version 3.005: Fri 22 Dec 09:43:45 CET 2017
Fixes:
- repair loose dependency on Mail::Transport [cpantesters]
version 3.004: Thu 21 Dec 09:08:52 CET 2017
Fixes:
- field unfold replaces leading whitespace into blank. [Mark Nienberg]
Improvements:
- improve docs on $msg->send().
The previous release was the last one supporting autotools,
so switch to autosetup build. Adapt options.
2017-12-15 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Fix some regressions in the previous release
2017-12-08 Richard Russon <rich@flatcap.org>
* Features
- Enhance ifdef feature to support my_ vars
- Add <edit-or-view-raw-message>
- Remove vim syntax file from the main repo
- Support reading FQDN from mailname files
* Bug Fixes
- Do not turn CRLF into LF when dealing with transfer-encoding=base64
- Cleanup "SSL is unavailable" error in mutt_conn_find
- Don't clear the macro buffer during startup
- Fixup smart modify-labels-then-hide for !tag case
- Add sleep after SMTP error
- Restore folder settings after folder-hook
- Fix segfault when pipe'ing a deleted message
* Docs
- Display_filter escape sequence
- Correct spelling mistakes
- Add a sentence to quasi-delete docs
- Modify gpg.rc to accommodate GPG 2.1 changes
* Build
- Fix build for RHEL6
- Define NCURSES_WIDECHAR to require wide-char support from ncurses
- Autosetup: fix check for missing sendmail
- Respect --with-ssl path
- Check that OpenSSL md5 supports -r before using it
- Autosetup: expand --everything in `neomutt -v`
- Make sure objects are not compiled before git_ver.h is generated
- Build: fix update-po target
- Fix out-of-tree builds
- Fix stdout + stderr redirection in hcachever.sh
- Build: moved the check for idn before the check for notmuch
- Define prefix in Makefile.autosetup
- Install stuff to $(PACKAGE) in $(libexecdir), not $(libdir)
- Update autosetup to latest master
* Code
- Rename files
- Rename functions
- Rename variables
- Rename constants
- Remove unused parameters
- Document functions
- Rearrange functions
- Move functions to libraries
- Add new library functions
- Rearrange switch statements
- Boolification
- Drop #ifdef DEBUG
- Fix Coverity defects
- Insert braces
- Split ifs
- Fallthrough
- Fix shadow variable
- Replace mutt_debug with a macro
- Return early where possible
* Upstream
- Note which ssl config vars are GnuTLS or OpenSSL only
- Add message count to $move quadoption prompt
- Add %R (number of read messages) for $status_format
- Add $change_folder_next option to control mailbox suggestion order
- Fix $smart_wrap to not be disabled by whitespace-prefixed lines
- Remove useless else branch in the $smart_wrap code
- Fix ansi escape sequences with both reset and color parameters
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
Tested by jcea, thanks!
2.1.25 (26-Oct-2017)
New Features
- The admindb held subscriptions listing now includes the date of the
most recent request from the address. (LP: #1697097)
Accessibility
- The admin Membership List now includes text for screen readers which
identifies the function of each checkbox. CSS is added to the page to
visually hide the text but still allow screen readers to read it.
Similar text has been added to some radio buttons on the admindb pages.
i18n
- The Russian translation has been updated by Sergey Matveev.
(LP:#1708016)
Bug fixes and other patches
- Thanks to Jim Popovitch, certain failures in DNS lookups of DMARC policy
will now result in mitigations being applied. (LP: #1722013)
- The default DMARC reject reason now properly replaces %(listowner)s.
(LP: #1718962)
- The web roster page now shows case preserved email addresses.
(LP: #1707447)
- Changed the SETGID wrappers to only pass those items in the environment
that are needed by the called scripts. (LP: #1705736)
- Fixed MTA/Postfix.py to ensure that created aliases(.db) and
virtual-mailman(.db) files are readable by Postfix and the .db files are
owned by the Mailman user. (LP: #1696066)
- Defended against certain web attacks that cause exceptions and "we hit
a bug" responses when POST data or query fragments contain multiple
values for the same parameter. (LP: #1695667)
- The fix for LP: #1614841 caused a regression in the options CGI. This
has been fixed. (LP: #1602608)
- Added a -a option to the (e)grep commands in contrib/mmdsr to account
for logs that may have non-ascii and be seen as binary.
- Fixed the -V option to bin/list_lists to not show lists whose host is a
subdomain of the given domain. (LP: #1695610)
2.1.24 (02-Jun-2017)
Security
- A most likely unexploitable XSS attach that relies on the Mailman web
server passing a crafted Host: header to the CGI environment has been
fixed. Apache for one is not vulnerable. Thanks to Alqnas Eslam.
New Features
- There is a new RCPT_BASE64_HEADER_NAME setting. If this is set to a
non-empty string, that string is the name of a header that will be added
to personalized and VERPed deliveries with value equal to the base64
encoding of the recipient's email address. This is intended to enable
identification of the recipient otherwise redacted from "spam report"
feedback loop messages.
- cron/senddigests has a new -e/--exceptlist option to send pending
digests for all but a named list. (LP: #1619770)
- The values for DEFAULT_DIGEST_FOOTER and DEFAULT_MSG_FOOTER have been
changed to use a standard signature separator for DEFAULT_MSG_FOOTER
and to remove the unneded line of underscores from DEFAULT_DIGEST_FOOTER.
(LP: #266269)
i18n
- The Polish html templates have been recoded to use html entities
instead of non-ascii characters.
- The Basque (Euskara) translation has been updated by Gari Araolaza.
- The German "details for personalize" page has been updated by
Christian F Buser.
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
Bug fixes and other patches
- The list-owner@virtual.domain addresses are now added to virtual-mailman
as they are exposed in 'list created' emails. (LP: 1694384)
- The 'list run by' addresses in web page footers are now just the
list-owner address. (LP: #1694384)
- Changed member_verbosity_threshold from a >= test to a strictly > test
to avoid the issue of moderating every post when the threshold = 1.
(LP: #1693366)
- Subject prefixing has been improved to always have a space between
the prefix and the subject even with non-ascii in the prefix. This
will sometimes result in two spaces when the prefix is non-ascii but
the subject is ascii, but this is the lesser evil. (LP: #1525954)
- Treat message and digest headers and footers as empty if they contain
only whitespace. (LP: #1673307)
- Ensured that added message and digest headers and footers always have
a terminating new-line. (LP: #1670033)
- Fixed an uncaught TypeError in the subscribe CGI. (LP: #1667215)
- Added recognition for a newly seen mailEnable bounce.
- Fixed an uncaught NotAMemberError when a member is removed before a
probe bounce for the member is returned. (LP: #1664729)
- Fixed a TypeError thrown in the roster CGI when called with a listname
containing a % character. (LP: #1661810)
- Fixed a NameError issue in bin/add_members with
DISABLE_COMMAND_LOCALE_CSET = yes. (LP: #1647450)
- The CleanseDKIM handler has been removed from OWNER_PIPELINE. It isn't
needed there and has adverse DMARC implications for messages to -owner
of an anonymous list. (LP: #1645901)
- Fixed an issue with properly RFC 2047 encoding the display name in the
From: header for messages with DMARC mitigations. (LP: #1643210)
- Fixed an issue causing UnicodeError in sending digests following a
change of a list's preferred_language. (LP: #1644356)
- Enhanced the fix for race conditions in MailList().Load(). (LP: #266464)
- Fixed a typo in Utils.py that could have resulted in a NameError in
logging an unlikely occurrence. (LP: #1637745)
- Fixed a bug which created incorrect "view more members" links at the
bottom of the admin Membership List pages. (LP: #1637061)
- The 2.1.23 fix for LP: #1604544 only fixed the letter links at the top
of the Membership List. The links at the bottom have now been fixed.
- paths.py now adds dist-packages as well as site-packages to sys.path.
(LP: #1621172)
- INIT INFO has been added to the sample init.d script. (LP: #1620121)
2.1.23 (27-Aug-2016)
Security
- CSRF protection has been extended to the user options page. This was
actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
intended for Mailman 2.1.15, but that fix wasn't completely merged at the
time. The full fix also addresses the admindb, and edithtml pages as
well as the user options page and the previously fixed admin pages.
Thanks to Nishant Agarwala for reporting the issue. CVE-2016-6893
(LP: #1614841)
New Features
- For header_filter_rules matching, RFC 2047 encoded headers, non-encoded
headers and header_filter_rules patterns are now all decoded to unicode.
Both XML character references of the form &#nnnn; and unicode escapes
of the form \Uxxxx in patterns are converted to unicodes as well. Both
headers and patterns are normalized to 'NFKC' normal form before
matching, but the normalization form can be set via a new NORMALIZE_FORM
mm_cfg setting. Also, the web UI has been updated to encode characters
in text fields that are invalid in the character set of the page's
language as XML character references instead of '?'. This should help
with entering header_filter_rules patterns to match 'odd' characters.
This feature is experimental and is problematic for some cases where it
is desired to have a header_filter_rules pattern with characters not in
the character set of the list's preferred language. For patterns
without such characters, the only change in behavior should be because
of unicode normalization which should improve matching. For other
situations such as trying to match a Subject: with CJK characters (range
U+4E00..U+9FFF) on an English language (ascii) list, one can enter a
pattern like '^subject:.*[一-鿿]' or
'^subject:.*[\u4e00;-\u9fff;]' to match a Subject with any character in
the range, and it will work, but depending on the actual characters and
the browser, submitting another, even unrelated change can garble the
original entry although this usually occurs only with ascii pages and
characters in the range \u0080-\u00ff. The \Uxxxx unicode escapes must
have exactly 4 hex digits, but they are case insensitive. (LP: #558155)
- Thanks to Jim Popovitch REMOVE_DKIM_HEADERS can now be set to 3 to
preserve the original headers as X-Mailman-Original-... before removing
them.
- Several additional templates have been added to those that can be edited
via the web admin GUI. (LP: #1583387)
- SMTPDirect.py can now do SASL authentication and STARTTLS security when
connecting to the outgoiung MTA. Associated with this are new
Defaults.py/mm_cfg.py settings SMTP_AUTH, SMTP_USER, SMTP_PASSWD and
SMTP_USE_TLS. (LP: #558281)
- There is a new Defaults.py/mm_cfg.py setting SMTPLIB_DEBUG_LEVEL which
can be set to 1 to enable verbose smtplib debugging to Mailman's error
log to help with debugging 'low level smtp failures'. (LP: #1573074)
- A list's nonmember_rejection_notice attribute will now be the default
rejection reason for a held non-member post in addition to it's prior
role as the reson for an automatically rejected non-member post.
(LP: #1572330)
i18n
- The French translation of 'Dutch' is changed from 'Hollandais' to
'Néerlandais' per Francis Jorissen.
- Some German language templates that were incorrectly utf-8 encoded have
been recoded as iso-8859-1. (LP: #1602779)
- Japanese translation and documentation in messages/ja has been updated by
Yasuhito FUTATSUKI.
Bug fixes and other patches
- The admin Membership List letter links could be incorrectly rendered as
Unicode strings following a search. (LP: #1604544)
- We no longer throw an uncaught TypeError with certain defective crafted
POST requests to Mailman's CGIs. (LP: #1602608)
- Scrubber links in archives are now in the list's preferred_language
rather than the poster's language. (LP: #1586505)
- Improved logging of banned subscription and address change attempts.
(LP: #1582856)
- In rare circumstances a list can be removed while the admin or listinfo
CGI or bin/list_lists is running causing an uncaught MMUnknownListError
to be thrown. The exception is now caught and handled. (LP: #1582532)
- Set the Date: header in the wrapper message when from_is_list or
dmarc_moderation_action is Wrap Message. (LP: #1581215)
- A site can now set DMARC_ORGANIZATIONAL_DOMAIN_DATA_URL to None or the
null string if it wants to avoid using this. (LP: #1578450)
- The white space to the left of the admindb Logout link is no longer
part of the link. (LP: #1573623)
2.1.22 (17-Apr-2016)
i18n
- Fixed a typo in the German options.html template. (LP: #1562408)
- An error in the Brazilian Portugese translation of Quarterly has been
fixed thanks to Kleber A. Benatti.
- The Brazilian Portugese translation has been updated by Emerson Ribeiro
de Mello.
Bug fixes and other patches
- All addresses in data/virtual-mailman are now properly appended with
VIRTUAL_MAILMAN_LOCAL_DOMAIN and duplicates are not generated if the
site list is in a virtual domain. (LP: #1570630)
- DMARC mitigations will now find the From: domain to the right of the
rightmost '@' rather than the leftmost '@'. (LP: #1568445)
- DMARC mitigations for a sub-domain of an organizational domain will now
use the organizational domain's sp= policy if any. (LP: #1568398)
- Modified NewsRunner.py to ensure that messages gated to Usenet have a
non-blank Subject: header and when munging the Message-ID to add the
original to References: to help with threading. (LP: #557955)
- Fixed the pipermail archiver to do a better job of figuring the date of
a post when its Date: header is missing, unparseable or has an obviously
out of range date. This should only affect bin/arch as ArchRunner has
code to fix dates at least if ARCHIVER_CLOBBER_DATE_POLICY has not been
set to 0 in mm_cfg.py. If posts have been added in the past to a list's
archive using bin/arch and an imported mbox, running bin/arch again could
result is some of those posts being archived with a different date.
(LP: #1555798)
- Fixed an issue with CommandRunner shunting a malformed message with a
null byte in the body. (LP: #1553888)
- Don't collapse multipart with a single sub-part inside multipart/signed
parts. (LP: #1551075)
2.1.21 (28-Feb-2016)
New Features
- There is a new dmarc_none_moderation_action list setting and a
DEFAULT_DMARC_NONE_MODERATION_ACTION mm_cfg.py setting to optionally
apply Munge From or Wrap Message actions to posts From: domains that
publish DMARC p=none. The intent is to eliminate failure reports to
the domain owner for messages that would be munged or wrapped if the
domain published a stronger DMARC policy. See the descriptions in
Defaults.py, the web UI and the bug report for more. (LP: #1539384)
- Thanks to Jim Popovitch there is now a feature to automatically turn
on moderation for a malicious list member who attempts to flood a list
with spam. See the details for the Privacy options ... -> Sender
filters -> member_verbosity_threshold and member_verbosity_interval
settings in the web admin UI and the documentation in Defaults.py for
the DEFAULT_MEMBER_VERBOSITY_* and VERBOSE_CLEAN_LIMIT settings for
information.
- bin/list_members now has options to display all moderated or all
non-moderated members.
- There is now a mm_cfg.py setting GLOBAL_BAN_LIST which is like the
individual list's ban_list but applies globally to all subscribe
requests. See the description in Defaults.py for more details.
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- Also thanks to Miloslav Trmac and Yasuhito FUTATSUKI, the l10n for
Mailman's bin/ commands has been fixed to display using the character
set of the user's work station even when Mailman's character set for
the language is different. Because this has not been tested over a
wide set of locales, there is an mm_cfg.py switch
DISABLE_COMMAND_LOCALE_CSET to disable it if it causes problems.
(LP: #558167)
- The Polish translation has been updated by Stefan Plewako.
- The German translation has been updated by Mirian Margiani and
Bernhard Schmidt.
- The Russian translation has been updated by Danil Smirnov.
- Several Galician templates that were improperly encoded as iso-8859-1
have been fixed. (LP: #1532504)
- The Brazilian Portugese translation has been updated by Emerson Ribeiro
de Mello.
Bug fixes and other patches
- If DMARC lookup fails to find a policy, also try the Organizational
Domain. Associated with this is a new mm_cfg.py setting
DMARC_ORGANIZATIONAL_DOMAIN_DATA_URL which sets the URL used to
retrieve the data for the algorithm that computes the Organizational
Domain. See https://publicsuffix.org/list/ for info. (LP: #1549420)
- Modified contrib/mmdsr to correctly report No such list names that
contain ".
- User's "Acknowledge" option will now be honored for posts to anonymous
lists. (LP: #1546679)
- Fixed a typo in the Non-digest options regular_exclude_ignore
description thanks to Yasuhito FUTATSUKI.
- DEFAULT_PASS_MIME_TYPES has been changed to accept text/plain sub-parts
from message/rfc822 parts and multipart parts other than mixed and
alternative and also accept pgp signatures. This only applies to newly
created lists and other than pgp signatures, still only accepts
text/plain. (LP: #1517446)
- Modified contrib/mmdsr to report held and banned subscriptions and DMARC
lookups in their own categories.
- Fixed a bug that could create a garbled From: header with certain DMARC
mitigation actions. (LP: #1536816)
- Treat a poster's address which matches an equivalent_domains address as
a list member for the regular_exclude_ignore check. (LP: #1526550)
- Fixed an issue that sometimes left no white space following
subject_prefix. (LP: #1525954)
- Vette log entries for banned subscriptions now include the source of
the request if available. (LP: #1525733)
- Submitting the user options form for a user who was asynchronously
unsubscribed would throw an uncaught NotAMemberError. (LP: #1523273)
- It was possible under some circumstances for a message to be shunted
after a handler rejected or discarded it, and the handler would be
skipped upon unshunting and the message accepted. (LP: #1519062)
- Posts gated to usenet will no longer have other than the target group
in the Newsgroups: header. (LP: #1512866)
- Invalid regexps in *_these_nonmembers, subscribe_auto_approval and
ban_list are now logged. (LP: #1507241)
- Refactored the GetPattern list method to simplify extending @listname
syntax to new attributes in the future. Changed Moderate.py to use the
GetPattern method to process the *_these_nonmembers lists.
- Changed CookHeaders to default to using space rather than tab as
continuation_ws when folding headers. (LP: #1505878)
- Fixed the 'pidfile' path in the sample init.d script. (LP: #1503422)
- Subject prefixing could fail to collapse multiple 'Re:' in an incomming
message if they all came after the list's subject_prefix. This is now
fixed. (LP: #1496620)
- Defended against a user submitting URLs with query fragments or POST
data containing multiple occurrences of the same variable.
(LP: #1496632)
- Fixed bin/mailmanctl to check its effective rather than real uid.
(LP: #1491187)
- Fixed cron/gate_news to catch EOFError on opening the newsgroup.
(LP: #1486263)
- Fixed a bug where a delayed probe bounce can throw an AttributeError.
(LP: #1482940)
- If a list is not digestable an the user is not currently set to
receive digests, the digest options will not be shown on the user's
options page. (LP: #1476298)
- Improved identification of remote clients for logging and subscribe
form checking in cases where access is via a proxy server. Thanks to
Jim Popovitch. Also updated contrib/mmdsr for log change.
- Fixed an issue with shunted messages on a list where the charset for
the list's preferred_language had been changed from iso-8859-1 to
utf-8 without recoding the list's description. (LP: #1462755)
- Mailman-Postfix integration will now add mailman@domain entries in
data/virtual-mailman for each domain in POSTFIX_STYLE_VIRTUAL_DOMAINS
which is a host_name of a list. This is so the addresses which are
exposed on admin and listinfo overview pages of virtual domains will
be deliverable. (LP: #1459236)
- The vette log entry for DMARC policy hits now contains the list name.
(LP: #1450826)
- If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
balancer or similar in use the POSTing IP might not exactly match the
GETting IP. This is now accounted for by not requiring the last
octet (16 bits for ipV6) to match. (LP: #1447445)
- DKIM-Signature:, DomainKey-Signature: and Authentication-Results:
headers are now removed by default from posts to anonymous lists.
(LP: #1444673)
- The list admin web UI Mambership List search function often doesn't
return correct results for search strings (regexps) that contain
non-ascii characters. This is partially fixed. (LP: #1442298)
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of these could be
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Notmuch 0.25.2 (2017-11-05)
===========================
Command Line Interface
----------------------
Fix segfault in notmuch-show crypto handling when compiled against
GMime 2.6; this was a regression in 0.25.
General
-------
Support for GMime before 3.0 is now deprecated, and will be removed in
a future release.
GMime is a C library which may be used for the creation and parsing
of messages using the Multipurpose Internet Mail Extension (MIME),
as defined by numerous IETF specifications.
GMime features an extremely robust high-performance parser designed
to be able to preserve byte-for-byte information allowing developers
to re-seralize the parsed messages back to a stream exactly as the
parser found them. It also features integrated GnuPG and S/MIME
v3.2 support.
Built on top of GObject (the object system used by the GNOME
desktop), many developers should find its API design and memory
management very familiar.
This package contains v3 of the gmime API.
(Previosly if selected or not *always* `--with-tls' was accidently passed to the
CONFIGURE_ARGS for the `tls' PKG_OPTION)
Pointed out by Joyent SmartOS bulk builds.
pkgsrc changes:
- Update MASTER_SITES (use https:// and avoid redirects)
- Delete (a bit outdated) comment about locking mechanisms
Since 02 Feb 2014 (post-1.6) the default locking mechanisms are
(directly from m4/locking.m4):
- aix*|cygwin*|linux*: fcntl
- freebsd*|*netbsd*|openbsd*|darwin*: flock
- everything else: dot
The original comment was probably about just NetBSD and maybe Solaris
(it's dated 1999). Solaris still uses the `dot' mechanisms by default
but we no longer have any local patches about locking.
- Delete (no more needed) `-O1' hack to CFLAGS
mh_strcasecmp() was completely replaced by strcasecmp() on 24 Mar 2013, and
hence present in 1.6. Forcing `-O1' for gcc is no longer needed.
- Adjust --sysconfdir CONFIGURE_ARGS per-upstream change, now the nmh
directory is created by nmh's configure so pass PKG_SYSCONFBASE instead of
PKG_SYSCONFDIR.
- Add support for the `test' phase
Add support for nmh tests. Modify patches/patch-ca accordingly in order to
adjust TEST_ENVIRONMENT to use the configuration files in $egdir instead of the
ones in $nmhetcdir.
Actually all tests are passed except an mhparam test that sposts the
$egdir/$nmetcdir kludge.
- Do not include bsd.prefs.mk two times (NFC)
- Add `oauth' PKG_OPTIONS (disabled by default) to enable OAuth2 support in
SMTP and POP auth via curl
Changes:
Release notes for nmh 1.7
=========================
Welcome to nmh, the new version of the classic MH mail handling system.
It's been over three years since the last release of nmh, and there have
been a number of significant changes since the last release. Long-time
MH and nmh uses should read careful the NOTEABLE CHANGES section, as there
are some significant changes to nmh behavior. Otherwise, please see the
README and INSTALL files for help on getting started with nmh.
For news of future releases, subscribe to the low-volume
https://lists.nongnu.org/mailman/listinfo/nmh-announce
---------------
NOTABLE CHANGES
---------------
The largest notable changes in the 1.7 release are:
- Complete unification of network security support. All network protocols
(currently, POP and SMTP) have been refactored to use a common set of
security routines. This means all protocols support all SASL mechanisms
(via the Cyrus-SASL library) and TLS. TLS support has been strengthened
to perform certificate name validation and to require TLS 1.1 as a
minimum protocol. Also, all protocols can make use of the OAuth2/XOAUTH
SASL mechanism, which is supported by Gmail.
- send(1) now supports adding switches to post(8) based on the address or
domain of the email address in the From: header; this more easily allows
users to support multiple identities.
- A generic facility for passing arguments to filter programs in repl(1)
by use of the -convertargs switch.
- Native support for the manipulation of iCalendar requests; see mhical(1)
for more details.
------------
NEW FEATURES
------------
The following are new features for the 1.7 release of nmh:
- When building from source, configure will derive ${prefix} from an existing
nmh installation if it finds one in your $PATH.
- Added welcome message when nmh detects that its version changed.
- The default locations for configuration files and support binaries
have been changed. Configuration files now install into ${sysconfdir}/nmh,
and support binaries are placed in ${libexecdir}/nmh. If you are upgrading
an existing installation you should look for old configuration files in
${sysconfdir} and merge any local customizations into the new files in
${sysconfdir}/nmh, then remove the old files. ${libdir} will also contain
obsolete support programs that should be removed.
- All TLS connections now perform certificate validation (including hostname
matching) by default; can be disabled on a per-application basis.
- post now defaults to port 587 on 'smtp' message submission.
- A value of 0 for the width switch of scan(1), inc(1), ap(1), dp(1),
fmttest(1), and mhl(1) now means as many characters as the format
engine can produce [Bug #15274]. That amount is limited by internal
buffers.
- If a component has trailing whitespace, e.g., body:component="> ",
mhl now trims that whitespace off when filtering blank text lines.
- An "rtrim" flag has been added to mhl to remove any trailing
whitespace from filtered text lines. A corresponding "nortrim" flag
has also been added.
- Added getmymbox and getmyaddr mh-format(5) function escapes.
- New -[no]changecur, -fixtype, -decodetypes, and -[no]crlflinebreaks switches
have been added to mhfixmsg(1).
- mhfixmsg now removes an extraneous trailing semicolon from header
parameter lists.
- Added -convertargs switch to repl(1), to pass arguments to programs
specified in the user's profile or mhn.defaults to convert message
content.
- Added mhical(1), to display, reply to, and cancel iCalendar (RFC 5545)
event requests.
- Added multiply mh-format(5) function.
- "mhparam bindir" prints the path to the directory containing the public
executables (${bindir}).
- New "-prefer" switch for mhshow (and mhlist and mhshow), to allow specifying
the preferred content types to show, if present in a multipart alternative.
- mh-format now has %(kilo) and %(kibi) functions, to allow printing
numbers with SI or IEC quantities, e.g. "10K", "2.3Mi".
- Support for the -sendmail flag to send/post to change the sendmail
binary when using the sendmail/pipe MTS.
- Added support to send(1) to specify switches to post(1) based on address or
domain name in From: header line in message draft.
- post(8) -snoop now attempts to decode base64-encoded SMTP traffic.
- folder(1) -nocreate now prints a warning message for a non-existent folder.
- mhfixmsg(1) now allows -decodetext binary, though 8bit is still the default.
- inc(1) and msgchk(1) now support TLS encryption natively.
- All network protocols support the XOAUTH authentication mechanism.
- Support for SMTPUTF8 (RFC 6531) has been added. mhshow(1) already supported
RFC 6532, assuming all 8-bit message header field bodies are UTF-8 and use
of a UTF-8 locale.
- mhfixmsg now replaces RFC 2047 encoding with RFC 2231 encoding of name and
filename parameters in Content-Type and Content-Disposition headers,
respectively.
- If a message body contains 8-bit bytes, post(8) uses SMTP 8BITMIME if the
server supports it. If not, post fails with a message to the user to
encode the message for 7-bit transport.
- Fewer lseek(2)s will be used when reading headers in the common case.
- ./configure's --enable-debug has been removed; it did nothing.
- configure now defaults to enabling each of TLS and Cyrus SASL if the
necessary headers and libraries are found.
- Moved build_nmh to top-level directory.
- Better error reporting for connections to network services.
---------
BUG FIXES
---------
- The format scanner no longer subtracts 1 from the width. This has the
effect of no longer counting the trailing newline in the output of
scan(1), inc(1), and the other programs that rely on the format scanner.
- The first character of some very short (less than 4 characters) message
bodies is no longer dropped.
- Single-character headers can be reliably formatted, etc., instead of
apparently being missing.
- mhfixmsg now adds a Content-Transfer-Encoding header at the message level,
if needed after decoding text parts.
- mhbuild now checks whether all text parts need a Content-Transfer-Encoding
header, not just those with a character set not specified.
- mhbuild no longer parses lines that start with # as directives with
-nodirectives.
- repl now makes sure that any Fcc header in a replied-to message is not
copied into the outgoing draft by default, and that the -fcc switch
actually works in the absence of a Fcc header in the replied-to message.
- A Content-ID is generated for message/external-body entities as required
by RFC 2045, even if -nocontentid is supplied to mhbuild.
- post will now expand aliases on a "From" line when doing a BCC [Bug #51098].
- scan can now handle empty files without violating an assert [Bug #51693].
- An error when writing an error message, e.g. EPIPE, no longer causes
recursion until the stack is exhausted.
-------------------
DEPRECATED FEATURES
-------------------
- Support for the MHPDEBUG environment variable is deprecated and will be
removed from a future nmh release. Instead, use the -debug switch to pick.
- With the move of support binaries from ${libdir} to ${libexecdir}/nmh, the
mostly undocumented 'libdir' mhparam(1) component has been replaced by a
new 'libexecdir' component. 'libdir' will be removed in a future release.
-----------------
OBSOLETE FEATURES
-----------------
- The undocumented -queue switch to post was deprecated in nmh 1.6, and was
removed in this release.
- conflict(8) was deprecated in nmh 1.6, and was removed in this release.
- mhtest(8) was deprecated in nmh 1.6, and was removed in this release.
- msh(1) was deprecated in nmh 1.6, and was removed in this release.
- Support in alias files for the the "*" address-group (everyone) was
deprecated in nmh 1.6, and was removed in this release.
- Support for multiple hostnames in the "servers" entry of mts.conf has
been removed.
- Support in alias files for expanding aliases based on group membership
(=) and primary group (+) has been removed.
As always, feedback is welcome.
Chagelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks though the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
neomutt is now called 'neomutt' instead of 'mutt'. Remove conflict
with mutt.
2017-10-27 Richard Russon <rich@flatcap.org>
* Bug Fixes
- variable type when using fread
- prevent timezone overflow
- tags: Show fake header for all backends
- notmuch: virtual-mailboxes should accept a limit
- Issue 888: Fix imap mailbox flag logging
- fix actions on tagged messages
- call the folder-hook before saving to $record
- Fix smart wrap in pager without breaking header
- Add polling for the IDLE command
* Docs
- imap/notmuch tags: Add some documentation
- English and other cleanups
- compressed and nntp features are now always built
* Website
- Update Arch instructions
* Build
- Fix update-po
- Fix neomutt.pot location, remove from git
- Allow to specify --docdir at configure time
- Generate neomuttrc even if configured with --disable-doc
- Let autosetup define PWD, do not unnecessarily try to create hcache dir
- Use bundled wcscasecmp if an implementation is not found in libc
- Use host compiler to build the documentation
- Update autosetup to latest master branch
- autosetup: delete makedoc on 'make clean'
- Fixes for endianness detection
- Update autosetup to latest master branch
- Do not use CPPFLAGS / CFLAGS together with CC_FOR_BUILD
- --enable-everything includes lua
- autosetup: check for sys_siglist[]
* Code
- move functions to library
- lib: move MIN/MAX macros
- simplify null checks
- kill preproc expansion laziness
- reduce scope of variables
- merge: minor code cleanups
- split up 'if' statements that assign and test
- Refactor: Remove unused return type
- Bool: change functions in mx.h
- bool: convert function parameters in nntp.h
- add extra checks to mutt_pattern_exec()
- Use safe_calloc to initialize memory, simplify size_t overflow check
- Move mutt_rename_file to lib/file.[hc]
- doxygen: fix a few warnings
- minor code fixes
- use mutt_array_size()
- refactor out O_NOFOLLOW
- initialise variables
- lib: move List and Queue into library
- url: make notmuch query string parser generic
- Wrap dirname(3) inside a mutt_dirname() function
2017-10-13 Richard Russon <rich@flatcap.org>
* Bug Fixes
- crash using uncolor
- Sort the folders list when browsing an IMAP server
- Prefer a helpful error message over a BEEP
* Build
- Do not fail if deflate is not in libz
- Support EXTRA_CFLAGS and EXTRA_LDFLAGS, kill unused variable
2017-10-06 Richard Russon <rich@flatcap.org>
* Features
- Add IMAP keywords support
* Bug Fixes
- set mbox_type
- %{fmt} date format
- Fix off-by-one buffer overflow in add_index_color
- crash in mbox_to_udomain
- crash in mutt_substrdup
- crash looking up mime body type
- digest_collapse was broken
- crash using notmuch expando with imap
- imap: Fix mx.mbox leak in imap_get_parent_path
- overflow in mutt_mktime()
- add more range-checking on dates/times
- Remove spurious error message
- Unsubscribe after deleting an imap folder
- Do not pop from MuttrcStack what wasn't pushed
* Docs
- replace mutt refs with neomutt
- drop old vim syntax file
* Code
- convert functions to use 'bool'
- convert structs to use STAILQ
* Build
- Autosetup-based configuration
- drop upstream mutt references
- rename everything 'mutt' to 'neomutt'
- move helper programs to lib dir
- rename regexp to regex
- expand buffers to avoid gcc7 warnings
* Upstream
- Remove \Seen flag setting for imap trash
- Change imap copy/save and trash to sync flags, excluding deleted
- Improve imap fetch handler to accept an initial UID
- Display an error message when delete mailbox fails
- Updated French translation
- Fix imap sync segfault due to inactive headers during an expunge
- Close the imap socket for the selected mailbox on error
- Add missing IMAP_CMD_POLL flag in imap buffy check
- Change maildir and mh check_mailbox to use dynamic sized hash
- Fix uses of context->changed as a counter
- Make cmd_parse_fetch() more precise about setting reopen/check flags
- Enable $reply_self for group-reply, even with $metoo unset
Security fix for CVE-2017-16651.
RELEASE 1.2.7
-------------
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems
(#5957)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Managesieve: Fix parsing dot-staffed lines in multiline text (#5838, #5959)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
- Added support for TLS anonymous authentication.
Thanks Uffe Jakobsen.
- Fixed sendmail wrapper handling of empty sender on command line.
Thanks Sebastian Wiedenroth.
- Fixed handling of quoted strings in the "remotes" file.
Thanks Mihai Moldovan.
- Fixed nullmailer-inject handling of leading "From " lines.
- Some build fixes.
- Fixed bogus temporary gethostbyname error message when the protocol
source address was incorrect.
- Fixed potential race condition in tests.
Thanks Felix Lechner.
- Fixed handling of time values on 32-bit big-endian systems.
Thanks Felix Lechner.
- Added support to nullmailer-send to move permanently failing messages
out of the queue, and to generate bounce messages.
- Added support for IPv6.
- Added program to generate bounce/delay messages.
- Added an "allmailfrom" control file to nullmailer-queue, causing all
messages to share a hard-coded envelope sender.
- Added logging the message sender/recipient in nullmailer-send.
- Improved handling of system errors when reading config files.
- Secured handling of password options for protocol modules.
- Support standard shell quoting for options in the "remotes" file.
- Added protocol option to set a separate TLS client private key file.
- Added protocol option to bind the source address on connections.
- Fixed nullmailer-inject to report errors to stderr.
- Fixed gnutls cast to pointer from integer of different size warning.
- Fixed nullmailer-inject and -queue to handle the null (empty) sender
address. Needed for RFC 3798 (Message Disposition Notification).
- Moved spool directory to /var/spool/nullmailer like other MTAs.
2.2.33.2:
- doveadm: Fix crash in proxying (or dsync replication) if remote is
running older than v2.2.33
- auth: Fix memory leak in %{ldap_dn}
- dict-sql: Fix data types to work correctly with Cassandra
Changes in 2.4.19:
* Complete backport of the new (2.5 and later) IMAP IDLE implementation
(thanks Thomas Jarosh). This fixes a bunch of bugs and race conditions
that were inherent to the older implementation
* New option "imapidletimeout" overrides "timeout" specifically for
connections in IDLE state
* OpenSSL 1.1.0 is now supported
* Fixed: imap ENABLED doesn't print * ENABLED when nothing new enabled
* Fixed: mailbox lock management over rename (thanks Thomas Jarosh)
* Fixed: added overflow protection to urlfetch range checks
* Fixed: lmtpd can now deliver when mupdate server isn't available
(thanks Michael Menge)
* Fixed task 227: service processes no longer divide by zero when
invoked with -T 0 argument (thanks Ian Batten and Jens Erat)
* Fixed task 229: ctl_cyrusdb now uses database paths from imapd.conf
(thanks Simon Matter)
* Fixed bug #3862: mailbox database changes now rolled back on mupdate
failure during rename (thanks Michael Menge)
* Fixed: XFER to 2.5 and later no longer downgrades index to oldest version
* Fixed: nonsensical "TEXT.MIME" section now handled as "HEADER"
* Fixed: added missing 'auditlog: ' prefix to backend connections
(thanks Wolfgang Breyha)
* Fixed: IMAP SEARCH crash on some platforms
* Fixed: memory leaks in IMAP SEARCH and IMAP APPEND
* Fixed Issue #1967: EXISTS count reported earlier if fetching past size
of previous message set
Changes in 2.4.20:
* Fixed: lmtpd crash
* Fixed: auth_pts will now error if its configured socket path is too
long for its buffer
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.3.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.2. Older releases are unaffected.
Fixed in Postfix 3.2 and later:
* Extension propagation was broken with "recipient_delimiter = .".
This change reverts a change that was trying to be too clever.
* The postqueue command would abort with a panic message after it
experienced an output write error while listing the mail queue.
This change restores a write error check that was lost with the
Postfix 3.2 rewrite of the vbuf_print formatter.
* Restored sanity checks for dynamically-specified width and precision
in format strings (%*, %.*, and %*.*). These checks were lost with
the Postfix 3.2 rewrite of the vbuf_print formatter.
v0.4.21:
* redirect action: Always set the X-Sieve-Redirected-From header to
sieve_user_email if configured. Before, it would use the envelope recipient
instead if available, which makes no sense if the primary e-mail address is
available.
+ vacation extension: Allow ignoring the envelope sender while composing the
"To:" header for the reply. Normally, the "To:" header is composed from
the address found in the "Sender", "Resent-From" or "From" headers that is
equal to the envelope sender. If none is then found, the bare envelope
sender is used. This change adds a new setting
"sieve_vacation_to_header_ignore_envelope". With this setting enabled, the
"To:" header is always composed from those headers in the source message.
The new setting thus allows ignoring the envelope, which is useful e.g.
when SRS is used.
+ vacation extension: Compose the "To:" header from the full sender address
found in the first "Sender:", "From:" or "Resent-From:" header. Before, it
would create a "To:" header without a phrase part. The new behavior is
nicer, since the reply will be addressed to the sender by name if possible.
- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A
missing LDAP-based script could cause the script sequence to exit earlier.
- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name
conversion. This caused problems with mailbox names containing UTF-8
characters. The Dovecot API was changed years ago, but apparently
sieve-filter was never updated.
v2.2.33.1:
- dovecot-lda was logging to stderr instead of to the log file.
v2.2.33:
* doveadm director commands wait for the changes to be visible in the
whole ring before they return. This is especially useful in testing.
* Environments listed in import_environment setting are now set or
preserved when executing standalone commands (e.g. doveadm)
+ doveadm proxy: Support proxying logs. Previously the logs were
visible only in the backend's logs.
+ Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+ Added a new notify_status plugin, which can be used to update dict
with current status of a mailbox when it changes. See
https://wiki2.dovecot.org/Plugins/NotifyStatus
+ Mailbox list index can be disabled for a namespace by appending
":LISTINDEX=" to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
mails that are visible in POP3 but not IMAP. This could happen if
new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache
if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
+ auth: Added %{ldap_dn} variable for passdb/userdb ldap
- acl: The "create" (k) permission in global acl-file was sometimes
ignored, allowing users to create mailboxes when they shouldn't have.
- sdbox: Mails were always opened when expunging, unless
mail_attachment_fs was explicitly set to empty.
- lmtp/doveadm proxy: hostip passdb field was ignored, which caused
unnecessary DNS lookups if host field wasn't an IP
- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
- quota_clone: Update also when quota is unlimited (broken in v2.2.31)
- mbox, zlib: Fix assert-crash when accessing compressed mbox
- doveadm director kick -f parameter didn't work
- doveadm director flush <host> resulted flushing all hosts, if <host>
wasn't an IP address.
- director: Various fixes to handling backend/director changes at
abnormal times, especially while ring was unsynced. These could have
resulted in crashes, non-optimal behavior or ignoring some of the
changes.
- director: Use less CPU in imap-login processes when moving/kicking
many users.
- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
when lmtp_rcpt_check_quota=yes
- doveadm sync -1 fails when local mailboxes exist that do not exist
remotely. This commonly happened when lazy_expunge mailbox was
autocreated when incremental sync expunged mails.
- pop3: rawlog_dir setting didn't work
1.0.1:
+ Extended experimental support for ARC results
1.0.0:
+ Added initial experimental support for ARC results
+ Swith to sematic versioning scheme and only set version in setup.py and
__init__
1.1:
Drop support for Python 3.4.
As per RFC 5321, §4.1.4, multiple HELO / EHLO commands in the same session are semantically equivalent to RSET.
As per RFC 5321, $4.1.1.9, NOOP takes an optional argument, which is ignored. API BREAK If you have a handler that implements handle_NOOP(), it previously took zero arguments but now requires a single argument.
The command line options --version / -v has been added to print the package’s current version number.
General improvements in the Controller class.
When aiosmtpd handles a STARTTLS it must arrange for the original transport to be closed when the wrapped transport is closed. This fixes a hidden exception which occurs when an EOF is received on the original tranport after the connection is lost.
Widen the catch of ConnectionResetError and CancelledError to also catch such errors from handler methods.
Added a manpage for the aiosmtpd command line script.
Added much better support for the HELP. There’s a new decorator called @syntax() which you can use in derived classes to decorate smtp_*() methods. These then show up in HELP responses. This also fixes HELP responses for the LMTP subclass.
The Controller class now takes an optional keyword argument ssl_context which is passed directly to the asyncio create_server() call.
Features:
- Limits rate of automatic responses (defaults to a maximum of one
message every hour).
- Will not respond to nearly every type of mailing list or bulk email.
- Will not respond to bounce messages or MAILER-DAEMON.
- Bounces looping messages.
- Can insert the original subject into the response.
- Can copy original message into response.
- Can use links in the rate-limiting data directory to limit inode usage
to a single inode.
- Can limit responses to a certain date/time range.
Changes since version 1.9.0:
This is a bug fix release, coming shortly after the last release due to
a possible segfault fix with IMAP. There are also fixes for the trash
folder, imap_poll_timeout, and GMail flags notifications.
version 0.97: Thu 2 Feb 15:52:27 CET 2017
Improvements:
- spell checks from Debian.
rt.cpan.org#118328 [Angel Abad]
- share podtail with MailBox
version 0.96: Mon Sep 19 23:15:07 CEST 2016
Fixes:
- include examples in the manual-pages
version 0.95:
Improvements:
- move t/99pod.t to xt/ and remove dependency on Test::Pod
- spell checks from Debian.
rt.cpan.org#92483 [Salvatore Bonaccorso]
0.13 Mon Jan 4 11:44:52 CET 2016
-fix: Escape braces in regexp / Debian bug#809102 / CPAN bug #110664
Unescaped braces in regexp are deprecated and issue a warning when used in Perl 5.22.
-fix: typo CPAN bug #110668 Debian
--- 1.999.1 (2006-02-26 18:00)
Mail::SPF::Query:
* Do not use \p{} named properties in the "a" and "mx" mechanisms' argument
validation code, since Perl 5.6 requires (flaky) "use utf8" for them to
work, and [a-z]/[a-z0-9] should work just as well (closes rt.cpan.org bug
#17815).
* Some minor documentation formatting improvements.
Debian:
+ Added watch file.
0.80 2017-08-20 NEILB
- NEILB got co-maint to do a release that includes META.yml and META.json.
- Switched to Dist::Zilla.
- Added COPYRIGHT section to pod.
- Fixed the NAME section in pod to follow expected format.
- Added "use warnings" and fixed all the warnings.
- Manually set $VERSION, as it's used in the code
0.79_16 2006-07-08 MIVKOVIC
- experimental SMTP AUTH support (LOGIN PLAIN CRAM-MD5 DIGEST-MD5)
- Fix bug where one refused RCPT TO: would abort everything
- send EHLO, and parse response (for later AUTH implementation)
- better handling of multi-line responses, and better error-messages
- Also normalize line endings in headers
- Now keeps the Sender header if it was used. Previous versions
only used it for the MAIL FROM: command and deleted it.
- No space between "MAIL FROM:" or "RCPT TO:" and address.
version 3.003: Thu 29 Jun 15:18:15 CEST 2017
Fixes:
- change license back to "perl" after accidental change
rt.cpan.org#120319 [Jitka Plesnikova]
version 3.002: Fri 31 Mar 14:22:17 CEST 2017
Fixes:
- repair test on Windows again :(
- error while global destruction of locker
- show installed version of POP3, not POP4 (of course)
rt.cpan.org#120651 [Kent Fredric]
version 3.001: Mon 6 Feb 17:07:53 CET 2017
Fixes:
- test on windows, cause the path syntax differences
- posix lock on BSD [Slaven Rezic]
- SEE ALSO links broken.
rt.cpan.org#120119 [Christophe Deroulers]
- do not test multi-lock on BSDs
Improvements:
- Mail::Box::Locker* cleaner OO
- ::Locker::Multi uses FcntlLock, not POSIX by default
version 3.000: Thu 2 Feb 15:50:36 CET 2017
Changes:
- split Mail::Box 2* into separate distributions:
Mail::Box basic and simple mail folders
Mail::Message only message handling
Mail::Transport sending messages
Mail::Box::IMAP4 net-imap folders
Mail::Box::POP3 pop3(s) folders
Mail::Box::Dbx Outlook express folders (unpublished)
- simplify structure of tests
- do not ask questions during installation
- shared footer
1.946 2017-08-31 09:29:41-04:00 America/New_York
- propagate encode_check to subparts (thanks, Michael McClimon)
- use the new parse_content_disposition function in
Email::MIME::ContentType (thanks, Pali Rohár)
- fix a bug in AddressList handling (thanks, Pali Rohár)
This module implements RFC 2822 parser and formatter of email
addresses and groups. It parses an input string from email headers
which contain a list of email addresses or a groups of email addresses
(like From, To, Cc, Bcc, Reply-To, Sender, ...). Also it can generate
a string value for those headers from a list of email addresses
objects.
Parser and formatter functionality is implemented in XS and uses
shared code from Dovecot IMAP server.
2017-09-12 Richard Russon <rich@flatcap.org>
* Bug Fixes
- broken check on resend message
- crash in vfolder-from-query
* Build
- Be more formal about quoting in m4 macros
- fix warnings raised by gcc7
- notmuch: add support for the v5 API
RELEASE 1.2.6
-------------
- Don't ignore (global) userlogins/sendmail logging in per_user_logging mode
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Fix bug where comment notation within style tag would cause the whole style
to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix addressbook searching by gender (#5757)
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where it wasn't possible to set timezone to auto-detected value
(#5782)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure
rcube_utils::random_bytes() result has always requested length (#5788)
- Fix potential XSS vulnerability with malformed HTML message markup
2017-09-07 Richard Russon <rich@flatcap.org>
* Contrib
- Add guix build support
* Bug Fixes
- Only match real mailboxes when looking for new mail
- Fix the printing of ncurses version in -v output
- Bind editor \<delete\> to delete-char
- Fix overflowing colours
- Fix empty In-Reply-To generation
- Trim trailing slash from completed dirs
- Add guix-neomutt.scm
- Fix setting custom query_type in notmuch query
* Website
- New technical documentation LINK
- Improve Gentoo distro page
* Build
- Better curses identification
- Use the system's wchar_t support
- Use the system's md5 tool (or equivalent)
- Clean up configure.ac
- Teach gen-map-doc about the new opcode header
* Source
- Rename functions (snake_case)
- Rename constants/defines (UPPER_CASE)
- Create library of shared functions
- Much tidying
- Rename globals to match user config
- Drop unnecessary functions/macros
- Use a standard list implementation
- Coverity fixes
- Use explicit NUL for string terminators
- Drop OPS\* in favour of opcodes.h
* Upstream
- Fix menu color calls to occur before positioning the cursor
- When guessing an attachment type, don't allow text/plain if there is a null character
- Add $imap_poll_timeout to allow mailbox polling to time out
- Handle error if REGCOMP in pager fails when resizing
- Change recvattach to allow nested encryption
- Fix attachment check_traditional and extract_keys operations
- Add edit-content-type helper and warning for decrypted attachments
- Add option to run command to query attachment mime type
- Add warning about using inline pgp with format=flowed
+ $ssl_verify_partial_chains permits verifying partial certificate chains.
This allows the storage of only intermediate/host certificates in the
$certificate_file. (OpenSSL 1.0.2b and newer only)
! SNI support added for OpenSSL and GnuTLS.
+ Choice and confirmation prompts can now wrap across multiple lines.
+ Window resizes are handled while in the line editor.
+ "color compose" can color the compose menu header fields and the
security status. See "Using Color and Mono Video Attributes" in the
manual for more details.
+ Setting $header_color_partial allows partial coloring of headers in the
pager. This can be used to color just the header labels, or strings
inside the headers. hdrdefault controls the color of the unmatched part.
+ When $history_remove_dups is set, duplicates in the history ring will
be scanned and removed each time a new entry is added.
! IMAP header downloading was improved to support out-of-order and
missing MSN entries.
! $message_cache_clean should be faster for large mailboxes.
+ Self-encryption can be enabled using the $pgp_self_encrypt,
$pgp_self_encrypt_as, $smime_self_encrypt, and $smime_self_encrypt_as
options.
! $postpone_encrypt now will use the $pgp_self_encrypt_as or
$smime_self_encrypt_as option values first. $postpone_encrypt_as will
be checked second, but should be considered deprecated.
+ $forward_attribution_intro and $forward_attribution_trailer can be used
to customize the message preceding and following a forwarded message.
+ The ~<() and ~>() pattern operators match messages whose immediate parent,
or immediate children respectively, match the subpattern inside ().
They are more specific versions of the ~() pattern operator.
+ $imap_poll_timeout allow IMAP mailbox polling to time out. This defaults
to 15 seconds.
+ The attachment menu now supports nested encryption. This allows
attachments in nested encrypted messages to be saved or operated on.
+ $mime_type_query_command specifies a command to run to determine
a new attachment's mime type. When $mime_type_query_first is set,
this command will be run before looking at the mime.types file.
Changelog v0.4.20:
+ Made the retention period for redirect duplicate identifiers
configurable. For accounts that perform many redirects, the lda-dupes
database could grow to impractical sizes. Changed the default
retention period from 24 to 12 hours.
- sieve-filter: Fixed memory leak: forgot to clean up script binary at
end of execution. Normally, this would merely be an inconsequential
memory leak. However, when the script comes from an LDAP storage, this
would cause io leak warnings.
- managesieve-login: Fixed handling of AUTHENTICATE command. A second
authenticate command would be parsed wrong. This problem was caused by
changes in the previous release.
- LDA Sieve plugin: Fixed minor memory leak caused by not cleaning up
the sieve_discard script.
msmtp provides MacOS X Keychain support by using the configuration
option `--with-macosx-keyring`. With this setting enabled passwords
for msmtp can be stored in the MacOS X keychain.
From Thomas Merkel in NetBSD/pkgsrc#14
There are various changes in this release that can be used to significantly reduce disk IO with:
1) NFS storage especially, but I guess also other remote filesystems and even some with local disks
2) When mail storage and INDEX storage are separated
* imapc: Info-level line is logged every time when successfully
connected to the remote server. This includes local/remote IP/port,
which can be useful for matching against external logs.
* config: Log a warning if plugin { key=no } is used explicitly.
v2.3 will support "no" properly in plugin settings, but for now
any value at all for a boolean plugin setting is treated as "yes",
even if it's written as explicit "no". This change will now warn
that it most likely won't work as intended.
+ Various optimizations to avoid accessing files/directories when it's
not necessary. Especially avoid accessing mail root directories when
INDEX directories point to a different filesystem.
+ mail_location can now include ITERINDEX parameter. This tells Dovecot
to perform mailbox listing from the INDEX path instead of from the
mail root path. It's mainly useful when the INDEX storage is on a
faster storage.
+ mail_location can now include VOLATILEDIR=<path> parameter. This
is used for creating lock files and in future potentially other
files that don't need to exist permanently. The path could point to
tmpfs for example. This is especially useful to avoid creating lock
files to NFS or other remote filesystems. For example:
mail_location=sdbox:~/sdbox:VOLATILEDIR=/tmp/volatile/%2.256Nu/%u
+ mail_location's LISTINDEX=<path> can now contain a full path.
This allows storing mailbox list index to a different storage
than the rest of the indexes, for example to tmpfs.
+ mail_location can now include NO-NOSELECT parameter. This
automatically deletes any \NoSelect mailboxes that have no children.
These mailboxes are sometimes confusing to users.
+ mail_location can now include BROKENCHAR=<char> parameter. This can
be useful with imapc to access mailbox names that aren't valid mUTF-7
charset from remote servers.
+ If mailbox_list_index_very_dirty_syncs=yes, the list index is no
longer refreshed against filesystem when listing mailboxes. This
allows the mailbox listing to be done entirely by only reading the
mailbox list index.
+ Added mailbox_list_index_include_inbox setting to control whether
INBOX's STATUS information should be cached in the mailbox list
index. The default is "no", but it may be useful to change it to
"yes", especially if LISTINDEX points to tmpfs.
+ userdb can return chdir=<path>, which override mail_home for the
chdir location. This can be useful to avoid accessing home directory
on login.
+ userdb can return postlogin=<socket> to specify per-user imap/pop3
postlogin socket path.
+ cassandra: Add support for result paging by adding page_size=<n>
parameter to the connect setting.
+ dsync/imapc, pop3-migration plugin: Strip also trailing tabs from
headers when matching mails. This helps with migrations from Zimbra.
+ imap_logout_format supports now %{appended} and %{autoexpunged}
+ virtual plugin: Optimize IDLE to use mailbox list index for finding
out when something has changed.
+ Added apparmor plugin. See https://wiki2.dovecot.org/Plugins/Apparmor
- virtual plugin: A lot of fixes. In many cases it was also working
very inefficiently or even incorrectly.
- imap: NOTIFY parameter parsing was incorrectly "fixed" in v2.2.31.
It was actually (mostly) working in previous versions, but broken
in v2.2.31.
- Modseq tracking didn't always work correctly. This could have caused
imap unhibernation to fail or IMAP QRESYNC/CONDSTORE extensions to
not work perfectly.
- mdbox: "Inconsistency in map index" wasn't fixed automatically
- dict-ldap: %variable values used in the LDAP filter weren't escaped.
- quota=count: quota_warning = -storage=.. was never executed (try 2).
v2.2.31 fixed it for -messages, but not for -storage.
- imapc: >= 32 kB mail bodies were supposed to be cached for subsequent
FETCHes, but weren't.
- quota-status service didn't support recipient_delimiter
- acl: Don't access dovecot-acl-list files with acl_globals_only=yes
- mail_location: If INDEX dir is set, mailbox deletion deletes its
childrens' indexes. For example if "box" is deleted, "box/child"
index directory was deleted as well (but mails were preserved).
- director: v2.2.31 caused rapid reconnection loops to directors
that were down.
Changelog:
Fixed
Unwanted inline images shown in rogue SPAM messages
Fixed
Deleting message from the POP3 server not working when maildir storage was used
Fixed
Message disposition flag (replied / forwarded) lost when reply or forwarded message was stored as draft and draft was sent later
Fixed
Inline images not scaled to fit when printing
Fixed
Selected text from another message sometimes included in a reply
Fixed
No authorisation prompt displayed when inserting image into email body although image URL requires authentication
Fixed
Large attachments taking a long time to open under some circumstances
Fixed
Various security fixes
This project uses a Perl-style Configure script that can use a
custom config.sh to provide default answers to questions that it
asks as part of the configuration process. Modify the custom
${FILESDIR}/config.sh to allow substituting for @PKGMANDIR@ in the
default location for unformatted manpages.
Upstream changes:
1.021 2017-08-02 19:35:56-04:00 America/New_York
- reject non-ASCII and control characters in strict mode (thanks, Pali
Roh獺r)
1.020 2017-07-25 12:39:31-04:00 America/New_York
- unbreak Email::MIME (which violates encapsulation (again))
- eliminate some @_ / $_ confusion
1.019 2017-07-06 16:06:19-04:00 America/New_York (TRIAL RELEASE)
- better parsing all around, thanks to Pali Roh獺r:
- support for RFC 2231 (character set and parameter continuations)
- support for RFC 2822 comments
- we only Carp if header-parsing fails now
- we're more lenient in dealing with spaces around tokens
ytnef, programs that use libytnef to parse and handle Microsoft TNEF
attachments.
These are the programs that come with the same distfile as libytnef
and are from the same author.
The changes in patch-ytnef.c has been applied upstream.
patch-ytnef.c has now been removed.
Changes from Changelog:
v1.9.2 - February 23, 2017
Thanks to @hannob for finding some Out-of-bound exceptions in memory handline.
* [SECURITY] An invalid memory access (heap overrun) in handling LONG datatypes (CVE-2017-6800)
* [SECURITY] Missing a check for fields of size 0 (CVE-2017-6801)
* [SECURITY] Potential buffer overrun on incoming Compressed RTF Streams (CVE-2017-6802)
This version & the previous 1.9.1 resolves the following CVEs:
* CVE-2017-6306
* CVE-2017-6305
* CVE-2017-6304
* CVE-2017-6303
* CVE-2017-6302
* CVE-2017-6301
* CVE-2017-6300
* CVE-2017-6299
* CVE-2017-6298
v1.9.1 - Feb 14, 2017
* BugFix for path handling- label both / and \ as invalid characters inattachments
* Remove lots of exit(-1)'s from the code that would crash calling programs
* [SECURITY] Thanks to EricSesterhennX41 for a patch to fix lots of invalid
memory allocation around corrupted files.
v1.9 - January 2, 2017
* Unify libytnef and ytnef tools into a single build & package (Thanks @jmallach)
* Fix applied for CVE-2010-5109
* Various fixes for errors found via Static Analysis (cppcheck)
* Various memory leaks plugged (Thanks @slonik-v-domene)
* Bugfix for a broken "uniqueness" checker
* Lots of formatting & documentation cleanups
Now that the two packages are unified into a single install & build, I've had
to choose a unifier of Version Numbers. I chose 1.9 .
Enigmail 1.9.8
Released 2017-06-30, works with Thunderbird 52.0 & newer and SeaMonkey 2.46 & newer.
Notable Changes
This is a bugfix release. In addition, some locales were updated.
Bugs fixed
This version fixes a bug which blocks the mail sending process.
Notmuch 0.25 (2017-07-25)
=========================
General
-------
Add regexp searching for mid, paths, and tags.
Skip HTML tags when indexing
In particular this avoids indexing large inline images.
Command Line Interface
----------------------
Bash completion is now installed to /usr/share by default.
Allow space as separator for keyword arguments.
Emacs
-----
Support for stashing message timestamp in show and tree views
Invoking `notmuch-show-stash-date` with a prefix argument
stashes the unix timestamp of the current message instead of
the date string.
Don't use 'function' as variable name, workaround emacs bug 26406.
Library Changes
---------------
Add workaround for date parsing of bad input in older GMime
In certain circumstances, older GMime libraries could return
negative numbers when parsing syntactically invalid dates.
Replace deprecated functions with status returning versions
API of notmuch_query_{search,count}_{messages,threads} has
changed. notmuch_query_add_tag_exclude now returns a status
value.
Add support for building against GMime 3.0.
Rename libutil.a to libnotmuch_util.a.
libnotmuch SONAME is incremented to libnotmuch.so.5.
The installed cyradm shell script contained the path to the shell
in the tools directory instead of the system /bin/sh. This
happened as part of the build process by the Perl MakeMaker system
used to build the Cyrus Perl modules. Make the replacement at
post-build time to change it back to /bin/sh.
This fix was mirrored from the identical fix to the cyrus-imapd24
module by jnemeth@pkgsrc.org.
Bump the PKGREVISION of the cyrus-imapd and cyrus-imapd23 packages
due to the change in the installed script.
- Apply the qbiff-utmpx patch to (probably) fix build on FreeBSD
- Enable "qmail-srs" by default
- Add "qmail-customerror", enabled by default
- Move TLS config steps from INSTALL to MESSAGE.tls
Set PKG_SYSCONFSUBDIR where appropriate, and use {MAKE,OWN}_DIRS to
create the directory tree under ${PKG_SYSCONFDIR} instead of using
INSTALLATION_DIRS.
Bump the PKGREVISION of packages that changed due to changes in the
package install scripts.
For all services where we set procname, prefix "nb". This makes it even
harder for observers to fail to notice that this isn't a Life with qmail
install, and happens to match the log tags already being applied.
Bump version.
from /service), the rc.d script can't tell which is ours. Make and use
a pidfile.
(The other rc.d scripts set argv[0] to names that are unlikely to
collide, but there's no easy way to do that for the qmail-send process
exec'd by qmail-start.)
Bump PKGREVISION.
install-destdir and instcheck about the .gz extensions. While here,
handle INSTALL and SENDMAIL docs on case-insensitive filesystems in a
more straightforward way. Bump PKGREVISION.
being terminated with bare LFs, getting tempfailed by some SMTP servers
(such as qmail!), and getting stuck in the local queue. Tweak the EAI
patch to terminate header lines with CRLF, as unpatched qmail-remote
would have done. Submitted upstream. Bump PKGREVISION.
during the build stage, so can't use a simple REPLACE_SH.
This is a build problem that likely is only detected when
PKG_DEVELOPER=YES so bump PKGREVISION anyways.
- Collapse redundant code for invoking service-specific rc.d scripts.
- Don't try to run a service's rc.d script if it isn't enabled in rc.conf.
- Run "pause" in reverse sequence, like "stop" does.
- Support "stat", "pause", and "cont" in qmailqread.
Bump version.
Upstream changes:
1.945 2017-07-25 14:17:32-04:00 America/New_York
- fix encode-check.t to pass under legacy Test::Builder
1.944 2017-07-25 12:38:41-04:00 America/New_York
- non-trial release of header_as_obj changes
- support for supplying a non-croak encode_check (thanks, Matthew
Horsfall)
1.943 2017-06-09 19:00:09-04:00 America/New_York (TRIAL RELEASE)
- add Email::MIME::Header::AddressList and related support code
1.942 2017-03-05 08:15:00-05:00 America/New_York (TRIAL RELEASE)
- This adds ->header_as_obj to get MIME headers out of the header not
as strings, but as objects. The field-to-header mapping can be
amended with the ->set_class_for_header method.
1.941 2017-03-04 19:12:11-05:00 America/New_York (TRIAL RELEASE)
- pointless mistake release
- Remove qmail-qfilter-*-queue shell scripts, which would conflict with
the C programs of the same name included in mail/qmail 1.03nb29 with
the "qmail-rejectutils" option (enabled by default).
- Bump mail/qmail dependency to 1.03nb29.
- Shorten and improve MESSAGE.
Remove unneeded options:
- Unconditionally apply netqmail (which includes a local patch; remove it)
- Unconditionally apply bigdns, maildiruniq, outgoingip, rcptcheck, remote
- Unconditionally apply the TLS + SMTP AUTH _patch_ (not the options)
- Record all applied patches (mandatory and optional) in QMAILPATCHES
- Remove badrcptto, qregex, realrcptto, viruscan (moved to rejectutils)
Simplify packaging:
- Extract a standalone patch <https://schmonz.com/qmail/rejectutils> to
repackage the mutually conflicting recipient- and content-checking
patches as separate programs, along with wrappers for running checks
in sequence
- Extract a standalone patch <https://schmonz.com/qmail/destdir> to
build to a staging area, as non-root, without hardcoded IDs
- Run the destdir patch's `install-destdir` to make or repair the queue
and set special file permissions, obviating the need for a dependency
on mail/queue-fix and handcrafted SPECIAL_PERMS
- While here, run `instcheck` to ensure we've installed just like `make
setup check` as root would have
- Install INSTALL and SENDMAIL docs under their original names,
even on Darwin
- Avoid building catpages, since we don't install them, and remove nroff
from USE_TOOLS
Default-enable more useful options:
- "eai" (new) permits UTF-8 almost everywhere in email
- "qmail-rejectutils" (new) adds several tools for selectively
rejecting messages
- "syncdir" forces synchronous link() and related syscalls
- "tls" and "sasl", instead of causing patch conflicts, cause the TLS
and SMTP AUTH code to be included (!)
2017-07-14 Richard Russon <rich@flatcap.org>
* Translations
- Update German translation
* Docs
- compile-time output: use two lists
- doxygen: add config file
- doxygen: tidy existing comments
* Build
- fix hcachever.sh script
* Upstream
- Fix crash when $postponed is on another server.
2017-07-07 Richard Russon <rich@flatcap.org>
* Features
- Support Gmail's X-GM-RAW server-side search
- Include pattern for broken threads
- Allow sourcing of multiple files
* Contrib
- vombatidae colorscheme
- zenburn colorscheme
- black 256 solarized colorscheme
- neonwolf colorscheme
- Mutt logos
* Bug Fixes
- flags: update the hdr message last
- gpgme S/MIME non-detached signature handling
- menu: the thread tree color
- Uses CurrentFolder to populate LastDir with IMAP
- stabilise sidebar sort order
- colour emails with a '+' in them
- the padding expando '%>'
- Do not set old flag if mark_old is false
- maildir creation
- Decode CRLF line endings to LF when copying headers
- score address pattern do not match personal name
- open attachments in read-only mode
- Add Cc, In-Reply-To, and References to default mailto_allow
- Improve search for mime.types
* Translations
- Update Chinese (Simplified) translation
* Coverity defects
- dodgy buffers
- leaks in lua get/set options
- some resource leaks
* Docs
- update credits
- limitations of new-mail %f expando
- escape <>'s in nested conditions
- add code of conduct
- fix ifdef examples
- update mailmap
- Update modify-labels-then-hide
- fix mailmap
- drop UPDATING files
* Website
- Changes pages (diff)
- Update Arch distro page
- Update NixOS distro page
- Add new Exherbo distro page
- Update translation hi-score table
- Update code of conduct
- Update Newbies page
- Add page about Rebuilding the Documentation
- Add page of hard problems
* Build
- remove unnecessary steps
- drop instdoc script
- move smime_keys into contrib
- fixes for Solaris
- don't delete non-existent files
- remove another reference to devel-notes.txt
- Handle native Solaris GSSAPI.
- drop configure options --enable-exact-address
- drop configure option --with-exec-shell
- drop configure option --enable-nfs-fix
- drop configure option --disable-warnings
- Completely remove dotlock
- More sophisticated check for BDB version + support for DB6 (non default)
* Tidy
- drop VirtIncoming
- split mutt_parse_mailboxes into mutt_parse_unmailboxes
- tidy some buffy code
- tidy the version strings
* Upstream
- Add ~<() and ~>() immediate parent/children patterns
- Add L10N comments to the GNUTLS certificate prompt
- Add more description for the %S and %Z $index_format characters
- Add config vars for forwarded message attribution intro/trailer
- Block SIGWINCH during connect()
- Improve the L10N comment about Sign as
- Auto-pad translation for the GPGME key selection "verify key" headers
- Enable all header fields in the compose menu to be translated
- Force hard redraw after $sendmail instead of calling mutt_endwin
- Make GPGME key selection behavior the same as classic-PGP
- Rename 'sign as' to 'Sign as'; makes compose menu more consistent
- Change the compose menu fields to be dynamically padded
Moll in NetBSD/pkgsrc#4. From the DESCR:
mailsend is a simple command line program to send mail via SMTP protocol.
The program does not use any config file and everything needed to compose
mails (and attachments) is driven via command line parameters.
- bugfix: if password_command parameter was used with a non-existent program,
getmail would error out during the handling of that condition and not report
the problem correctly.
- new release numbering scheme; previous version numbers were just getting
too high.
- catch and ignore/exit cleanly after reset connection in IMAP IDLE mode.
Thanks: Stephan Schulz.
- allow specifying an expected SSL certificate hostname, for when the
server's certificate does not match the domain name used to connect to
it. Thanks: "Andre".
- fix error message not actually giving the header field name incorrectly
specified as containing the envelope recipient address. Thanks: Hardy
Braunsdorf.
- add new password_command configuration parameter for retrievers, allowing
getmail to retrieve the account password from any arbitrary external
command. Suggestion: "ng0".
Upstream changes:
2017-04-14: Marc Bradshaw <marc@marcbradshaw.net>
* commit aac893fdbaa7f8ccd5d37fa7f20d1785406cda51
Author: Marc Bradshaw <marc@marcbradshaw.net>
Date: Fri Mar 17 14:53:53 2017 +1100
Avoid use of $_ in read loop
RT 106485: Mail::DKIM::PrivateKey->load tampering $_ and <FILE>
* commit 06934f259e392b2a3cf94560e6051d9e522d0bf3
Author: Marc Bradshaw <marc@marcbradshaw.net>
Date: Fri Mar 17 14:44:44 2017 +1100
Ensure PrivateKey file is closed properly.
Store PrivateKey file handle in lexical variable and close it
once we are done.
RT 120638: Mail::DKIM::PrivateKey does not close FILE
* commit 9e7c1c4cb78a6cb1cf396ece4379c7ed2c44c974
Author: Marc Bradshaw <marc@marcbradshaw.net>
Date: Fri Feb 27 12:08:11 2015 +1100
Allow greater control over signed headers
* commit 8291c034dc7db4394e9df80e70b8cbe8428a38c2
Author: Marc Bradshaw <marc@marcbradshaw.net>
Date: Fri Jan 23 09:54:02 2015 +1100
Allow greater control over which headers are signed by Signer
NEWS:
Changes of Sylpheed
* 3.6.0 (stable)
* The Japanese manual was updated.
* 3.6.0beta1 (development)
* The feature to use multiple signatures in one account was added.
* The edit group dialog of the address book was improved to allow
multilple selection and display its available list with folder tree.
* The menu 'Tools - Open configuration/attachments folder' was added.
* Printing settings and page setup are now saved.
* The Japanese manual was updated.
* IMAP: SUBSCRIBE command is explicitly issued for a newly created folder
by CREATE.
* Unix: the search location of SSL certificates for OpenBSD was added
(#222).
* Win32: a notice about not removing user data in the installer was
modified.
Changelog:
52.2.1
Fixed Problems with Gmail (folders not showing, repeated email download, etc.) introduced in version 52.2.0.
52.2.0
Fixed Embedded images not shown in email received from Hotmail/Outlook webmailer
Fixed Detection of non-ASCII font names in font selector
Fixed Attachment not forwarded correctly under certain circumstances
Fixed Multiple requests for master password when GMail OAuth2 is enabled
Fixed Large number of blank pages being printed under certain circumstances when invalid preferences were present
Fixed Messages sent via the Simple MAPI interface are forced to HTML
Fixed Calendar: Invitations can't be printed
Fixed Mailing list (group) not accessible from macOS or Outlook address book
Fixed Clicking on links with references/anchors where target doesn't exist in the message not opening in external browser
Fixed Various security fixes
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2, and Thunderbird 52.2
52.1.1
Fixed Large attachments may not be shown or saved correctly if the message is stored in an IMAP folder which is not synchronized for offline use
Fixed Unable to load full message via POP if message was downloaded partially (or only headers) before
Fixed Some attachments can't be opened or saved if the message body is empty
Fixed Crash when compacting IMAP folder
* This release adjusts Pigeonhole to several changes in the Dovecot API,
making it depend on Dovecot v2.2.31. Previous versions of Pigeonhole
will produce compile warnings with the recent Dovecot releases (but
still work ok).
- Fixed bug in handling of implicit keep in some cases. Implicit
side-effects, such as assigned flags, were not always applied
correctly. This is in essence a very old bug, but it was exposed by
recent changes.
- include extension: Fixed segfault that (sometimes) occurred when the
global script location was left unconfigured.
* LMTP: Removed "(Dovecot)" from added Received headers. Some
installations want to hide it, and there's not really any good reason
for anyone to have it.
+ Add ssl_alt_cert and ssl_alt_key settings to add support for
having both RSA and ECDSA certificates.
+ dsync/imapc, pop3-migration plugin: Strip trailing whitespace from
headers when matching mails. This helps with migrations from Zimbra.
+ acl: Add acl_globals_only setting to disable looking up
per-mailbox dovecot-acl files.
+ Parse invalid message addresses better. This mainly affects the
generated IMAP ENVELOPE replies.
- v2.2.30 wasn't fixing corrupted dovecot.index.cache files properly.
It could have deleted wrong mail's cache or assert-crashed.
- v2.2.30 mail-crypt-acl plugin was assert-crashing
- v2.2.30 welcome plugin wasn't working
- Various fixes to handling mailbox listing. Especially related to
handling nonexistent autocreated/autosubscribed mailboxes and ACLs.
- Global ACL file was parsed as if it was local ACL file. This caused
some of the ACL rule interactions to not work exactly as intended.
- auth: forward_* fields didn't work properly: Only the first forward
field was working, and only if the first passdb lookup succeeded.
- Using mail_sort_max_read_count sometimes caused "Broken sort-*
indexes, resetting" errors.
- Using mail_sort_max_read_count may have caused very high CPU usage.
- Message address parsing could have crashed on invalid input.
- imapc_features=fetch-headers wasn't always working correctly and
caused the full header to be fetched.
- imapc: Various bugfixes related to connection failure handling.
- quota=imapc sent unnecessary FETCH RFC822.SIZE to server when
expunging mails.
- quota=count: quota_warning = -storage=.. was never executed
- quota=count: Add support for "ns" parameter
- dsync: Fix incremental syncing for mails that don't have Date or
Message-ID headers.
- imap: Fix hang when client sends pipelined SEARCH +
EXPUNGE/CLOSE/LOGOUT.
- oauth2: Token validation didn't accept empty server responses.
- imap: NOTIFY command has been almost completely broken since the
beginning. I guess nobody has been trying to use it.
