From the CHANGES:
------
v3.0.9
------
[cjh] Fix showstopper bug in Horde_Form select fields (Bug #3123).
------
v3.0.8
------
[cjh] When deleting an identity, don't show the deleted identity
in the default identity select dropdown on the next page load.
[cjh] Fix escaping of data in the preferences templates.
[cjh] Fix escaping of data in the data import templates.
[cjh] Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_html.
[cjh] Close several XSS problems in the share edit window.
[jan] Fix weather.com portal block.
From the ChangeLog:
- 0006421: [security] Private bugs show up in public RSS feed (vboctor)
- 0006458: [security] Port #6457: SQL Injection in manage user page (TKADV2005-11-002) (vboctor)
- 0006461: [security] Port #6460: HTTP Header CRLF Injection (TKADV2005-11-002) (vboctor)
- 0006485: [security] XSS Vulnerability in filters (TKADV2005-11-002) (thraxisp)
- 0006489: [security] Port Injection Vulnerabilities in Filters (TKADV2005-11-002) (thraxisp)
- 0006492: [security] Port #6453: Make note private has no effect when resolving bug (thraxisp)
- 0006432: [bugtracker] error processing does not work! (jlatour)
- 0006379: [filters] Filter returns private issues when it should not (thraxisp)
- 0006254: [localization] strings_korean_utf8.txt has UTF-8 byte-order marker (ryandesign)
- 0006268: [localization] strings_chinese_simplified_utf8.txt has UTF-8 byte-order marker (ryandesign)
- 0006304: [localization] [PATCH] Major overhaul of strings_dutch.txt (jlatour)
- 0006358: [localization] Updated Dutch localization (Wanderer)
- 0006474: [localization] Calls to htmlspecialchars should take into account the current charset (jlatour)
load_rc_config_var so that platforms with older versions of /etc/rc.subr
can run smbd.sh and winbindd.sh without updating /etc/rc.subr.
Bump PKGREVISION to 3.
They are refusing connections or timing out for at least two weeks.
XXX: Please, do _NOT_ add them again so easily, please!
There is nothing but recurring trouble with them for a long time.
Change homepage to http://fetchmail.berlios.de/ and update MASTER_SITES.
Changes introduced since 6.2.5:
fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.
The fetchmail 6.2.5.X branch will be discontinued early in 2006.
fetchmail-6.2.5.5 2005-12-19 Matthias Andree
* SECURITY FIX CVE-2005-4348: fix null pointer dereference in
multidrop mode when the message is empty. Reported by Daniel Drake
<http://article.gmane.org/gmane.mail.fetchmail.user/7573> and others
(Debian Bug #343836). Fix by Sunil Shetye.
* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
fails. Fix suggested by Goswin Brederlow.
* Add fetchmail-SA-2005-{01,02,03}.txt
fetchmail-6.2.5.4 2005-11-13 Matthias Andree
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
yacc or bison.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
the source directory), but prevent packaging from separated build, it
yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
fetchmail-6.2.5.3 2005-11-12 Matthias Andree
* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Build environment: Update included gettext. Fix
--with-included-gettext. Fix parallel build (make -j). Fix "always
rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).
fetchmail-6.2.5.2
(patch Fri Jul 22 01:52 GMT 2005,
tarball Sat Jul 23 21:34 GMT 2005)
* README: Added a note about release status - READ IT!
* Note: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX CVE-2005-2335: truncate UIDL replies, lest malicious or
compromised POP3 servers overflow fetchmail's stack. Debian bug
#212762. This is a remote root exploit.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
