- Security fixes for CVE-2009-2666, CVE-2007-4565 and CVE-2008-2711.
- Fetchmail no longer drops permanently undelivered messages by default,
to match historic documentation. It does this by adding a new
"softbounce" option.
- A lot bug fixes and improvements.
Changes since version 6.3.6:
- Make the APOP challenge parser more distrustful and have it reject
challenges that do not conform to RFC-822 msg-id format, in the hope
to make mounting man-in-the-middle attacks (MITM) against APOP a bit
more difficult. (CVE-2007-1558)
- Fix pluralization of oversized-message warning mails.
- Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
"recommended:" in bold.
- Repoll immediately if a protocol error happens during the authentication
attempt after a failed opportunistic TLS upgrade.
- Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes
section.
- If SOCKS support was compiled in, add 'socks' to the feature_options
Python list emitted in --configdump.
- Do not crash with a null pointer dereference when opening the BSMTP file
fails. Improve error checking and reporting.
- Make BSMTP output actually work, it would persistently fail with SOCKET
error after writing the first header.
- Fix KPOP.
- Fix repoll when server disconnects after opportunistic TLS failed for
POP3.
The list of changes since version 6.2.5.5 is too large to mention here.
The new version provides a fix for the vulnerability reported in the
fetchmail-SA-2006-02.txt advisory.
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Several changes are involved since they are all interrelated. These
changes affect about 1000 files.
The first major change is rewriting bsd.builtin.mk as well as all of
the builtin.mk files to follow the new example in bsd.builtin.mk.
The loop to include all of the builtin.mk files needed by the package
is moved from bsd.builtin.mk and into bsd.buildlink3.mk. bsd.builtin.mk
is now included by each of the individual builtin.mk files and provides
some common logic for all of the builtin.mk files. Currently, this
includes the computation for whether the native or pkgsrc version of
the package is preferred. This causes USE_BUILTIN.* to be correctly
set when one builtin.mk file includes another.
The second major change is teach the builtin.mk files to consider
files under ${LOCALBASE} to be from pkgsrc-controlled packages. Most
of the builtin.mk files test for the presence of built-in software by
checking for the existence of certain files, e.g. <pthread.h>, and we
now assume that if that file is under ${LOCALBASE}, then it must be
from pkgsrc. This modification is a nod toward LOCALBASE=/usr. The
exceptions to this new check are the X11 distribution packages, which
are handled specially as noted below.
The third major change is providing builtin.mk and version.mk files
for each of the X11 distribution packages in pkgsrc. The builtin.mk
file can detect whether the native X11 distribution is the same as
the one provided by pkgsrc, and the version.mk file computes the
version of the X11 distribution package, whether it's built-in or not.
The fourth major change is that the buildlink3.mk files for X11 packages
that install parts which are part of X11 distribution packages, e.g.
Xpm, Xcursor, etc., now use imake to query the X11 distribution for
whether the software is already provided by the X11 distribution.
This is more accurate than grepping for a symbol name in the imake
config files. Using imake required sprinkling various builtin-imake.mk
helper files into pkgsrc directories. These files are used as input
to imake since imake can't use stdin for that purpose.
The fifth major change is in how packages note that they use X11.
Instead of setting USE_X11, package Makefiles should now include
x11.buildlink3.mk instead. This causes the X11 package buildlink3
and builtin logic to be executed at the correct place for buildlink3.mk
and builtin.mk files that previously set USE_X11, and fixes packages
that relied on buildlink3.mk files to implicitly note that X11 is
needed. Package buildlink3.mk should also include x11.buildlink3.mk
when linking against the package libraries requires also linking
against the X11 libraries. Where it was obvious, redundant inclusions
of x11.buildlink3.mk have been removed.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Based on pr pkg/22650 by Adrian Portelli.
Changes since 6.2.3:
* Updated German, Spanish, Catalan, and Turkish translations.
* IDLE is now supported using no-ops even if the server doesn't support
the IMAP IDLE extension.
* Sunil Shetye's patch to do better password shrouding.
* Sunil Shetye's bug-fix rollup patch.
* Introduce a translation item for the word "seen".
* Back out the hack to deal with lack of byte stuffing on some POP3 servers.
* Thomas Steudten's patch to improve SMTP handling of 550 errors.
Changes since 6.2.2:
* German, Danish, Spanish, and Turkish translations updated.
* Brian Sammon's patch to deal with malformed message lines containiing NULs.
* Fai's patch to ignore all but the first Return-Path (some spams have
more than one of these).
* Benjamin Drieu's ptch to properly byte-stuff when talking to BSNTP.
Fixes Debian bug #184469.
* Benjamin Drieu's patch to enable auth=cram-md5.
Fixes Debian bug #185232.
* Sunil Shetye's configure.in patch to avoid spurious search order messages
from GCC.
* Header-reading code now copes better with lines ending in \n only.
* Elias Israel's patches for POP3 NTLM support and dealing with byte-
stuffing failures at socket level.
Changes since last version:
* Sunil Shetye's patch to improve behavior in empty messages.
* Conform to RFC2595; reissue capability probes after successful
STARTTLS negotiation.
* Sunil's patch to make handling of failed STARTTLS more graceful.
* Sunil's JF2 fix patch for .fetchmailrc security fix.
* Christophe GIAUME <christophe@giaume.com> finished the implementation
of RFC2177 IDLE.
* Jason Tishler's fix patch for Cygwin.
* Support ssh-style authentication in POP3
* Fix for Debian bug #108977, clean up config file evaluation,
by Benjamin Drieu.
* Updated German, Turkish, Spanish, and Danish translation files.
* Integrated Sunil Shetye's patch to make mark_seen an explicit method.
* Removed FAQ warning about GMX and associated fetchmailconf check,
we have a report that its servers are conformant now.
* Another Sunil patch to fix a minor bug in bouncemail generation.
Changes since version 6.1.2:
- Applied Steffen Esser's fix for a buffer-overflow bug in rfc822.c
- Updated Danish, German, and Turkish translation files.
- Sunil Sheye's SMTP timeout patch.
- Updated Turkish, Danish, German, Spanish, Catalan po files.
- Added Slovak support.
- Configure.in update for autoconf 2.5 (Art Haas).
- Be case-insensitive when looking for IMAP responses.
- Fix logout-after-idle-delivery bug (Sunil Shetye).
- Sunil Shetye's patch to bulletproof end-of-header detection.
- Sunil's fix for the STARTTLS problem -- repoll if TLS nabdshake
fails. The attenmpt to set up STARTTLS can be suppressed with 'sslproto ""'.
changes since 6.1.0:
fetchmail-6.1.2 (Thu Oct 31 11:41:02 EST 2002), 22135 lines:
* Jan Klaverstijn's verbosity-lowering patch.
* Updated Turkish, German, Catalan, and Danish translation files.
* Fix processing of POP3 messages with missing bodies.
* Minor fixes by Sunil Shetye: fix generation of auth fail note, handle
unexpected SIGALRM, plug memory leak, handle lines beginning with '\0',
try to bulletproof error handling against read failures.
fetchmail-6.1.1 (Fri Oct 18 14:53:51 EDT 2002), 22087 lines:
* OTP fix patches from Stanislav Brabec <utx@penguin.cz>
* fix patch for writing antispam capability correctly in conf.c.
* Fix patches for Debian bugs #162571, #156592.
* Correction to manpage re -b and qmail.
* Patch to disable use of STLS if auth passwd is specified.
* Fix specfile generation to handle SSL correctly.
* New Danish, Turkish, and Catalan translation files.
* Improved ODMR debug messages.
* IMAP efficiency hack; don't fetch sizes unless needed.
* Detect and rewrite invalid return paths beginning with @.
* Fix for subtle freeing bug that suppressed information in some bounce msgs.
* Newline fix patches for internationalization files.
* Fix reversed test guarding authentication-failure warnings.
* Fix POP3 breakage starting at 5.9.14.
Because of the recent vulnerability, it is strongly encouraged to update
(http://security.e-matters.de/advisories/032002.html).
Thanx to Alan Post <apost@interwoven.com> for giving me a note.
fetchmail-6.1.0 (Sun Sep 22 18:31:23 EDT 2002), 21999 lines:
* Updated French translation.
* Stefan Esser's fix for potential remote vulnerability in multidrop mode.
This is an important security fix!
fetchmail-6.0.0 (Tue Sep 17 19:48:25 EDT 2002), 21972 lines:
* Applied Matt Kraai's fix for minor Debian bug #144539.
* Nerijus Baliunas's patch to support STARTTLS over IMAP.
* More cleanups and minor bugfixes from Sunil Shetye.
* Default antispam-response list is now empty.
* Updated de and po translations,
fetchmail-5.9.14 (Fri Sep 6 05:03:25 EDT 2002), 21932 lines:
* Sunil Shetye's patch to eliminate multiple bounces.
* Moritz Jodeit <moritz@jodeit.org>'s patch for re-exec with no args.
* Sunil Shetye's patch to solve the re-exec problem with relative files.
* Cygwin portability patch (use ROOT_UID) from Jason Tishler.
* Workaround for the CAPA error problem is documented in the FAQ.
* Updated Polish, Danish, and Catalan translations.
* Sunil Shetye's patch to improve CAPA error handling.
* Sunil Shetye's patch to improve handling of unreadable boxes in POP3.
* Berkeley port fix for Kerberos IV.
extension Makefile fragments, because they really don't have anything to
do with the buildlink[12] frameworks. Change all the Makefiles that use
application.buildlink.mk and extension.buildlink.mk to use application.mk
and extension.mk instead.
Changes since 5.9.6:
fetchmail-5.9.11 (Mon Apr 1 17:09:13 EST 2002), 21597 lines:
* Updated Turkish and Japanese translations.
* Added warning about auth failures on the GMX server.
* HMH's Debian 5.9.10 patches:
1. Fix minor typo in FAQ
2. Fix partial implementation of ESMTP auth, and some minor
fetchmailconf stuff
3. Add proper error reporting to bad logfile creation.
patch by Sunil Shetye <shetye@bombay.retortsoft.com>
4. Fix incredible aggravating bug that caused dataloss
risks if 4xx errors were returned by the MTA
5. Corrected version of the fix-timeouts-for-ssl and descriptor
leaking patches from Sylvain Benoist <sylvainb@whitepj.com>
Also fix outdated comments in driver.c
6. Sunil Shetye's patch to stop fetchmail from trying to fetch
twice with IMAP
7. Stop stupid complaint about turning off SSL being illegal
without SSL support.
8. Byrial Jensen <byrial@image.dk> i18n fixes
* Sunil Shetye's attribute patch.
* HMH's revised but untested SMTP authentication patch.
fetchmail-5.9.10 (Sun Mar 10 15:09:57 EST 2002), 21529 lines:
* Security fix: don't trust the message count passed back by the server.
fetchmail-5.9.9 (Sat Mar 9 08:54:28 EST 2002), 21508 lines:
* Renamed misnamed tr.po and da.po files
* Jakub Ulanowski's patch to fix SSL fingerprint handling.
* Matt Kraai's patch for supporting STLS over POP3.
* French translation updated.
* Debian fixes merged.
* Added maildrop (MDA shipped with courier) as fallback after procmail
and sendmail (thanks to Alexander Lazic <al-fetchmail@none.at>).
* ESMTP AUTH support from Wojciech Polak <polak@lodz.pdi.net>.
fetchmail-5.9.8 (Thu Feb 14 23:47:31 EST 2002), 21358 lines:
* Added de translation catalog; updated da and tr catalogs.
* vsprintf underflow fixes by Sunil Shetye.
* Added warning about IMS POP3 server.
* Mattyhias Andree's fix for a longstanding SSL hang bug.
* Fix yacc syntax bug when building with SSL.
* Sunil Shetye's patch for idle timeout during poll.
* Applied HMH's fix for the "message delimiter found in headers" code path
(Debian bug #128672).
fetchmail-5.9.7 (Sat Feb 2 00:33:40 EST 2002), 21330 lines:
* Minor fixes by HMH.
* Properly guard some transaction reporting in the SSL code.
* Updated German (de) po file. Added Turkish (tr) po file.
* Expunge edge case fix by Sunil Shetye.
* Fixes for some odd IMAP and SMTP edge cases by Sunil Shetye.
* UIDL bug fix by Matthias Andree.
* Use smtpaddress, if present, to set the return path on warning mail.
* Tell parser to object when SSL keyboard is used with SSL not compiled.
* GSSAPI and ODMR fixes by Tom Hughes.
fetchmail-5.9.6 (Fri Dec 14 04:03:50 EST 2001), 21247 lines:
* OPIE bug fixes by Jun Miyoshi <usako@omnisci.co.jp>.
* Documented known IDLE bug in the todo.html file.
* Sunil Shetye's fix for a timeout/reconnect bug.
* LMTP fix from Toshiro HIKITA <toshi@sodan.org>.
* The duplicate-killer doesn't try to operate if we can get an actual
recipient address from the trace headers.
fetchmail-5.9.5 (Thu Nov 8 14:14:35 EST 2001), 21162 lines:
* Changed the logging logic along lines suggested by Jan Klaverstijn,
* fetchmailconf looks first in the directory it's running from to find
fetchmail.
* Make sure we vet a success status correctly from open_smtp_sink()
and open_bsmtp_sink().
* Matthias Andree's env.c patch to refuse service when QMAILINJECT is defined.
* Immediately abort if a non-empty QMAILINJECT environment variable is
found. If it is set and contains f or i, qmail-inject or qmail's
sendmail `compatibility' wrapper will rewrite From: or Message-ID:
headers, respectively. En passant, fix the bug that program_name was
not filled in before used when the user's ID had no PW entry, leading
to (null) or crash when printing the error message. Patch by Matthias
Andree.
* NextStep and OpenStep port patch from Eric Sunshine.
* Block signals during SockConnect() so we don't get a socket descriptor
leak if we're hit by an alarm signal during connect(2).
* Set queryname even when server is inactive; avoids a core-dump bug in
the fetchids code.
