# SECURITY FIXES
* for CVE-2012-3482:
NTLM: fetchmail mistook an error message that the server sent in response to
an NTLM request for protocol exchange, tried to decode it, and crashed while
reading from a bad memory location.
Also, with a carefully crafted NTLM challenge packet sent from the server, it
would be possible that fetchmail conveyed confidential data not meant for the
server through the NTLM response packet.
Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
NTLM authentication in case of error.
See fetchmail-SA-2012-02.txt for further details.
Reported by J. Porter Clark.
* for CVE-2011-3389:
SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
against a certain kind of attack against cipher block chaining initialization
vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
Whether this creates an exploitable situation, depends on the server and the
negotiated ciphers.
As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
NOTE that this can cause connections to certain non-conforming servers to
fail, in which case you can set the environment variable
FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
fetchmail to re-instate the compatibility option at the expense of security.
Reported by Apple Product Security.
For technical details, refer to <http://www.openssl.org/~bodo/tls-cbc.txt>.
See fetchmail-SA-2012-01.txt for further details.
# BUG FIX
* The Server certificate: message in verbose mode now appears on stdout like the
remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
* The GSSAPI-related autoconf code now matches gssapi.c better, and uses
a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
# CHANGES
* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
reference it (to fix the build) and if configured, print a run-time error
that the OS does not support SSLv2. Fixes Debian Bug #622054,
but note that that bug report has a more thorough patch that does away with
SSLv2 altogether.
* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
was dropped). The Creative Commons address was updated.
* The Python-related Makefile.am parts were simplified to avoid an automake
1.11.X bug around noinst_PYTHON, Automake Bug #10995.
* Configuring fetchmail without SSL now triggers a configure warning,
and asks the user to consider running configure --with-ssl.
# WORKAROUNDS
* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
a header request, in the face of message corruption. fetchmail now treats
these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
without any header in response to a header request for meeting reminder
messages (with a "meeting.ics" attachment). fetchmail now treats these as
transient errors. Report by John Connett, Patch by Sunil Shetye.
# TRANSLATION UPDATES
* [cs] Czech, by Petr Pisar
* [de] German
* [fr] French, by Frédéric Marchal
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
* [vi] Vietnamese, by Trần Ngọc Quân
Requested by PR#45030.
fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
# SECURITY BUG FIXES
* CVE-2011-1947:
STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
set timeout (default five minutes) now. This was reported missing, with
observed fetchmail freezes beyond a week, by Thomas Jarosch.
SSL-wrapped connections were unaffected by this timeout, so users of older
versions can force ssl-wrapped connections -- if supported by the server --
with the --ssl command line or ssl rcfile option.
See fetchmail-SA-2011-01.txt for further details.
# BUG FIXES
* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
new messages and most of the range searches result in nothing. Instead, split
the long response to make the IMAP driver think that there are multiple lines
of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
there are too many old messages, the logs just get filled without any real
activity. (Sunil Shetye) (suggested by Yunfan Jiang)
* Build: fetchmail now always uses its own MD5 implementation rather than trying
to find a system library with matched header. The library and header variants
found on systems are too diverse, and the code size saving is not worth any
more wasted user or programmer time.
# CHANGES
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
there is no portable way to configure actual timeouts for this mode, and some
systems only support a system-wide timeout setting. fetchmail does not
attempt to tune the time spans of keepalive mode.
# TRANSLATION UPDATES
[cs] Chech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German (Matthias Andree)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
# KNOWN BUGS AND WORKAROUNDS
(this section floats upwards through the NEWS file so it stays with the
current release information - however, it was stuck with 6.3.8 for a while)
* fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail does not track pending deletes over crashes.
* the command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
# ERRATUM NOTICE ISSUED
* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.
# BUG FIXES
* When specifying multiple local multidrop lists, do not lose wildcard flag.
(Affects "user foo is bar baz * is joe here")
* In multidrop configurations, an asterisk can now appear anywhere in the list
of local users, not just at the end.
* In multidrop mode, header parsing is now more verbose in -vv mode, so that it
becomes possible to see which header is used.
* Make --antispam work from command line (these used to work in rcfiles).
Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
documents. Skip validating Mailbox-Names-UTF7.html. Several systems have
broken XHTML 1.1 DTD installations that jeopardize the build.
Reported by Mihail Nechkin against FreeBSD port.
Workaround for 6.3.18: build in a separate directory, i. e:
mkdir build && cd build && ../configure --options-go-here
* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
and Derek Simkowiak via the fetchmail-users@ mailing list.
* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
server capabilities do not show support for upgradation to TLS.
To use this, configure --sslproto tls1. (Sunil Shetye)
* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
Yasin Malli to fetchmail-users@ 2010-12-10.
Note that fetchmail continues to expect literals as FETCH response for now.
# DOCUMENTATION
* The manual page now links to IANA for GSSAPI service names.
# TRANSLATION UPDATES
[cs] Czech (Petr Pisar)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[pl] Polish (Jakub Bogusz)
fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
* Fetchmail now only accepts wildcard certificate common names and subject
alternative names if they start with "*.". Previous versions would accept
wildcards even if no period followed immediately.
* Fetchmail now disallows wildcards in certificates to match domain literals
(such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
The test is overly picky and triggers if the pattern (after skipping the
initial wildcard "*") or domain consists solely of digits and dots, and thus
matches more than needed.
* Fetchmail now disallows wildcarding top-level domains.
# CRITICAL BUG FIXES AND REGRESSION FIXES
* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
functions, as an effect of an undocumented Solaris MD5 fix.
This caused all MD5-related functions to malfunction if, for instance,
libmd5.so was installed on other operating systems as part of libwww on
machines where long isn't 32-bits, i. e. usually on 64-bit computers.
Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
--sslfingerprint was specified. This is an omission from an SSL usability
change made in 6.3.17.
Fixes Debian Bug#580796 reported by Roland Stigge.
* Fetchmail will now apply timeouts to the authentication stage.
This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
Reported missing by Thomas Jarosch.
* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
errors, such as no or unsuitable credentials.
It now sends an asterisk on a line by its own, as required in SASL.
This fixes protocol synchronization issues that cause Authentication
failures, often observed with kerberized MS Exchange servers.
Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.
# BUG FIXES
* Fetchmail will no longer print connection attempts and errors for one host
in "silent" and "normal" logging modes, unless all connections fail. This
should reduce irritation around refused-connection logging if services are
only on an IPv4 socket if the host also supports IPv6. Often observed as
connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
all connect errors and only report them if all of them fail.
* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
credentials. However, if GSSAPI authentication is requested explicitly,
fetchmail will always try it.
* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
* The manual page clearly states that --principal is for Kerberos 4 only, not
for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
# CHANGES
* When encountering incorrect headers, fetchmail will refer to the bad-header
option in the manpage.
Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
* Fetchmail now decodes and reports GSSAPI status codes upon errors.
* Fetchmail now autoprobes NTLM also for POP3.
* The Fetchmail FAQ has a new item #R15 on authentication failures.
# INTERNAL CHANGES
* The common NTLM authentication code was factored out from pop3.c and imap.c.
# TRANSLATION UPDATES
[zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
- Security fixes for CVE-2009-2666, CVE-2007-4565 and CVE-2008-2711.
- Fetchmail no longer drops permanently undelivered messages by default,
to match historic documentation. It does this by adding a new
"softbounce" option.
- A lot bug fixes and improvements.
The list of changes since version 6.2.5.5 is too large to mention here.
The new version provides a fix for the vulnerability reported in the
fetchmail-SA-2006-02.txt advisory.
Change homepage to http://fetchmail.berlios.de/ and update MASTER_SITES.
Changes introduced since 6.2.5:
fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.
The fetchmail 6.2.5.X branch will be discontinued early in 2006.
fetchmail-6.2.5.5 2005-12-19 Matthias Andree
* SECURITY FIX CVE-2005-4348: fix null pointer dereference in
multidrop mode when the message is empty. Reported by Daniel Drake
<http://article.gmane.org/gmane.mail.fetchmail.user/7573> and others
(Debian Bug #343836). Fix by Sunil Shetye.
* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
fails. Fix suggested by Goswin Brederlow.
* Add fetchmail-SA-2005-{01,02,03}.txt
fetchmail-6.2.5.4 2005-11-13 Matthias Andree
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
yacc or bison.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
the source directory), but prevent packaging from separated build, it
yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
fetchmail-6.2.5.3 2005-11-12 Matthias Andree
* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Build environment: Update included gettext. Fix
--with-included-gettext. Fix parallel build (make -j). Fix "always
rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).
fetchmail-6.2.5.2
(patch Fri Jul 22 01:52 GMT 2005,
tarball Sat Jul 23 21:34 GMT 2005)
* README: Added a note about release status - READ IT!
* Note: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX CVE-2005-2335: truncate UIDL replies, lest malicious or
compromised POP3 servers overflow fetchmail's stack. Debian bug
#212762. This is a remote root exploit.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
The added patches add a prefix "fm_" to lock related finctions, to avoid name
clash with darwin lock functions. Link with -lresolv under darwin.
(thanks scole_at_sdf.lonestar.org for the patches)
Bump PKGREVISION
For more details have a look at
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
Changes listed within the NEWS file since 6.2.5:
fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):
* NOTE: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX: truncate UIDL replies, lest malicious or compromised
POP3 servers overflow fetchmail's stack. Debian bug #212762.
This is a remote root exploit. CVE Name: CAN-2005-2335.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
- use kerberos instead of kerberos5 as PKG_SUPPORTED_OPTIONS
to keep compliance with other kerberos aware packages in pkgsrc
- use the krb5 buildlink environment
Introduce support for gssapi which was also requested in pr pkg/26170 with
the according PKG_SUPPORTED_OPTIONS. gssapi will imply kerberos5.
Based on pr pkg/22650 by Adrian Portelli.
Changes since 6.2.3:
* Updated German, Spanish, Catalan, and Turkish translations.
* IDLE is now supported using no-ops even if the server doesn't support
the IMAP IDLE extension.
* Sunil Shetye's patch to do better password shrouding.
* Sunil Shetye's bug-fix rollup patch.
* Introduce a translation item for the word "seen".
* Back out the hack to deal with lack of byte stuffing on some POP3 servers.
* Thomas Steudten's patch to improve SMTP handling of 550 errors.
Changes since 6.2.2:
* German, Danish, Spanish, and Turkish translations updated.
* Brian Sammon's patch to deal with malformed message lines containiing NULs.
* Fai's patch to ignore all but the first Return-Path (some spams have
more than one of these).
* Benjamin Drieu's ptch to properly byte-stuff when talking to BSNTP.
Fixes Debian bug #184469.
* Benjamin Drieu's patch to enable auth=cram-md5.
Fixes Debian bug #185232.
* Sunil Shetye's configure.in patch to avoid spurious search order messages
from GCC.
* Header-reading code now copes better with lines ending in \n only.
* Elias Israel's patches for POP3 NTLM support and dealing with byte-
stuffing failures at socket level.
Changes since last version:
* Sunil Shetye's patch to improve behavior in empty messages.
* Conform to RFC2595; reissue capability probes after successful
STARTTLS negotiation.
* Sunil's patch to make handling of failed STARTTLS more graceful.
* Sunil's JF2 fix patch for .fetchmailrc security fix.
* Christophe GIAUME <christophe@giaume.com> finished the implementation
of RFC2177 IDLE.
* Jason Tishler's fix patch for Cygwin.
* Support ssh-style authentication in POP3
* Fix for Debian bug #108977, clean up config file evaluation,
by Benjamin Drieu.
changes since 6.1.0:
fetchmail-6.1.2 (Thu Oct 31 11:41:02 EST 2002), 22135 lines:
* Jan Klaverstijn's verbosity-lowering patch.
* Updated Turkish, German, Catalan, and Danish translation files.
* Fix processing of POP3 messages with missing bodies.
* Minor fixes by Sunil Shetye: fix generation of auth fail note, handle
unexpected SIGALRM, plug memory leak, handle lines beginning with '\0',
try to bulletproof error handling against read failures.
fetchmail-6.1.1 (Fri Oct 18 14:53:51 EDT 2002), 22087 lines:
* OTP fix patches from Stanislav Brabec <utx@penguin.cz>
* fix patch for writing antispam capability correctly in conf.c.
* Fix patches for Debian bugs #162571, #156592.
* Correction to manpage re -b and qmail.
* Patch to disable use of STLS if auth passwd is specified.
* Fix specfile generation to handle SSL correctly.
* New Danish, Turkish, and Catalan translation files.
* Improved ODMR debug messages.
* IMAP efficiency hack; don't fetch sizes unless needed.
* Detect and rewrite invalid return paths beginning with @.
* Fix for subtle freeing bug that suppressed information in some bounce msgs.
* Newline fix patches for internationalization files.
* Fix reversed test guarding authentication-failure warnings.
* Fix POP3 breakage starting at 5.9.14.
Changes since 5.9.6:
fetchmail-5.9.11 (Mon Apr 1 17:09:13 EST 2002), 21597 lines:
* Updated Turkish and Japanese translations.
* Added warning about auth failures on the GMX server.
* HMH's Debian 5.9.10 patches:
1. Fix minor typo in FAQ
2. Fix partial implementation of ESMTP auth, and some minor
fetchmailconf stuff
3. Add proper error reporting to bad logfile creation.
patch by Sunil Shetye <shetye@bombay.retortsoft.com>
4. Fix incredible aggravating bug that caused dataloss
risks if 4xx errors were returned by the MTA
5. Corrected version of the fix-timeouts-for-ssl and descriptor
leaking patches from Sylvain Benoist <sylvainb@whitepj.com>
Also fix outdated comments in driver.c
6. Sunil Shetye's patch to stop fetchmail from trying to fetch
twice with IMAP
7. Stop stupid complaint about turning off SSL being illegal
without SSL support.
8. Byrial Jensen <byrial@image.dk> i18n fixes
* Sunil Shetye's attribute patch.
* HMH's revised but untested SMTP authentication patch.
fetchmail-5.9.10 (Sun Mar 10 15:09:57 EST 2002), 21529 lines:
* Security fix: don't trust the message count passed back by the server.
fetchmail-5.9.9 (Sat Mar 9 08:54:28 EST 2002), 21508 lines:
* Renamed misnamed tr.po and da.po files
* Jakub Ulanowski's patch to fix SSL fingerprint handling.
* Matt Kraai's patch for supporting STLS over POP3.
* French translation updated.
* Debian fixes merged.
* Added maildrop (MDA shipped with courier) as fallback after procmail
and sendmail (thanks to Alexander Lazic <al-fetchmail@none.at>).
* ESMTP AUTH support from Wojciech Polak <polak@lodz.pdi.net>.
fetchmail-5.9.8 (Thu Feb 14 23:47:31 EST 2002), 21358 lines:
* Added de translation catalog; updated da and tr catalogs.
* vsprintf underflow fixes by Sunil Shetye.
* Added warning about IMS POP3 server.
* Mattyhias Andree's fix for a longstanding SSL hang bug.
* Fix yacc syntax bug when building with SSL.
* Sunil Shetye's patch for idle timeout during poll.
* Applied HMH's fix for the "message delimiter found in headers" code path
(Debian bug #128672).
fetchmail-5.9.7 (Sat Feb 2 00:33:40 EST 2002), 21330 lines:
* Minor fixes by HMH.
* Properly guard some transaction reporting in the SSL code.
* Updated German (de) po file. Added Turkish (tr) po file.
* Expunge edge case fix by Sunil Shetye.
* Fixes for some odd IMAP and SMTP edge cases by Sunil Shetye.
* UIDL bug fix by Matthias Andree.
* Use smtpaddress, if present, to set the return path on warning mail.
* Tell parser to object when SSL keyboard is used with SSL not compiled.
* GSSAPI and ODMR fixes by Tom Hughes.
supported on NetBSD, fix entries to better match english original
and be more condense, add couple missing spaces here and there.
Change already submitted to Jiri Pavlovsky, the maintainer of the czech
translation of fetchmail.
fetchmail-5.9.5 (Thu Nov 8 14:14:35 EST 2001), 21162 lines:
* Changed the logging logic along lines suggested by Jan Klaverstijn,
* fetchmailconf looks first in the directory it's running from to find
fetchmail.
* Make sure we vet a success status correctly from open_smtp_sink()
and open_bsmtp_sink().
* Matthias Andree's env.c patch to refuse service when QMAILINJECT is defined.
* Immediately abort if a non-empty QMAILINJECT environment variable is
found. If it is set and contains f or i, qmail-inject or qmail's
sendmail `compatibility' wrapper will rewrite From: or Message-ID:
headers, respectively. En passant, fix the bug that program_name was
not filled in before used when the user's ID had no PW entry, leading
to (null) or crash when printing the error message. Patch by Matthias
Andree.
* NextStep and OpenStep port patch from Eric Sunshine.
* Block signals during SockConnect() so we don't get a socket descriptor
leak if we're hit by an alarm signal during connect(2).
* Set queryname even when server is inactive; avoids a core-dump bug in
the fetchids code.
fetchmail-5.9.4 (Wed Oct 3 07:47:45 EDT 2001), 21104 lines:
* Finished license cleanup, all licenses in the distribution are now
officially GPL-compatible.
* Added a length check to from64tobits() after receiving a warning that
it might create buffer overflows. No exploitable overflows were found by
a careful case-by-case audit, and at minimum an exploit would have required
that the mailserver be subverted.
fetchmail-5.9.3 (Sun Sep 30 12:08:52 EDT 2001), 21075 lines:
* Fix configuration error in handling of long options.
* Thomas Moestl's patch to use querynames in UID files.
* Timeout to deal with long socket closes (Sunil Shetye).
* Move from RSA MD5 code to Colin Plumb's public-domain implementation (BSD
classic license eliminated)
* Rewrite strcasecmp() (BSD classic license eliminated).
* getopt_long is back for Solaris and HP-UX systems.
* Updated Danish po file.
* Re-enable explicit bounce message on bad address.
fetchmail-5.9.2 (Wed Sep 26 12:47:00 EDT 2001), 21118 lines:
* Enable code to build on Solaris again (long options won't work).
* Move Hesiod lookups to just before DNS lookups.
* Make sure the SICHLD handler is called when we run detached.
* Make kerberos5 in OpenBSD (Federico Schwindt <fgsch@olimpo.com.br>).
* Added FAQ item X8 on why mail sometimes gets an extra ) appended.
fetchmail-5.9.1 (Mon Sep 24 19:01:57 EDT 2001), 21120 lines:
* Make -D short option for --smtpaddress active again.
* Typo fix for Polish translation.
* Make sure IMAP capability checks are caseblind.
* Make sure suffix checks on akalists are properly caseblinded.
* All warning mail now has a generated date stamp.
* getopt.c and getopt1.c removed due to license incompatibility with OpenSSL.
* End of poll cycle is now logged.
* Sanity check now rejects SSL option if SSL support is not compiled in
(resolves Debian bug #109796).
* HMH's fix for the LMTP localhost/foo problem.
* Mike Warfield's fix for using a combined SSL cert and key in a single file.
* DNS lookups moved to just before the mailserver socket open, so fetchmail
now works OK even if started up without Internet access.
* Switched from _( to GT_( as a gettext macro, in order to avoid a
conflict with the SSL library.
fetchmail-5.8.6 (Tue Jun 12 08:16:54 EDT 2001), 20676 lines:
* Reject candidate headers for the MAIL FROM address that have \n in them.
* Add capability to insert poll trace data in the Received line.
* HMH's patch to prevent buffer overflow due to long headers. Addresses
Debian bug #100394.
* Brendan Kehoe's patch to avoid doing DNS lookups on skip entries.
There are 347 people on fetchmail-friends and 592 on fetchmail-announce.
fetchmail-5.8.5 (Tue May 29 20:01:39 EDT 2001), 20650 lines:
* Interface option fix from Alexander Kourakos.
* Fixes for i18n glitches and new Danish translation from Byrial Jensen.
* Attempted fix for Harry McGavran's problems with the Kerberos V build.
* Added fetchmailnochda.pl to the contrib directory.
* Sunil Shetye's patches for the seen count on IMAP and auto protocol.
There are 337 people on fetchmail-friends and 583 on fetchmail-announce.
fetchmail-5.8.4 (Mon May 21 15:08:03 EDT 2001), 20636 lines:
* SSL certificate options from Thomas Moestl <tmoestl@gmx.net>.
* Frantisek Brabec's patch for better UIDL error recovery.
* Another zombie-leak patch from HMH.
* Jorg de Jong's patch attempts to handle spaces in the ID part of UIDLs.
* Eliminate use of -C in Makefile.
There are 334 people on fetchmail-friends and 583 on fetchmail-announce.
Changes since 5.6.0:
fetchmail-5.7.0 (Thu Mar 1 18:00:08 EST 2001), 20131 lines:
* Updated Danish translation from Byrial Jensen.
* Fixed bug in NTLM support. Separately, "auth ntlm" now works.
* Imail server and vircom NTLM account added to test list.
* Don't require Tkinter to read --configdump output.
fetchmail-5.6.8 (Thu Feb 22 02:57:31 EST 2001), 20110 lines:
* `preauth' option changed back to `auth'
* IMAP code now bails out if the server forces the mailbox read-only.
* Fixed a core dump in Dave Zarzycki's new plugin code.
* POP3 latency optimization: only do CAPA and set authentication capabilities
from it once at start of run.
fetchmail-5.6.7 (Mon Feb 19 12:31:03 EST 2001), 20082 lines:
* Fixed brown-paper-bag password bug (only showed up if it was necessary
to prompt for a password). This fixes Debian bug #86350: Fetchmail doesn't
ask for password.
* In POP3, query for AUTH methods a la RFC2449.
fetchmail-5.6.6 (Thu Feb 15 20:43:47 EST 2001), 20083 lines:
* Fixed locale setting; this should make i18n actually work.
* Resolved Debian bug #85938: fetchmail asks for a password when using ETRN.
* Resolved Debian bugs #85853 and #86047. POP3: Don't issue AUTH between
USER and PASS, some servers choke on this.
* Resolved Debian bug #85772 re Kerberos compilation.
* Resolved Debian bug #85961: Wrong error message when local connection fails.
* Serious pre-release regression testing begins. This version tested
against 18 different POP3 and IMAP servers.
fetchmail-5.6.5 (Mon Feb 12 04:33:39 EST 2001), 20062 lines:
* CRAM-MD5 authentication of IMAP and POP3 is working. Tested against
IMAP4rev1 2000.287 and v2000.70 POP3 gateway at neo.netnea.com.
* Full support for POP3 AUTH (RFC1734) with KERBEROS_IV, GSSAPI, OTP.
This code has been completely refactored. In the process, it is
possible I have broken GSSAPI, KERBEROS, and OPIE; this needs to be tested.
The old IMAP-LOGIN, IMAP-GSS, and IMAP-K4 protocols are gone; fetchmail
now uses these automatically when it detects the right capabilities.
To prevent having fetchmail look for a password, specify a "preauth"
option other than "password".
* Noted that Debian bugs #78963, #63064, #81312, #78796, #78363, #78149,
#68627, #67559, #63308, #63088, #71428 are fixed.
* Resolved Debian bug #65505: fetchmail now returns a nonzero exit status
when interrupted before a successful fetch.
* configure --ssl works correctly again.
fetchmail-5.6.4 (Sun Feb 11 00:43:14 EST 2001), 20085 lines:
* ODMR port fix for AIX.
* Dave Zarzycki's fix for former FAQ item F5 (%h and %p not being expanded).
* Dave Zarzycki's fix to reap zombie processes when nodetach is set.
* Attempted fix for CRAM-MD5 problem with IMAP 2000.
fetchmail-5.6.3 (Wed Feb 7 10:56:21 EST 2001), 19901 lines:
* VPATH build fixed (thanks to Harry McGavran).
* Danny O'Brien's patch allowing preauth and idle to work together.
* Fixed a bug in configure.in that was resulting in KERBEROS_IV being
set when it should not have been (several reports).
* FAQ change: mailing lists have moved to MailMan.
* Deal with brain-dead netmind mail missing the RFC822 delimiter line.
* ODMR (RFC 2645) support -- untested and probably buggy!
fetchmail-5.6.2 (Fri Jan 5 16:45:47 EST 2001), 19744 lines:
* Dave Bodenstab's fix for the lockfile re-exec problem.
* Fixes for `principal' handling in fetchmailconf.
* Make --with-included-gettext work again (Thanks to Albert Chin-A-Young).
fetchmail-5.6.1 (Mon Dec 11 23:11:59 EST 2000), 19718 lines:
* More on ETRN in the FAQ.
* Horst Klokow's patch to make interface check the remote IP address.
* Roger Luethi's patch to write the UIDL file when you hit a fetchlimit.
* Don Beusee's patch to eliminate wedging on authentication failure.
Instead, fetchmail will now notify the user on the third failure, then
continue polling silently until service is restored (at which time the
user will get a notification).
* Samuel Leo's patch to add LMTP capability to the smtphost option.
* Fix UIDL handling on skip entries.
* Add Don Beusee's `spambounce' option (default off).
fetchmail-5.5.5 (Tue Oct 17 17:50:46 EDT 2000), 19523 lines:
* Killed a nasty segfault due to double-freeing of the header block.
* Updated Danish internationalization by Byrial Jensen.
* Added FAQ item X7 on attachment hangs.
fetchmail-5.5.4 (Sun Oct 8 10:57:37 EDT 2000), 19518 lines:
* Fall back on the computed queryname if we need the DNS name of a a host
and can't get it. Resolves Debian bug #69199.
* Andrej Borsenkow's fix for configuration with new SOCKS.
* Pavel Roskin's fix to build the RPM without libcrypto (Red Hat changed
the library name to libk5crypto in 6.2).
* Peter Backes's sm-hybrid patch added to contrib; more FAQ item T1 changes.
* Emiliano's patch to make dropdelivered and envelope interact properly.
* In fetchmailconf, always reset the port number when changing protocols.
* Patrick Bihan-Faou's changes to use sysctl() for interface checking
so fetchmail doesn't have to be suid kmem.
(if you have IPv4-only sendmail on dual stack node, 5.3.0 may fail to connect).
---
fetchmail-5.3.2 (Mon Mar 6 21:41:23 EST 2000), 18695 lines:
* Added experimental support for RFC2177 IDLE command extension of IMAP.
* Updated fr.po.
* Fixed a bug in fetchmailconf's handling of envelope skip prefixes.
* Don't nuke .fetchids when authorization failure keeps us from getting URLs.
* Added FAQ item X6 on dropped and mangled attachments, thanks to Rob Funk.
* Teach configure.in to link the RSA reference library if available.
* Disable saving of Message-IDs into UIDL lists.
fetchmail-5.3.1 (Sun Mar 5 23:02:42 EST 2000), 18648 lines:
* Use remotename@hostname for MAIL FROM if we have not been able to deduce
a Return-Path.
* Fix the attempted fix for Joop Susan's ENOTCONN bug.
* Added FAQ material on a Microsoft Exchange bug, on forwarding to
a different host than the one fetchmail runs on, and on using
ssh for a secure passwordless connection. Removed the FAQ entry
on popclient.
* Jun-ichiro itojun Hagino <itojun@iijlab.net> sent a fix for IPv6.
* Fix Red Hat 6.2beta bug 9982: fetchmailconf now automatically pups up
an edit panel whenever a new user or site is created.
* Fix Red Hat 6.2beta bug 9987: Deal gracefully with the possibility that
we might be running as a subprocess with stdin not attached to a tty,
and thus unable to query for a password.
* Resolved all current Debian bugs classed `important'; #43139, #44744, #44760,
#44774, #43140, #50990.
* Resolved Debian ordinary bugs #17769, #34383, #38303, #39732, #51674,
#53386, #53732, #58553.
* Resolved Debian wishlist bug #26630.
* Resolution of #59281 (still loops on Ctrl-C) involved a small change in
behavior; SIGPIPE now terminates the current poll cycle.
Changes since 5.2.4:
fetchmail-5.3.0 (Tue Feb 22 08:53:31 PST 2000), 18618 lines:
* Horst von Brand's improvements to the specfile generator.
* Joop Susan's improvements in error status reporting.
* Only emit progress dots when stdout is connected to a tty.
* Fix for GNATS bug 16468, "INET6 breaks fetchmail preconnect"
by Munechika SUMIKAWA <sumikawa@ebina.hitachi.co.jp>.
* Lexical analyzer now understands that -?[0-9]*[a-zA-Z] is not a number.
fetchmail-5.2.8 (Mon Feb 14 19:16:46 EST 2000), 18571 lines:
* Attempted fix for Joop Susan's ENOTCONN bug.
* Fix for NO response during SIZE fetches for M$ Exchange IMAP server.
* Thomas Zajic <zlatko@gmx.at> sent a change that copes with GMX X-UIDLs.
* Fix fetchmailconf's handling of ssl attributes when SSL is not configured.
* Handle IMAP folder names with embedded spaces.
* cs.po update from Jiri Pavlovsky.
* Make -d0 -v work when -a and -k are on.
* UID handling has been broken since 5.2.5. This version should work.
Thanks to Bruce Hauge <bruce_hauge@agilent.com> for testing.
fetchmail-5.2.7 (Sun Feb 6 20:45:41 EST 2000), 18517 lines:
* Updated FAQ.
* Updated es.po.
* Disable mail notification on server unreachable. This turned out to
be a very bad idea.
fetchmail-5.2.6 (Sat Feb 5 00:01:53 EST 2000), 18517 lines:
* Close down sockets using shutdown(2) and discarding read data until we
get a TCP FIN. With any luck this will squash our socket leak.
* Open the lockfile with O_SYNC, so we know the file has been written
before close (sigh...NFS might still betray us...).
* Added Martijn Lievaart's sendmail hacks for multidrop to the contrib
directory.
* Fix bug in processing of plugout option.
* AIX port tweak from Dave Marquardt <marquard@austin.ibm.com>.
* Add support for `ssh' preauth type to suppress password prompts at startup.
* Support for RFC2449 extended POP3 responses [IN-USE] and [LOGIN-DELAY].
* Log bounced messages via syslog (Debian bug #50184).
* Add scrollbars on fetchmailconf help windows (Debian bug #51770).
* Notify user by mail when pop server nonexistent (Debian bug #47143).
* Debian buglist cleanup.
fetchmail-5.2.5 (Mon Jan 31 02:02:48 EST 2000), 18445 lines:
* Fixed bugs in BSMTP generation reported by Jaap Lutz.
* Make fetchmailconf better at handling backslashes in usernames
and passwords.
* Jochen Hayek's patch to handle spaces in UID usernames.
fetchmailconf can be made usable by naive users without forcing this
package to depend on py-Tk (and X). Incidently update to 5.2.4:
* Fix bug introduced in 5.2.2 that stopped --syslog from working.
* Update for es.po, fr.po, cs.po.
* Message-string macros eliminated from driver.c so gettext can see them.
* Various useful to version reporting & configure.in fixes by Chip Salzenberg.
* Bernhard Rosenkraenzer's fix for broken Kerberos V configuration.
* Make --logfile work in foreground.
fetchmail-5.2.3 (Tue Jan 4 01:56:11 EST 2000), 18421 lines:
* Ken Estes's patch to check for unreachable UIDL file due to bad NFS mount.
* Jorge Godoy's replacement pt_BR.po and various minor translation fixes.
* Javier Kohen's replacement for es.po.
* Munechika SUMIKAWA's patch to make IPv6 version build when POP2 is enabled.
* Russian translation removed; it was badly garbled.
* Added Rick van Rein's fetchmaildistrib script to the contrib directory.
* Gunther Leber's cleanup patches.
* Note to translators: The bodies of the login-error and timeout-error
form letters have been changed in driver.c.
fetchmail-5.2.2 (Sun Dec 26 09:31:07 EST 1999), 18365 lines:
* Arrange for fetchmail to restart itself quietly when the rc file is touched.
* Improvements to IPv6 code from Jun-ichiro itojun Hagino <itojun@iijlab.net>.
* Drastic simplification of UIDL code, suggested by Ken Estes.
fetchmail-5.2.1 (Sun Dec 19 23:08:53 EST 1999), 18330 lines:
* Added FAQ item R10 on timeouts during messages.
* Fixed indentation problem in fetchmailconf.
* Federico Schwindt's patch to fix broken SSL configuration.
* Fixes to use fetchmail with IPv6 enabled on glibc without inet6-apps
installed; thanks to Arkadiusz Mis'kiewicz.
* Interpret IMAP PREAUTH tag correctly (from Joerg Dorchain).
* Upgraded to version 0.21 of smbutil.c. FAQ item S2 now documents
how to set a domain name.
fetchmail-5.1.4 (Sun Nov 7 17:40:21 EST 1999), 18302 lines:
* Mike Pearce's patch to fix a compile-time error recently introduced into
the socket code when HAVE_INET_ATON is off.
* Added warning to fetchmailconf autoprobe about a flaky Netscape IMAP server.
* Disable duplicate suppression when there is only one recognized recipient.
fetchmail-5.1.3 (Sun Oct 31 12:19:52 EST 1999), 18290 lines:
* Grant Edwards's patch to correct NTLM behavior.
* James Brister's fix for IP-address hostnames.
* Updated config.guess and config.sub.
* Backed out the 5.1.0 change to quote usernames with embedded spaces.
It actually breaks things.
* Added to fetchmailconf a warning about Imail IMAP servers.
* SSL patches by Michael Warfield merged in. Distribution still contains
no crypto code.
fetchmail-5.1.2 (Thu Oct 7 09:46:07 EDT 1999), 17906 lines:
* Joe Loughry <loughry@uswest.net> sent a patch to handle multihomed machines.
* Changed mimedecode default to `off'; it seems that doing RFC2047 decoding
on headers throws away information that the MUA may need to see.
* Change Received header parsing to no longer demand an embedded dot in
a mailhost address.
* Incorporated Grant Edwards's ntlmlib-0.2 with fixes for byte-order problems.
fetchmail-5.1.1 (Wed Sep 29 11:52:06 EDT 1999), 17827 lines:
* Added workaround, fetchmailconf warning, and FAQ about Novell GroupWise.
* Consistently show dummy arguments on manual page.
* Fix lexer to permit `antispam -1'.
* John Cigas's delay patch to avoid a timing problem with plugins.
* During IMAP authentication, canonicalize both name and password.
* -A has been retired (goes with authenticate -> preauthenticate change).
* Check for both fetchall and keep on in daemon mode; reject this.
* Fixed a logfile bug dumping IMAP-LOGIN and IMAP-CRAM-MD5.
* Tolerate a tunable constant number of authorization failures before
complaining and wedging.
fetchmail-5.0.8 (Tue Sep 14 06:56:50 EDT 1999):
* Todd Sabin's patch to accept spaces in CRAM-MD5 names.
* Fix to CRAM endianness patch, by Dan Root via Lawrence Rogers.
* Suppress duplicates by message ID in multidrop mode.
* NTLM support for querying Microsoft Exchange servers, from Grant Edwards.
* Lexer fix by Brian Boutel.
fetchmail-5.0.0 (Mon Apr 5 11:00:24 EDT 1999):
* Update for fetchsetup from Kent Robotti.
* Eliminate a realloc error in fetchmail -v -v progress message generation.
* Spanish-language update by Javier Kohen.
* French-language update by Guy Brand.
* Danish summary and description for specgen.sh.
* Henrik Storner's fix for the PGP/mimedecode problem.
* Fix netrc search code to be able to search >1 host entry per file.
* Added heads-up about SpryNet in the FAQ and a test in the autoprobe code.
* Removed the Hotmole script. Instead, the web page and FAQ now refer to it.
fetchmail-4.7.9 (Tue Mar 9 13:25:01 EST 1999):
* Patch by Dan Root to solve an endianness problem in IMAP-K4.
* Fix lexical-analyzer bug that rejected `set nobouncemail',
* Prevent send_bouncemail from stepping on SMTP antispam response.
* Added French internationalization (LC_ALL=fr) from Guy Brand.
* Added Hugo Rabson's script for fetching from Hotmail.
* Test for .fetchmailrc ownership using geteuid() when possible.
* Prevent parsing of delimited protocols from tripping up on a
MIME-armored line consisting of "=2E\r\n".
fetchmail-4.7.8 (Mon Feb 22 10:06:04 EST 1999):
* FreeBSD support for interface and monitor options by Andy Doran <ad@psn.ie>.
* Fixed server-deletion bug in fetchmailconf. Also, handle `port' properly.
* Timestamps now generated into logfiles at start of poll cycle.
* New `nobounce' debugging option (specifically exempted from feature freeze)
allows SMTP error bouncemail to be redirected from sender to local
postmaster.
* Suppress dancing progress dots when syslog is on.
* es.po update by Javier Kohen.
* Added FAQ material on what to do for a "do not relay" sendmail response.
* Can now build under Lynx 3.0.0.
fetchmail-4.7.7 (Tue Feb 2 18:57:04 EST 1999):
* Fixed off-by-one error in batchlimit logic (thanks to Brian Warner).
* Added MD5 checksums to web page.
* Get kernel type (and derive /proc/net/dev format) at startup.
* Fixes for fetchmailconf bugs reported by Gunther Leber.
* Return of the dancing progress dots!
