEEN NOT
DELETED" again on IMAP2, to fix a regression in fetchmail 6.2.5 reported by
Will Stringer in June 2004. (Sunil Shetye)
* The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4 and IMAP4r1
servers (Sunil Shetye).
* Workaround: The IMAP client now falls back to "FETCH n:m FLAGS" if the server
does not support "SEARCH". (Sunil Shetye)
* The IMAP client now requests message numbers in batches of 1,000 to avoid
problems if there are more than 1860 unseen messages. (Sunil Shetye)
Note that this wasn't security relevant because fetchmail would only read up
to the maximum buffer size and leave the remainder of the string unread, going
out of synch afterwards.
* Stricter validation of IMAP responses containing byte or message counts.
# CHANGES
* Only include gssapi.h if we're not including gssapi/gssapi.h, to fix a FreeBSD
compiler warning about gssapi.h being obsolete.
# DOCUMENTATION
* The README.SSL document was revised for grammar, spelling, and clarity.
Courtesy of Robert Mullin.
# TRANSLATION UPDATES
* [it] Italian, by Vincenzo Campanella
----------
Approved by: Corey Halpin (port maintainer)
Approved by: miwi@ (mentor)
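The signed-"char" overrun named under SECURITY FIXES above, as an added example (not fetchmail's code and not part of the original commit message). It assumes a routine that renders non-printable bytes as `\xNN` into a buffer budgeted at four output characters per input byte; the page does not describe the affected code, and the names `escape_byte`, `escaped_size`, `escape_safe` and the sample string are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a certificate-style field holding six bytes >= 0x80. */
static const char SAMPLE[] = "O=\xE6\x97\xA5\xE6\x9C\xAC";
/* Allocation budget: every input byte may become "\xNN" (4 chars), plus NUL. */
static size_t budget(size_t n) { return 4 * n + 1; }
/* Escape one byte. as_signed=1 models formatting a signed char without a cast
 * (assumes 32-bit int). Returns the number of chars the escape needs. */
static int escape_byte(char *out, size_t cap, char c, int as_signed)
{
    unsigned char u = (unsigned char)c;
    if (u < 0x80 && isprint(u))
        return snprintf(out, cap, "%c", u);
    unsigned int v = as_signed ? (unsigned int)(int)(signed char)c : u;
    return snprintf(out, cap, "\\x%02X", v);  /* as_signed gives \xFFFFFFNN */
}

/* Bytes (including NUL) that escaping s[0..n) needs under either behaviour. */
size_t escaped_size(const char *s, size_t n, int as_signed)
{
    char tmp[16];
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += (size_t)escape_byte(tmp, sizeof tmp, s[i], as_signed);
    return total;
}

/* Hardened form: unsigned conversion and bounded writes; NULL on any overrun. */
char *escape_safe(const char *s, size_t n)
{
    size_t cap = budget(n), pos = 0;
    char *out = malloc(cap);
    for (size_t i = 0; out && i < n; i++) {
        int w = escape_byte(out + pos, cap - pos, s[i], 0);
        if (w < 0 || (size_t)w >= cap - pos) { free(out); return NULL; }
        pos += (size_t)w;
    }
    if (out) out[pos] = '\0';
    return out;
}

int main(void)
{
    size_t n = strlen(SAMPLE);
    printf("budget=%zu unsigned=%zu signed=%zu\n", budget(n),
           escaped_size(SAMPLE, n, 0), escaped_size(SAMPLE, n, 1));
}
```

With the sign-extended conversion the escaped form needs more bytes than the 4n+1 budget, which is the condition for a heap overrun when the writes are unbounded.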
- Remove Kerberos IV support, insecure and obsolete
- Mark BROKEN if KRB5_HOME is set and invalid
- Kill pre-configure, no longer needed
- Kill obsolete POP2 from make config menu, still available if given on make
command line
- Auto-detect KRB5_HOME if it's $LOCALBASE or /usr
- MARK_JOBS_SAFE=yes
- Cease messing with @cwd in pkg-plist
- Reduce asterisks on pkg-message.in, to avoid screen clutter on long $PREFIX
Rely on krb-config instead.
PR: 140100
Submitted by: Matthias Andree <matthias.andree@gmx.de>
Approved by: maintainer
- Add rcNG script. See $PREFIX/etc/rc.d/fetchmail for
instructions. Inspired by [2] and ports/www/apache22.
PR: ports/96987 [1], ports/96079
Submitted by: Rob MacGregor <freebsd.macgregor@blueyonder.co.uk> [1],
Martin Jackson <mhjacks@swbell.net>
- From the announcement:
fetchmail 6.3.0 has been released on 2005-11-30. More than two years
after the previous formal 6.2.5 release, this collects several dozen
bug fixes, documentation, portability and IPv6 improvements and marks
the beginning of a new "stable" 6.3.X branch that will not change,
except for bug fixes and documentation updates.
- files/patch-pop2.c contributed by Stanislav Brabec <sbrabec@suse.cz>
via Matthias Andree <matthias.andree@gmx.de> (upstream maintainer)
insecure file creation.
- While here, move berlios.de to the top of the MASTERSITEs, since
development takes place there.
- Bump PORTREVISION
Security: CVE-2005-3088
Security: http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt
in version 6.2.5.1
- Use distribution patch from fetchmail.berlios.de instead of keeping the
security fix in CVS (-> remove patch-r1, patch-s1 which contained the
update from 6.2.5 to 6.2.5.1).
- The above patch also contains a patch that we kept locally in
patch-driver.c: This one has been removed, too.
- Use DOCSDIR macro in pkg-plist
- Don't install yet another copy of GPL
- Pass maintainership to Oliver Eikemeier
PR: 58283, 58341
Submitted by: Oliver Eikemeier <eikemeier@fillmore-labs.com>,
Esa Karkkainen <ejk@iki.fi>
Approved by: Ville Eerola <ve@sci.fi> (previous maintainer),
krion (implicit)
are included in the package, and it contains many upstream bugfixes, installs
the NEWS documentation file. These are the upstream fixes:
* OTP fix patches from Stanislav Brabec <utx@penguin.cz>
* fix patch for writing antispam capability correctly in conf.c.
* Fix patches for Debian bugs #162571, #156592.
* Correction to manpage re -b and qmail.
* Patch to disable use of STLS if auth passwd is specified.
* Fix specfile generation to handle SSL correctly.
* New Danish, Turkish, and Catalan translation files.
* Improved ODMR debug messages.
* IMAP efficiency hack; don't fetch sizes unless needed.
* Detect and rewrite invalid return paths beginning with @.
* Fix for subtle freeing bug that suppressed information in some bounce msgs.
* Newline fix patches for internationalization files.
* Fix reversed test guarding authentication-failure warnings.
* Fix POP3 breakage starting at 5.9.14.
PR: 44330
Submitted by: Matthias Andree <matthias.andree@web.de>
described at http://security.e-matters.de/advisories/032002.html.
Approved by: nectar (using his security-officer hat)
will (using his portmgr hat)
As we are so close to last tagging, as suggested by
portmgr, maintainer approval is forgone.
PR: 38328
Submitted by: Dominic Marks <dominic_marks@btinternet.com>
Approved by: kris for the Security Officer Team,
will for the Port Manager Team, and
MAINTAINER timeout
Fix a problem with building Kerberos 4 (Kerberos 5 is still broken).
PR: 27941 (the Kerberos 4 build problem)
Submitted by: Shawn Halpenny <malachai@iname.com>
Approved by: maintainer
/usr/bin/true for autoconf and friends - the fetchmail build system
does the right thing now.
Approved by: maintainer
Apologies to: sobomax for my harsher-than-needed complaints for his
fast and to-the-point port fixes.
A non-reachable exit() call was removed from the end of main(),
and the version number information was updated in the .lsm file.
Noticed by: Steve Watt, Mike Harding, Ville Eerola, probably others, too
Also, correct the help message in the fetchmailconf wrapper script -
fetchmailconf depends on py-tkinter, not just Python.
Submitted by: Jack Twilley <jmt@inktomi.com> - the fetchmailconf inaccuracy
Approved by: maintainer
and an omission and gives ESR a chance to do some more serious development
in a new development version.
Approved by: Ville Eerola <ve@sci.fi> - maintainer