* Lightning cannot be disabled by users in build time.
Remove mozilla-lightning option.
Changelog:
78.2.1
Changes
changed OpenPGP enabled by default
changed OpenPGP: Disabled the use of MD5/SM2/SM3 algorithms
Fixes
fixed OpenPGP: Users with sub-identities were unable to encrypt or sign messages when switching identities
fixed OpenPGP message security window did not support dark mode
78.2.0
Changes
changed OpenPGP Key generation now disabled when there is no default mail account configured
changed OpenPGP: Encrypt saved drafts when OpenPGP is enabled
changed Twitter search removed
changed Calendar: Event summary dialog is now themeable
changed MailExtensions: Some APIs now use defineLazyPreferenceGetter in order to benefit from caching
Fixes
fixed OpenPGP Key Manager search function did not work
fixed OpenPGP Key Properties dialog was sometimes too small
fixed OpenPGP: Encrypted email would not send if address contained uppercase characters
fixed OpenPGP: "Key ID" column could not be resized in Key Manage
fixed OpenPGP: Keys containing invalid UTF-8 strings could not be imported
fixed OpenPGP: Enable automatic signing for encrypted messages in additional scenarios
fixed Many more OpenPGP bug fixes and improvements
fixed IMAP fetch chunk size was always 65536 bytes
fixed IMAP server capabilities were not rechecked after upgrading to SSL/TLS connection
fixed Message Composer: Order of attachments could not be modified using drag & drop
fixed Composing messages with a "fixed width" font did not work
fixed Drag and drop of address book contacts did not work in some situations
fixed Address book migration failed when there was a dot in the file name
fixed Address book: "Always prefer display name over message header" was always checked when editing a contact
fixed Address book performance optimizations
fixed Dialog to add a new mail account from "Account Settings" did not open
fixed "Select All" (Ctrl+A) in message source did not work until focused with a mouse click
fixed Ctrl+scroll wheel not zooming in message reader
fixed Setting/changing a signature from a file lost when closing account settings
fixed Adaptive Junk Mail settings could not be disabled
fixed Message filter dialog fixes: Missing scrollbar, drop-down list not wide enough
fixed Various UX and theme improvements
78.1.1
Changes
changed Building OpenPGP shared library linked to system libraries now supported
changed MailExtension errors now shown in Developer Tools console by default
changed MailExtensions: Dynamic registration of calendar providers now supported
Fixesr
fixed OpenPGP improvements
fixed Message preview was sometimes blank after upgrading from Thunderbird 68
fixed Email addresses whitelisted for remote content not displayed in preferences
fixed Importing data from Seamonkey did not work
fixed Renaming a mail list did not update the side bar
fixed MailExtensions: messenger.* namespace was undefined
78.1.0
What's New
new OpenPGP support is now feature complete. Improvements: new Key Wizard, online searching for OpenPGP keys, and more
new The preferences tab now has a search field
Changes
changed Dark background in message reader is now disabled
Fixes
fixed Thunderbird startup was slow when using folder color customizations with many folders. Previously configured colors will not be migrated.
fixed Mail quota usage in status bar did not support terabyte folder sizes
fixed Changing Junk mail settings with keyboard toggled wrong setting
fixed Advanced IMAP server preferences not saved in Account Manager
fixed Address book migration updates and fixes
fixed Address book: Last Modified Date was not updated
fixed Dark mode improvements
fixed Various security fixes
Security fixes:
#CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker
#CVE-2020-6514: WebRTC data channel leaks internal address to peer
#CVE-2020-15655: Extension APIs could be used to bypass Same-Origin Policy
#CVE-2020-15653: Bypassing iframe sandbox when allowing popups
#CVE-2020-6463: Use-after-free in ANGLE gl::Texture::onUnbindAsSamplerTexture
#CVE-2020-15656: Type confusion for special arguments in IonMonkey
#CVE-2020-15658: Overriding file type when saving to disk
#CVE-2020-15657: DLL hijacking due to incorrect loading path
#CVE-2020-15654: Custom cursor can overlay user interface
#CVE-2020-15659: Memory safety bugs fixed in Thunderbird 78.1
78.0.1
What's New
new OpenPGP: Key revocation, extending key expiration, and secret key backup
Fixes
fixed Drag & Drop multiple attachments to macOS Finder created duplicate files
fixed Faceted search date and relevance settings not saved
fixed FileLink attachments included as a link and file when added from a network drive via drag & drop
fixed About Thunderbird dialog keyboard shortcuts did not work
fixed CC'd recipients sometimes displayed collapsed in header pane
fixed Incremental search in contacts sidebar did not always display local results when an LDAP server was also in use
fixed Contacts sidebar search results cleared after removing a contact
fixed OpenPGP: Messages with long Armor Header lines did not display
fixed OpenPGP: Messages containing non-UTF-8 text were not supported
fixed Various UI and theming fixes
fixed Chat: Participants list did not display operator flags
Changelog:
With "smtp_tls_connection_reuse = yes", tlsproxy(8) was using the wrong global
TLS context for connections that use DANE trust anchors or that use non-DANE
trust anchors. This resulted in a global certificate verify function pointer
race, between TLS handshakes that use trust achors and concurrent TLS
handshakes that use PKI. No memory was corrupted in the course of all this.
Reference: http://www.postfix.org/announcements/postfix-3.5.7.html
upstream changes:
-----------------
fetchmail-6.4.8 (released 2020-06-14, 27596 LoC):
## NEW TRANSLATION, with thanks to the translator:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
- Sorry, this was missed earlier because my translation scripts did not properly
report new translations.
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used, for instance,
for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
---------------------------------------------------------------------------------
fetchmail-6.4.7 (released 2020-06-14, 27596 LoC):
## TRANSLATION UPDATE, with thanks to the translator:
* sv: Göran Uddeborg [Swedish]
-------------------------------------------------------------------------------
fetchmail-6.4.6 (released 2020-05-29, 27596 LoC):
## TRANSLATION UPDATE, with thanks to the translator:
* eo: Felipe Castro [Esperanto]
--------------------------------------------------------------------------------
fetchmail-6.4.5 (released 2020-05-07, 27596 LoC):
## REGRESSION FIX:
* fetchmail 6.4.0 and 6.4.1 changed the resolution of the home directory
in a way that requires SUSv4 semantics of realpath(), which leads to
'Cannot find absolute path for... directory' error messages followed by aborts
on systems where realpath() follows strict SUSv2 semantics and returns
EINVAL if the 2nd argument is NULL.
On such systems, for instance, Solaris 10, fetchmail requires PATH_MAX to be
defined, and will then work again. Regression reported by David Hough.
On systems that neither provide auto-allocation semantics for realpath(),
nor PATH_MAX, fetchmail will print this error and abort. Such systems
are unsupported, see README.
## CHANGES:
* Add a test program fm_realpath, and a t.realpath script, neither to be
installed. These will test resolution of the current working directory.
## TRANSLATION UPDATES in reverse alphabetical order of language codes,
## with my thanks to the translators:
* zh_CN: Boyuan Yang [Chinese (simplified)]
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
--------------------------------------------------------------------------------
fetchmail-6.4.4 (released 2020-04-26, 27530 LoC):
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATOR:
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------
fetchmail-6.4.3 (released 2020-04-05, 27530 LoC):
## BUGFIXES:
* Plug memory leaks when parts of the configuration (defaults, rcfile, command
line) override one another.
* fetchmail terminated the placeholder command string too late and included
garbage from the heap at the end of the string. Workaround: don't use place-
holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
Gitlab merge request !5 in order to fix an input buffer overrun.
Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
Reported by Stefan Thurner, Gitlab issue #16.
* Fetchmail now checks for errors when trying to read the .idfile,
Gitlab issue #3.
* Fetchmail's error messages that reports that the defaults entry isn't the
first was made more precise. It could be misleading if there was a poll or
skip statement before the defaults.
## CHANGES:
* Fetchmail documentation was updated to require OpenSSL 1.1.1.
OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
distributors backport security fixes as the need arises.
Fetchmail will also warn if another SSL library that is API-compatible
with OpenSSL lacks TLS v1.3 support.
* If the trust anchor is missing, fetchmail refers the user to README.SSL.
## INTERNAL CHANGES:
* The AC_DECLS(getenv) check was removed, its only user was broken and not
accounting for that AC_DECLS always defines HAVE_DECL_... to 0 or 1, so
fetchmail never declared a missing getenv() symbol (it was testing with
#ifdef). Remove the backup declaration. getenv is mandated by SUSv2 anyways.
## UPDATED TRANSLATIONS - WITH THANKS TO THE TRANSLATORS:
* sq: Besnik Bleta [Albanian]
* zh_CN: Boyuan Yang [Chinese (simplified)]
* pl: Jakub Bogusz [Polish]
* cs: Petr Pisar [Czech]
* fr: Frédéric Marchal [French]
* sv: Göran Uddeborg [Swedish]
* eo: Felipe Castro [Esperanto]
upstream changes:
-----------------
Fixed in Postfix versions 3.5.6, 3.4.16, 3.3.14, 3.2.19:
* One fix for memory leaks in the Postfix TLS library was back-ported to the wrong place, resulting in undefined program behavior.
Fixed in Postfix versions 3.5.6, 3.4.16:
* The workaround for allowed TLS protocol versions did not explictly override the system-wide OpenSSL configuration, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry.
Fixed in Postfix versions 3.5.5, 3.4.15, 3.3.13, 3.2.18:
* Workaround for unexpected TLS interoperability problems when Postfix runs on OS distributions with system-wide OpenSSL configurations.
* Memory leaks in the Postfix TLS library, the largest one involving multiple kBytes per peer certificate.
Update based on wip/mailman by Jesus Cea.
Clean some pkglint while here.
2.1.34 (26-Jun-2020)
i18n
- The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
- The fix for LP: #1859104 can result in ValueError being thrown on
attempts to subscribe to a list. This is fixed and extended to apply
REFUSE_SECOND_PENDING to unsubscription as well. (LP: #1878458)
- DMARC mitigation no longer misses if the domain name returned by DNS
contains upper case. (LP: #1881035)
- A new WARN_MEMBER_OF_SUBSCRIBE setting can be set to No to prevent
mailbombing of a member of a list with private rosters by repeated
subscribe attempts. (LP: #1883017)
- Very long filenames for scrubbed attachments are now truncated.
(LP: #1884456)
Although the package itself builds when pkgsrc is bootstrapped in
unprivileged mode, the pkgsrc +INSTALL/+DEINSTALL scripts fail, causing
bulk build noise:
=> Creating binary package /wrk/mail/qmail/work/.packages/qmail-1.03nb49.tgz
fatal: unable to find user alias
===========================================================================
ERROR: instchown exited 111.
Permissions are likely wrong, and/or the queue may be uninitialized.
===========================================================================
pkg_add: install script returned error status
pkg_add: 1 package addition failed
2020-08-21 Richard Russon <rich@flatcap.org>
* Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
* Changed Config
- `$sidebar_format` - Use `%D` rather than `%B` for named mailboxes
* Translations
- 96% Lithuanian
- 90% Polish
The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
3.2.5
Added
IMAP Daemon: added switch to control the diffential state reload
(mailbox_update_strategy=2), more information in dbmail.conf,
mailbox_update_strategy_2_max_iterations [#81]
IMAP Daemon: added switch to control UNSEEN first message in SELECT commands
Changed
IMAP Daemon: allow reporting UID COPY success in case of various failures
(except quota), reporting issues are sent to error log as warnings [#87]
Optimizations
optimizing differential state [#81]
optimizing fetch message headers [#85]
Issues
fixing issue related to copy message in regard to RFC 3501, section 6.4.8
fixing issues related group_concat for PostgreSql [#75], [#78]
fixing issue related to lastRowId [#71]
fixing issues related with differential update [#70], [#73]
fixing proc not being used in BSD systems [#74]
IMAP Daemon: segmentation fault [#68]
3.2.4
Added
IMAP Daemon: mailbox-update-strategy switch (see dbmail.conf), experimental
support for application_name in database connection uri
IMAP Daemon: mailbox_search_strategy switch (see dbmail.conf)
Changed
systemd unit changed to type notify
mailbox state is build using only valid messages [#39]
Optimizations
IMAP Daemon: optimization of sql queries in relation to message headers
libevent increased priority on accepting new connections
libevent optimization on reading and writing to sockets
simplify libzdb configuration (AC_CHECK_HEADERS)
Issues
fix segmentation fault in imap_append_hash_as_string [#12]
dbmail-users: sql issue on deleting alias user [#18]
IMAP Daemon: generation of invalid BODYSTRUCTURE in Content-Type field [#23]
fix support for jemalloc latest version [#35]
IMAP Deamon: BYE Command now offers optional message even on normal operations
IMAP Deamon: idle message now offers optional message (* OK Still Here)
IMAP Daemon: random hangs when single user is connected [#37]
fix fd leaks
IMAP Daemon: fix MODIFIED keyword, too many '[' and ']'
fix segmentation fault in find_end_of_header
fix gcc 10 compilation issue, duplicated definition
2020-08-14 Richard Russon <rich@flatcap.org>
* Security
- Add mitigation against DoS from thousands of parts
* Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add `cd` command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
* Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in `cmd_parse_expunge()`
- Fix setting attributes with S-Lang
- Fix: redrawing of `$pager_index_lines`
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when "postponed" is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
* Changed Config
- Add `$copy_decode_weed`, `$pipe_decode_weed`, `$print_decode_weed`
- Change default of `$crypt_protected_headers_subject` to "..."
- Add default keybindings to history-up/down
* Translations
- 100% Czech
- 100% Spanish
* Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
* Docs
- Add a brief section on stty to the manual
- Update section "Terminal Keybindings" in the manual
- Clarify PGP Pseudo-header `S<id>` duration
* Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
* Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known "message" types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff `format=flowed`
Distfile changes.
1. Official annoucne says "The only change here is that the configure.ac
file has correctly formatted version number."
2. Name of distfile is changed to match previous file naming scheme.
Old distfile is still available.
3. automake 1.15.1 is used instead of previous 1.15. So, generated files
by it are changed.
4. Other files are not changed, so there is no functional change.
Bump PKGREVISION.
correct install_name_tool -id on macOS, where this fixes CHECK_SHLIBS
(and probably runtime behavior too). While here, the patch to link with
-lrt on NetBSD has been upstreamed; remove. Bump PKGREVISION.
Update dovecot2-pigeonhole to 0.5.11.
v0.5.11 2020-08-12 Aki Tuomi <aki.tuomi@open-xchange.com>
* managesieve: managesieve_max_line_length setting is now a "size" type
instead of just number of bytes. This allows using e.g. "64k" as the
value.
- lib-sieve: When folding white space is used in the Message-ID header,
it is not stripped away correctly before the message ID value is used,
causing e.g. garbled log lines at delivery.
Update roundcube to 1.4.8, security release.
RELEASE 1.4.8
-------------
- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
- Managesieve: Fix too-small input field in Elastic when using custom headers (#7498)
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Elastic: Fix deleted and replied+forwarded icons on messages list (#7503)
- Managesieve: Allow angle brackets in out-of-office message body (#7518)
- Fix bug in conversion of email addresses to mailto links in plain text messages (#7526)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
- Fix incorrect rewriting of internal links in HTML content (#7512)
- Fix handling links without defined protocol (#7454)
- Fix paging of search results on IMAP servers with no SORT capability (#7462)
- Fix detecting special folders on servers with both SPECIAL-USE and LIST-STATUS (#7525)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg content [CVE-2020-16145]
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious math content
* Drop support for EOL Python 3.4, add support for Python 3.8
* Add List_ID and List_Post headers to the generated emails
* Add a new `reply-changes` setting
* Improve configurability of text wrapping for the emails
* Use `platform.node()` instead of "dev.null.invalid" in
"Message-ID" header
* Improve locking support for when multiple rss2email instances are run
in parallel
* Fix handling of __VERSION__ and __URL__ in user-agent strings
* Fix opmlexport
Use res_ndestroy() instead of res_nclose() to properly cleanup resources
on NetBSD (and others that use __res_ndestroy() or res_ndestroy() instead
of res_nclose()). Original patch by Roy Marples.
Upstream changes:
version 3.005: Wed 22 Jul 10:40:05 CEST 2020
Improvements:
- warn to use ::SMTP, not ::SendMail on bulk messages.
- much lower elapse time on ::SMTP (local?) delivery.
version 3.004: Fri 3 May 09:29:07 CEST 2019
Improvements:
- add imap/imap4
Enigmail 2.1.7
Released 2020-06-27, works with Thunderbird 68 and Postbox 7.
Notable Changes
This release displays information about the upcoming release of Thunderbird 78.
This is a bug-fix release fixing a problem resetting access times that snuck
in starting with 1.11.0. This only affected relative-path mailboxes, but
caused Mutt to "forget" new mail in mbox files.
Changelog:
Notmuch 0.30 (2020-07-10)
=========================
S/MIME
------
Handle S/MIME (PKCS#7) messages -- one-part signed messages, encrypted
messages, and multilayer messages. Treat them symmetrically to
OpenPGP messages. This includes handling protected headers
gracefully.
If you're using Notmuch with S/MIME, you currently need to configure
gpgsm appropriately.
Mixed-up MIME Repair
--------------------
Detect and automatically repair a common form of message mangling
created by Microsoft Exchange (see index.repaired=mixedup in
notmuch-properties(7)).
Protected Headers
-----------------
Avoid indexing the legacy-display part of an encrypted message that
has protected headers (see
index.repaired=skip-protected-headers-legacy-display in
notmuch-properties(7)).
Python
------
Drop support for python2, focus on python3.
Introduce new CFFI-based python bindings in the python module named
"notmuch2". Officially deprecate (but still support) the older
"notmuch" module.
Dependencies
------------
Support for Xapian 1.2 is removed. The minimum supported version of
Xapian is now 1.4.0.
Notmuch 0.29.3 (2019-11-27)
===========================
General
-------
Fix for use-after-free in notmuch_config_list_{key,val}.
Fix for double close of file in notmuch-dump.
Debian
------
Drop python2 support from shipped debian packaging.
Notmuch 0.29.2 (2019-10-19)
===========================
General
-------
Fix for file descriptor leak when opening gzipped mail files. Thanks
to James Troup for the bug report and the fix.
Notmuch 0.29.1 (2019-06-11)
===========================
Build
-----
Fix for installation failure with `configure --without-emacs`.
Update roundcube to 1.4.7.
RELEASE 1.4.7
-------------
- Fix bug where subfolders of special folders could have been duplicated on folder list
- Increase maximum size of contact jobtitle and department fields to 128 characters
- Fix missing newline after the logged line when writing to stdout (#7418)
- Elastic: Fix context menu (paste) on the recipient input (#7431)
- Fix problem with forwarding inline images attached to messages with no HTML part (#7414)
- Fix problem with handling attached images with same name when using database_attachments/redundant_attachments (#7455)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Changelog:
Fixes
fixed Chat: Topics displayed some characters improperly
fixed Calendar: Filtering tasks did not work when "Incomplete Tasks" was selected
Security fixes:
CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#MFSA-2020-0001: Automatic account setup leaks Microsoft Exchange login credentials
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
Update postfix to 3.5.4.
Fixed in Postfix 3.5.4, 3.4.14:
* The connection_reuse attribute in smtp_tls_policy_maps always
resulted in an "invalid attribute name" error. Fix by Thorsten
Habich.
* SMTP over TLS connection reuse always failed for Postfix SMTP
client configurations that specify explicit trust anchors (remote
SMTP server certificates or public keys). Reported by Thorsten
Habich.
Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:
* The Postfix SMTP client's DANE implementation would always send
an SNI option with the name in a destination's MX record, even
if the MX record pointed to a CNAME record. MX records that
point to CNAME records are not conformant with RFC5321, and so
are rare.
Based on the DANE survey of ~2 million hosts it was found that
with the corrected SMTP client behavior, sending SNI with the
CNAME-expanded name, the SMTP server would not send a different
certificate. This fix should therefore be safe.
Instead:
1. Package makefiles including their own options.mk
2. Packages say "SUBST_CLASSES+=djberrno" to get the hack, if needed
3. Packages adjust SUBST_FILES.djberrno, if needed
Should fix bulk build failures due to multiple inclusions of options.mk
and/or incorrect definitions of DJB_ERRNO_HACK.
Approved during the freeze by wiz@.
This release fixes a regression from the 1.14.3 release. Encryption settings
are no longer checked when using $tunnel to connect to a preauthenticated IMAP
server.
Remove some patches that would get voting rights soon.
Remove support for NetBSD 1.5.
pkglint cleanup.
XXX: someone should send the remaining patches upstream.
Mutt 1.14.4 was released on June 18, 2020. This is an important
bug-fix release. It fixes a possible machine-in-the-middle response
injection attack when using STARTTLS with IMAP, POP3, and SMTP
(CVE-2020-14954).
Mutt 1.14.3 was released on June 14, 2020. This is an important
bug-fix release. It fixes a possible IMAP fcc/postpone
machine-in-the-middle attack (CVE-2020-14093). It also fixes some
GnuTLS certificate prompt issues.
Mutt 1.14.2 was released on May 25, 2020. This is a bug-fix release,
fixing a few prompt buffer-size issues and adding a potential DoS
mitigation.
Mutt 1.14.1 was released on May 16, 2020. This is a bug-fix release,
fixing a documentation build issue and a few other small bugs.
Mutt 1.14.0 was released on May 2, 2020. This release has new
features and bug fixes. See the UPDATING file, or for more details
see the release notes page.
2020-06-19 Richard Russon <rich@flatcap.org>
* Security
- Abort GnuTLS certificate check if a cert in the chain is rejected
- TLS: clear data after a starttls acknowledgement
- Prevent possible IMAP MITM via PREAUTH response
* Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
* Contrib
- sample.neomuttrc-starter: Do not echo promted password
* Bug Fixes
- make "news://" and "nntp://" schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP "NO" resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
* Changed Config
- `$alias_format` default changed to include `%c` comment
- `$query_format` default changed to include `%e` extra info
* Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
* Docs
- Add missing commands unbind, unmacro to man pages
* Build
- Check size of long using `LONG_MAX` instead of `__WORDSIZE`
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
* Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: `main_change_folder()`
- refactor: `mutt_mailbox_next()`
- refactor: `generate_body()`
- compress: add `{min,max}_level` to ComprOps
- emphasise empty loops: "// do nothing"
- prex: convert `is_from()` to use regex
- Refactor IMAP's search routines
2020-05-01 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
* Translations
- 100% Lithuanian
* Docs
- make header cache config more explicit
pkgsrc changes:
- Update MASTER_SITES and HOMEPAGE to current ones
Changes:
Version 1.4.10:
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
Version 1.4.9:
- No significant changes.
Version 1.4.8:
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Fixed the source_ip command for proxies.
Version 1.4.7:
- Minor bug fixes.
Version 1.4.6:
- Minor bug fixes.
Version 1.4.5:
- Fixed OAUTHBEARER.
- Support for TLS client certificates via PKCS11 devices, e.g. smart cards.
- Various small bug fixes and improvements.
Version 1.4.4:
- Added support for the OAUTHBEARER authentication method.
- Several minor bug fixes.
Version 1.4.3:
- This version fixes a security problem that affects version 1.4.2 (older
versions are not affected): when the new default value system for
tls_trust_file is used, the result of certificate verification was not
properly checked.
Version 1.4.2:
- To simplify TLS setup, the tls_trust_file command has a new default value
'system' that selects the system default trust. Now you just need tls=on to
use TLS; the other TLS options are only required in special cases.
To make this work without breaking compatibility with older mpop versions,
tls_fingerprint now overrides tls_trust_file, and tls_certcheck=off overrides
both (previously, you could not specify contradicting options).
- To simplify setup, a new option '--configure <mailaddress>' was added that
automatically generates a configuration file for a given mail address.
However, this only works if the mail domain publishes appropriate SRV records.
Version 1.4.1:
- Fixed our TLS code to support TLS 1.3 with GnuTLS.
Version 1.4.0:
- Using OpenSSL is discouraged and may not be supported in the future. Please
use GnuTLS instead. The reasons are explained here:
https://marlam.de/mpop/news/openssl-discouraged/
- As using GNU SASL is most likely unnecessary, it is disabled by default now.
Since everything uses TLS nowadays and thus can use PLAIN authentication, you
really only need it for GSSAPI.
- If your system requires a library for IDN support, libidn2 is now used instead
of the older libidn.
- The APOP and CRAM-MD5 authentication method are marked as obsolete / insecure
and will not be chosen automatically anymore.
- The passwordeval command does not require the password to be terminated by a
new line character anymore.
- Builtin default port numbers are now used instead of consulting /etc/services.
- Support for DJGPP and for systems lacking vasprintf(), mkstemp(), or tmpfile()
is removed.
Version 1.2.8:
- Fix support for ~/.config/mpop/config as configuration file
- Add --source-ip option and source_ip command to bind the outgoing connection
to a specific source IP address.
- Enable SNI for TLS
Version 1.2.7:
- Add support for ~/.config/mpop/config as configuration file
- Add network timeout handling on Windows
- Fix command line handling of SHA256 TLS fingerprints
- Update german translation
Discussed and ok with <reed>, thanks!
Update Ruby on Rails to 6.0.3.2.
www/ruby-actionpack60 is the really updated package and other packages
have no change except version.
CHANGELOG of www/ruby-actionpack60 is here:
## Rails 6.0.3.2 (June 17, 2020) ##
* [CVE-2020-8185] Only allow ActionableErrors if
show_detailed_exceptions is enabled
Update postfix and related pacakges to 3.5.3.
Quote freom release announce.
Postfix 3.5.3, 3.4.13:
* TLS handshake failure in the Postfix SMTP server during SNI
processing, after the server-side TLS engine sent a TLSv1.3
HelloRetryRequest (HRR) to a remote SMTP client. Reported by
J??n M??t??, fixed by Viktor Dukhovni.
Postfix versions 3.5.3, 3.4.13, 3.3.11, 3.2.16:
* The command "postfix tls deploy-server-cert" did not handle a
missing optional argument. This bug was introduced in Postfix
3.1.
Changelog:
Version 1.8.11:
- Add a new undisclosed_recipients command and --undisclosed-recipients option
to replace To, Cc, Bcc with a single "To: undisclosed-recipients:;" header.
- Improved handling of temporary files on Windows systems.
- Re-enabled support for systems lacking vasprintf(), such as IBM i PASE.
Update roundcube to 1.4.5, including some security fixes.
pkgsrc change:
* Proper replace PHP interpreter.
* Fix php-sockets option to work.
RELEASE 1.4.5
-------------
- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)
- Fix so the database setup description is compatible with MySQL 8 (#7340)
- Markasjunk: Fix regression in jsevent driver (#7361)
- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)
- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)
- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)
- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)
- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)
- Fix error when user-configured skin does not exist anymore (#7271)
- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)
- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)
- Security: Fix a couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Better fix for CVE-2020-12641
- Security: Fix cross-site scripting (XSS) via malicious XML attachment
Note: the release strategy of Thunderbird has changed and there
will be no more non-extended-support releases, so mail/thunderbird
contains the most recent extended support release, derived from firefox68
Changelog:
Fixes
fixed Custom headers added for searching or filtering could not be removed
fixed Calendar: Today Pane updated prior to loading all data
fixed Stability improvements
fixed Various security fixes
Security fixes:
#CVE-2020-12399: Timing attack on DSA signatures in NSS library
#CVE-2020-12405: Use-after-free in SharedWorkerService
#CVE-2020-12406: JavaScript Type confusion with NativeTypes
#CVE-2020-12410: Memory safety bugs fixed in Thunderbird 68.9.0
#CVE-2020-12398: Security downgrade with IMAP STARTTLS leads to information leakage
Exim version 4.94
-----------------
JH/01 Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
JH/05 Regard command-line receipients as tainted.
JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
JH/17 Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
JH/18 Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
are now specifically given a NO_DATA response without hitting the system
resolver. The library goes on to do the now-standard TXT lookup.
Use of dnsdb lookups is not affected.
JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once. Previously two calls to dlerror()
were used, and the second one (for mainlog/paniclog) retrieved null
information.
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
- the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
- named-queue names
- paths used by single-key lookups
Previously this was permitted.
JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
previous fast-mode was untenable in the face of glibs using mmap to
support larger malloc requests.
PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
New values supported, if defined on system where compiled:
allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
JH/23 Performance improvement in the initial phase of a two-pass queue run. By
running a limited number of proceses in parallel, a benefit is gained. The
amount varies with the platform hardware and load. The use of the option
queue_run_in_order means we cannot do this, as ordering becomes
indeterminate.
JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
had introduced a string-copy (for ensuring NUL-termination) which was not
appropriate for that case, which can include embedded NUL bytes in the
block of data. Investigation showed the copy to actually be needless, the
data being length-specified.
JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.
JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections.
Previously, when delivering serveral messages down a single connection
only the first would provide a SIZE. This was due to the size information
not being properly tracked.
JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as
TAI (at 37 seconds currently), pretend to be in UTC for time-related
expansion and logging. Previously, spurious values such as a future
minute could be seen.
JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations
it could crash from a null-deref. This could also affect the
${addresses: } operator and ${readsock } item.
JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime
message following a mime one, the variable was not reset.
JH/30 When an pipelined-connect fails at the first response, assume incorrect
cached capability (perhaps the peer reneged?) and immediately retry in
non-pipelined mode.
JH/31 Fix spurious detection of timeout while writing to transport filter.
JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously
an attempt to copy the string was made before checking it.
JH/33 Fix the dsearch lookup to return an untainted result. Previously the
taint of the lookup key was maintained; we now regard the presence in the
filesystem as sufficient validation.
JH/34 Fix the readsocket expansion to not segfault when an empty "options"
argument is supplied.
JH/35 The dsearch lookup now requires that the directory is an absolute path.
Previously this was not checked, and nonempty relative paths made an
access under Exim's current working directory.
JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case.
Previously no event was raised.
JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE
parameter supplied by the sender MAIL FROM command. Previously it was
ignored, and only the check_spool_space option value for the required
leeway checked.
JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present
the size of the signing public-key. Previously it was instead giving
the size of the signature hash.
JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
the default. See the (new) dkim_verify_min_keysizes option.
JH/40 Fix a memory-handling bug: when a connection carried multiple messages
and an ACL use a lookup for checking either the local_part or domain,
stale data could be accessed. Ensure that variable references are
dropped between messages.
JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
by the client was not checked as pointing within response data before
being used. A malicious client could thus cause an out-of-bounds read and
possibly gain authentication. Fix by adding the check.
JH/42 Internationalisation: change the default for downconversion in the smtp
transport to be "if needed". Previously it was "as previously set" for
the message, which usually meant "if needed" for message-submission but
"no" for everything else. However, MTAs have been seen using SMTPUTF8
even when the envelope addresses did not need it, resulting in forwarding
failures to non-supporting MTAs. A downconvert in such cases will be
a no-op on the addresses, merely dropping the use of SMTPUTF8 by the
transport. The change does mean that addresses needing conversion will
be converted when previously a delivery failure would occur.
JH/43 Fix possible long line in DSN. Previously when a very long SMTP error
response was received it would be used unchecked in a fail-DSN, violating
standards on line-length limits. Truncate if needed.
HS/01 Remove parameters of the link to www.open-spf.org. The linked form
doesn't work. (Additionally add a new main config option to configure the
spf_smtp_comment)
Changelog:
Fixes:
fixed IMAP stability improvements
fixed HTML tags in IRC topic changes were rendered incorrectly
fixed MailExtensions: Websockets could not be used
Add ruby-roadie-rails package version 2.1.1 based on wip/ruby-roadie-rails52.
roadie-rails
This gem hooks up your Rails application with Roadie to help you generate
HTML emails.
Add ruby-roadie package version 4.0.0 based on wip/ruby-roadie.
Roadie
Roadie tries to make sending HTML emails a little less painful by inlining
stylesheets and rewriting relative URLs for you inside your emails.
Update ruby-mime-types-data to 3.2020.05.12.
## 3.2020.05.12 / 2020-05-12
- Updated the IANA media registry entires as of release date.
- Added file extensions for HEIC image types. [#34][].
## Fix bugs
- Vulnerabilities we've inherited from qmail 1.03, reported by Qualys.
- CVE-2005-1515: fix signedness wraparound in `substdio_{put,bput}()`.
- CVE-2005-1514: fix possible signed integer overflow in `commands()`.
- CVE-2005-1513: fix integer overflow in `stralloc_readyplus()`.
- Fix several other places where variables could overflow.
- `qmail-pop3d`: instead of running as root if root authenticates (and
being a vector for a dictionary attack on the root password), exit 1
to look just like a failed `checkpassword` login.
- `qmail-inject`: do not parse header recipients if `-a` is given.
- Correctly detect multiple IP addresses on the same interface.
- Remove workaround for ancient DNS servers that do not properly
support CNAME.
- Fix possible integer overflow in `alloc()`.
## Reduce bug likelihood
- Remove `dnscname` and `dnsmxip` programs that were being built but not
installed.
- Remove `systype` and related platform detection.
- Remove unused variable in `maildir.c`.
- Reduce variable scope in `tcpto.c`.
- Avoid local variables shadowing same-named globals.
- Avoid needing `exit.h` in named-pipe bug check.
- Add a `test` target and some unit tests, using Check.
- Add missing function declarations in `cdbmss.h`, `scan.h`.
- Add missing return types to `main()`.
- Add `hier.h` for inclusion in `instcheck.c`, `instchown.c`, `instpackage.c`.
- Use system headers and types instead of the `HASSHORTSETGROUPS` check.
- Use system headers instead of redeclaring `exit()`, `read()`,
`write()`, `malloc()`, `free()`, `fork()`, `uint32_t`.
- Use C89 function signatures for code we've touched so far.
- Automated builds:
- TravisCI: move setting `MAKEFLAGS` out of the script and into
the matrix.
- Add FreeBSD builds with CirrusCI.
- Add a GitHub Actions build.
## Other changes
- Remove DJB's TODO.
- Replace many `pobox.com` URLs.
- Acknowledge Erik Sjölund's `qmail-local.c` bugfix that we've
inherited from netqmail.
- Avoid generating catted manpages by building with `NROFF=true`.
- Optionally create a `systemd` service file.
- Run an alternate `qmail-remote` by setting `QMAILREMOTE` in
`qmail-send`'s environment.
## Intent to remove
In the course of developing this release, we found programs that we
intend to remove in the next release. We believe none of these remains
necessary or useful enough to be worth the cost of maintaining. If you
disagree, please let us know!
- Remove `qsmhook`, long since replaced by `preline`.
- Remove inefficient `maildirwatch`.
- Remove obsolete mail client wrappers.
- Remove `qmail-pop3d`, since Maildir is well supported by actively
maintained POP3 servers.
Since do-configure-pre-hook already depends on replace-interpreter, there
is no point in making any other stage depend on that as well. At best,
it has no effect. At worst it creates a hard-to-find difference between
builds that run "bmake install" directly and builds that split the build
into "bmake configure && bmake build && bmake install", as bulk builds
do.
These packages are susceptible to bugs when confronted with non-ASCII
characters.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94182.
It takes some time to analyze and fix these individually, therefore they
are only marked as "needs work".
Changes:
- Bugfixes on QUOTA
- Various warning fixes & build fixes
- Added IMAP CLIENTID / SMTP CLIENTID support
- Use Cyrus SASL 2.1.27
- Support of TLS SNI
- LMDB for cache DB
- Fixed build with recent versions of curl
upstream changes:
-----------------
Postfix versions 3.5.2, 3.4.12, 3.2.10, 3.2.15:
* A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. Reported by Alexander Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
* The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8.
* The Postfix build now disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation.
* Due to implementation changes in the ICU library, some Postfix daemons reported file access errrors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call.
* Minor code changes to silence a compiler that special-cases string literals.
Postfix 3.5.2, 3.4.12:
* Segfault in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS.
* The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). Reported by Larry Stone.
Update dovecot2 to 2.3.10.1.
v2.3.10.1 2020-05-18 Aki Tuomi <aki.tuomi@open-xchange.com>
- CVE-2020-10957: lmtp/submission: A client can crash the server by
sending a NOOP command with an invalid string parameter. This occurs
particularly for a parameter that doesn't start with a double quote.
This applies to all SMTP services, including submission-login, which
makes it possible to crash the submission service without
authentication.
- CVE-2020-10958: lmtp/submission: Sending many invalid or unknown
commands can cause the server to access freed memory, which can lead
to a server crash. This happens when the server closes the connection
with a "421 Too many invalid commands" error. The bad command limit
depends on the service (lmtp or submission) and varies between 10 to
20 bad commands.
- CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
address that has the empty quoted string as local-part causes the lmtp
service to crash.
from GitHub user @sjorge + extra patch from me
Closes NetBSD/pkgsrc#60
2.5: 01 Apr 2020
* [Conf] Mark Rspamd emailbl as ignore whitelist
* [Conf] RBL: Add missing emails = true option
* [Feature] Add support for scripts in fuzzy storage
* [Feature] Arc: Add whitelisted_signers_map option
* [Feature] Implement hosts file processing
* [Feature] Neural: Introduce classes bias that allows non-equal classes learning
* [Feature] Update libev to 4.33
* [Fix] Another brain damage html standard adoptions
* [Fix] Another fix for brain damaged obs-fws state
* [Fix] Fix flags that caused force_actions failure
* [Fix] Fix logging issue
* [Fix] Fix lua symbols scores registration when config does not define scores
* [Fix] Fix opaque maps logic
* [Fix] Fix parsing of the html tags with no spaces after attributes
* [Fix] Fix some corner cases in urls parsing, add limits
* [Fix] Fix tlds extraction if custom composition rules are used
* [Fix] Fix variables replacement in mempool
* [Fix] Improve base64 detection
* [Fix] Normalize dynamic scores in ANN correctly
* [Fix] Plug memory leak introduced by #3153
* [Fix] Stat_redis_backend: Fix memory leak and simplify learn path
* [Fix] Try hard to deal with ghost workers
* [Fix] metadata_exporter default formatter
* [Rework] Change the way to extract URLs when dealing with alternative parts
* [Rework] Fix various url extraction issues
* [Rework] Re cache: Load compiled hyperscan in the main process as well
* [Rework] Re cache: Load hyperscan early
* [Rework] Rework URL structure: adjust tld part
* [Rework] Rework URL structure: host field
* [Rework] Rework URL structure: more structure optimisations
* [Rework] Rework URL structure: user field
* [Rework] URL: Another update for urls extraction logic
* [Rework] Urls: Improve query urls handling
* [Rework] Urls: adopt html related stuff
* [Rework] Urls: more rework of the urls sets
* [Rework] Urls: process query urls in HTML urls correctly
* [Rework] Urls: rework urls hash structure
* [Rework] Urls: update lua libraries
* [Rework] Use multiple search tries for different url extraction types
2.4: 26 Feb 2020
* [CritFix] Fix parsing of the content type attributes
* [Feature] Clickhouse: Add extra columns support
* [Feature] Rbl: Add url_compose_map option for RBL rules
* [Fix] 'R' flag is for all headers regexp
* [Fix] Allow to reset settings id from Lua (e.g. because of the priority)
* [Fix] Avoid collisions in mempool variables by changing fuzzy caching logic
* [Fix] Avoid strdup usage for symbols options
* [Fix] Do not trust stat(2) it lies
* [Fix] Filter all options for symbols to have sane characters
* [Fix] Fix all headers iteration
* [Fix] Fix allowed_settings for neural
* [Fix] Fix listen socket parsing
* [Fix] Fix maps expressions evaluation
* [Fix] Fix sentinel connections leak by using async connections
* [Fix] Fix smtp message on passthrough result
* [Fix] Fix tld compositon rules
* [Fix] Fuzzy_storage: Do not check for shingles if a direct hash has been found
* [Fix] Lua_mime: Do not perform QP encoding for 7bit parts
* [Fix] Neural: Distinguish missing symbols from symbols with low scores
* [Fix] Support listening on systemd sockets by name
* [Project] Add lua_urls_compose library
* [Project] Allow to set a custom log function to the logger
* [Project] CDB maps: Start making cdb a first class citizen
* [Project] Clickhouse: Add extra columns concept
* [Project] Fix urls composition rules, add unit tests
* [Project] Unify cdb maps
* [Rework] Logger infrastructure rework
* [Rework] Refactor libraries structure
* [Rework] Rework SSL caching
* [Rework] Update snowball stemmer to 2.0 and remove all crap aside of UTF8
Without this escaping, mk/subst.mk sees that there are no actual changes
with the default setup. Nevertheless, mk/scripts/subst-identity.awk does
not classify the sed command as an identity transformation because there
_might_ be the text /etc/policyd-weightXconf, and the X would match the
dot. Therefore, subst.mk aborts the build when it is in SUBST_NOOP_OK=no
mode.
Update ruby-actionmailbox60 to 6.0.3.
## Rails 6.0.3 (May 06, 2020) ##
* Update Mandrill inbound email route to respond appropriately to HEAD requests for URL health checks from Mandrill.
*Bill Cromie*
Additions include:
* Support for XOAUTH2 authentication method in Gmail.
* PC-Alpine builds with LibreSSL and supports S/MIME.
* NTLM authentication support with the ntlm library, in Unix systems. Based
on code provided by Maciej W. Rozycki.
* Add /tls1_3 flag for servers that support it. Read more information in the
secure protocols help.
* To increase user's privacy, remove phone-home code that would prompt users
to send an email message upon starting Alpine for the first time for
purposes of counting. Your use of Alpine does not disclose information
about you or your use of Alpine to the developers of Alpine.
* New variable encryption-protocol-range that allows users to configure
versions of the SSL/TLS protocol that Alpine is restricted to try when
establishing a secure connection SSL/TLS to a remote server. The default
can be set at compilation time.
* Add -dict option to PC-Pico, which allows users to choose a dictionary when
spelling. Sample usage: -dict "en_US, de_DE, fr_FR".
* Improvements to the configure stage of compilation. Some of these
contributed by Helmut Grohne. See Bug 876164 in Debian.
* Add "remove password" command to the management screen for the password
file encryption key. This allows users to use their password file without
entering a master password.
* Add the "g" option to the select command that works in IMAP servers that
implement the X-GM-EXT-1 capability (such as the one offered by Gmail.)
This allows users to do selection in Alpine as if they were doing a search
in the web interface for Gmail.
* New variable close-connection-timeout, which tells Alpine to close a
connection that is having problems being kept alive after the number of
seconds configured in this variable, if the connection has not recovered.
The default is 0, which means to keep the connection alive and wait for the
connection to recover.
* When a message is of type multipart/mixed, and its first part is multipart/
signed, Alpine will include the text of the original message in a reply
message, instead of including a multipart attachment. Suggested by Barry
Landy.
* S/MIME: Some clients do not transform messages to canonical form when
signing first and encrypting second, which makes Alpine fail to parse the
signed data after encryption. Reported by Holger Trapp.
* Add /auth=XYZ to the way to define a server. This allows users to select
the method to authenticate to an IMAP, SMTP or POP3 server. Examples are /
auth=plain, or /auth=gssapi, etc.
* Add backward search in the index screen. Based on patch by Astyanax Foo,
submitted in 2009, but resubmitted by Erich Eckner on 2019.
* SMIME: When Alpine is set to validate a message using the user's store, and
user agrees to save a certificate of another user, use the saved
certificate immediately to verify the smime message. Reported by Stefan
Mueller.
* Do not use a delay when printing messages to screen when the initial
keystroke sequence of commands is active. Based on a report from Holger
Trapp.
* In PC-Alpine, when the decoded name of an attachment does not agree with
its encoded name, Alpine will offer to save the file using the UTF8 encoded
name.
Bugs that have been addressed include:
* Width of characters is not always determined correctly when wcwidth is
used. Revert to using code for the Windows operating system. Reported by
Andrew Ho.
* The call realpath(..., NULL) gives an error in Solaris, which means that we
need to allocate memory for storing the resolved path. Reported by Fabian
Schmidt.
* Crash when attempting to bounce a message due to lack of space in allocated
space for key menu array. Reported by David Sewell.
* Crash when a CA certificate failed to load, and user attempted to view
certificate information of other certificate authorities.
* Crash in the S/MIME configuration screen when a user turned off S/MIME, and
then re-enabled it. Also crash when attempting to enter the S/MIME
configuration screen if S/MIME was turned off.
* Deactivate some color code from Pico (as standalone editor in the windows
version) until I find a way to activate it again. This is not critical and
it is not something that PC-Pico must have (some of it already exists in
other ways, like color support, what does not exist is the more complex
code that Unix-Pico has with color codes for specific colors.)
* When a message is multipart, and the first part is flowed text, then
forwarding the message will set the first part to be flowed, and sent that
way even when the option Do Not Send Flowed Text is enabled. Reported by
Holger Trapp.
* When a message/rfc822 part of a message is encoded with
Content-Transfer-Encoding: QUOTED-PRINTABLE, Alpine will stop processing
that message. Later this causes Alpine to crash because when it displays
messages, it assumes that both header and body parts are processed.
Reported by Mark Crispin in 2010, in the Alpine-info list (message with
subject "crash bug in alpine/mailpart.c:format_msg_att()") with no example,
and reported now by Holger Trapp, with an example.
* In addition to the previous report, Alpine encodes message/rfc822 messages
as QUOTED-PRINTABLE, in contradiction with RFC 2045, when it receives a
report that its encoding is 8bit. We preserve the encoding reported by the
IMAP server, and do not encode in QUOTED-PRINTABLE.
* Update build.bat file to add /DWINVER=0x0501 so that Alpine can build when
using Visual Studio 2017. Fix contributed by Ulf-Dietrich Braunmann.
* When the locale is not set up to UTF-8, alpine might determine the width of
a character incorrectly. Reported by Alexandre Fedotov.
* In some rare cases, when attachments are deleted before saving emails, the
filenames will be displayed in RFC1522 representation, instead of in
decoded form. Reported and patched by Wang Kang.
* When colors are edited from the main setup configuration screen, some color
settings are not updated until Alpine is restarted. Reported by Andrew
Hill.
* If the first part of a message is multipart/alternative, and the first part
of this is also a multipart type, then Alpine might fail to select the
first text part when replying to a message. Reported by Lucio Chiappetti.
* TLS 1.2 works does not work if Alpine is compiled with openssl >= 1.1.0.
Reported and patched by Kyle George.
* If the directory where Alpine saves the certificates is empty, alpine would
not create a self-signed certificate to encrypt the password file.
* S/MIME: The list of public certificates is freed before it is reused when a
signature fails to verify. This causes Alpine to crash. Patch submitted by
Linus Torvalds.
* S/MIME: A message could fail to verify its signature even if the
certificate was saved when the message was open. Based on a report by David
Woodhouse to the RedHat bugzilla system.
* When there are time changes in the clock, Alpine might go to sleep for big
amounts of time while displaying messages in the screen. Reset sleep time
to 5 seconds in case it finds it needs to sleep more than 5 seconds or a
negative amount of time.
* Restore recognition of empty directories. It was deleted by mistake when
added support for internationalization in folders. Based on a report by
Michael Rutter.
* Alpine stops parsing the mailcap file when it finds an invalid entry.
Reported by Matt Roberds to the Debian bug system at https://
bugs.debian.org/cgi-bin/bugreport.cgi?bug=886370.
* Crash with error "Lock when already locked" when an attempt to check for
new mail on a locked stream that is being used for a save operation.
Reported by Carlos E.R.
* Alpine removes trailing spaces from passwords, making a longin attempt
fail. Reported by R. Lyons.
* Alpine crashes when opening a remote imap folder and computing scores.
Reported by Paul DeStefano.
* When more than one server was given in the server-name configuration option
of rldap servers, none of them worked. Reported by Robert Wolf.
From jcea via pkgsrc-wip
2.1.33 (07-May-2020)
Security
- A content injection vulnerability via the private login page has been
fixed. (LP: #1877379)
2.1.32 (05-May-2020)
i18n
Fixed a typo in the Spanish translation and uptated mailman.pot and
the message catalog for 2.1.31 security fix.
2.1.31 (05-May-2020)
Security
- A content injection vulnerability via the options login page has been
discovered and reported by Vishal Singh. This is fixed. (LP: #1873722)
i18n
- The Spanish translation has been updated by Omar Walid Llorente.
Bug Fixes and other patches
- Bounce recognition for a non-compliant Yahoo format is added.
- Archiving workaround for non-ascii in string.lowercase in some Python
packages is added.
2.1.30 (13-Apr-2020)
New Features
- Thanks to Jim Popovitch, there is now a dmarc_moderation_addresses
list setting that can be used to apply dmarc_moderation_action to mail
From: addresses listed or matching listed regexps. This can be used
to modify mail to addresses that don't accept external mail From:
themselves.
- There is a new MAX_LISTNAME_LENGTH setting. The fix for LP: #1780874
obtains a list of the names of all the all the lists in the installation
in order to determine the maximum length of a legitimate list name. It
does this on every web access and on sites with a very large number of
lists, this can have performance implications. See the description in
Defaults.py for more information.
- Thanks to Ralf Jung there is now the ability to add text based captchas
(aka textchas) to the listinfo subscribe form. See the documentation
for the new CAPTCHA setting in Defaults.py for how to enable this. Also
note that if you have custom listinfo.html templates, you will have to
add a <mm-captcha-ui> tag to those templates to make this work. This
feature can be used in combination with or instead of the Google
reCAPTCHA feature added in 2.1.26.
- Thanks to Ralf Hildebrandt the web admin Membership Management section
now has a feature to sync the list's membership with a list of email
addresses as with the bin/sync_members command.
- There is a new drop_cc list attribute set from DEFAULT_DROP_CC. This
controls the dropping of addresses from the Cc: header in delivered
messages by the duplicate avoidance process. (LP: #1845751)
- There is a new REFUSE_SECOND_PENDING mm_cfg.py setting that will cause
a second request to subscribe to a list when there is already a pending
confirmation for that user. This can be set to Yes to prevent
mailbombing of a third party by repeatedly posting the subscribe form.
(LP: #1859104)
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- The German translation has been updated by Ludwig Reiter.
- The Spanish translation has been updated by Omar Walid Llorente.
- The Brazilian Portugese translation has been updated by Emerson de Mello.
Bug Fixes and other patches
- Fixed the confirm CGI to catch a rare TypeError on simultaneous
confirmations of the same token. (LP: #1785854)
- Scrubbed application/octet-stream MIME parts will now be given a
.bin extension instead of .obj.
- Added bounce recognition for a non-compliant opensmtpd DSN with
Action: error. (LP: #1805137)
- Corrected and augmented some security log messages. (LP: #1810098)
- Implemented use of QRUNNER_SLEEP_TIME for bin/qrunner --runner=All.
(LP: #1818205)
- Leading/trailing spaces in provided email addresses for login to private
archives and the user options page are now ignored. (LP: #1818872)
- Fixed the spelling of the --no-restart option for mailmanctl.
- Fixed an issue where certain combinations of charset and invalid
characters in a list's description could produce a List-ID header
without angle brackets. (LP: #1831321)
- With the Postfix MTA and virtual domains, mappings for the site list
-bounces and -request addresses in each virtual domain are now added
to data/virtual-mailman (-owner was done in 2.1.24). (LP: #1831777)
- The paths.py module now extends sys.path with the result of
site.getsitepackages() if available. (LP: #1838866)
- A bug causing a UnicodeDecodeError in preparing to send the confirmation
request message to a new subscriber has been fixed. (LP: #1851442)
- The SimpleMatch heuristic bounce recognizer has been improved to not
return most invalid email addresses. (LP: #1859011)
Thunderbird is no longer Mozilla-branded. It no longer uses gtk2.
Future versions of Thunderbird will not have ESR releases because
every Thunderbird release is now an ESR release.
Changelog:
Fixes
Account Manager: text fields were too small in some cases
Account Manager: Authentication method did not update when selecting an SMTP server
Links with embedded credentials did not open on Windows
Messages were sometimes sent with a badly formed address when filled from the address book
Accessibility: Screen readers were reporting too many activities from the status bar
MailExtensions: Setting IMAP messages as read with browser.messages.updated failed to persist
Various security fixes
Security fixes:
#CVE-2020-12397: Sender Email Address Spoofing using encoded Unicode characters
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection
#CVE-2020-12395: Memory safety bugs fixed in Thunderbird 68.8.0
The package-specific options.mk is included by djbware.mk and must
therefore not be included by the package Makefile itself. This fixes the
PKG_SUPPORTED_OPTIONS displayed by show-options.
Found by making the package-settable variables in mk/bsd.options.mk
read-only.
Changes:
1.8.10
------
- The msmtpq script was fixed (it was accidently broken in 1.8.8)
[that was partially fixed in 1.8.9, that was omitted in the release notes]
- Updated translations.
- New serbian translation is included.
1.8.8
-----
- Added a new socket command and --socket option to connect via local sockets.
- Added a new tls_host_override command and --tls-host-override option to
override the host name used for TLS verification.
- Added a new set_from_header command and --set-from-header option with three
settings:
- on: always set a From header, possibly replacing an existing one
- off: never set a From header
- auto: add a From header if there is none (this is the default).
This replaces the add_missing_from_header option (which remains supported).
- Added a new set_date_header command and --set-date-header option with two
settings:
- off: never set a Date header
- auto: add a Date header if there is none (this is the default).
This replaces the add_missing_date_header option (which remains supported).
- Fixed the handling of empty From headers with --read-recipients/-t.
- Fixed the source_ip command for proxies.
Update roundcube, roundcube-plugin-enigma and roundcube-plugin-zipdownload to
1.4.4. This includes security fixes..
RELEASE 1.4.4
-------------
- Fix bug where attachments with Content-Id were attached to the message on reply (#7122)
- Fix identity selection on reply when both sender and recipient addresses are included in identities (#7211)
- Elastic: Fix text selection with Shift+PageUp and Shift+PageDown in plain text editor when using Chrome (#7230)
- Elastic: Fix recipient input bug when using click to select a contact from autocomplete list (#7231)
- Elastic: Fix color of a folder with recent messages (#7281)
- Elastic: Restrict logo size in print view (#7275)
- Fix invalid Content-Type for messages with only html part and inline images - Mail_Mime-1.10.7 (#7261)
- Fix missing contact display name in QR Code data (#7257)
- Fix so button label in Select image/media dialogs is "Close" not "Cancel" (#7246)
- Fix regression in testing database schema on MSSQL (#7227)
- Fix cursor position after inserting a group to a recipient input using autocompletion (#7267)
- Fix string literals handling in IMAP STATUS (and various other) responses (#7290)
- Fix bug where multiple images in a message were replaced by the first one on forward/reply/edit (#7293)
- Fix handling keyservers configured with protocol prefix (#7295)
- Markasjunk: Fix marking as spam/ham on moving messages with Move menu (#7189)
- Markasjunk: Fix bug where moving to Junk was failing on messages selected with Select > All (#7206)
- Fix so imap error message is displayed to the user on folder create/update (#7245)
- Fix bug where a special folder couldn't be created if a special-use flag is not supported (#7147)
- Mailvelope: Fix bug where recipients with name were not handled properly in mail compose (#7312)
- Fix characters encoding in group rename input after group creation/rename (#7330)
- Fix bug where some message/rfc822 parts could not be attached on forward (#7323)
- Make install-jsdeps.sh script working without the 'file' program installed (#7325)
- Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331)
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option
- Security: Fix CSRF bypass that could be used to log out an authenticated user (#7302)
RELEASE 1.4.3
-------------
- Enigma: Fix so key list selection is reset when opening key creation form (#7154)
- Enigma: Fix so using list checkbox selection does not load the key preview frame
- Enigma: Fix generation of key pairs for identities with IDN domains (#7181)
- Enigma: Display IDN domains of key users and identities in UTF8
- Enigma: Fix bug where "Send unencrypted" button didn't work in Elastic skin (#7205)
- Managesieve: Fix bug where it wasn't possible to save flag actions (#7188)
- Markasjunk: Fix bug where marking as spam/ham didn't work on moving messages with drag-and-drop (#7137)
- Elastic: Fix disappearing sidebar in mail compose after clicking Mail button
- Elastic: Fix incorrect aria-disabled attribute on Mail taskmenu button in mail compose
- Elastic: Fix bug where it was possible to switch editor mode when 'htmleditor' was in 'dont_override' (#7143)
- Elastic: Fix text selection in recipient inputs (#7129)
- Elastic: Fix missing Close button in "more recipients" dialog
- Elastic: Fix non-working folder subscription checkbox for newly added folders (#7174)
- Fix regression where "Open in new window" action didn't work (#7155)
- Fix PHP Warning: array_filter() expects parameter 1 to be array, null given in subscriptions_option plugin (#7165)
- Fix unexpected error message when mail refresh involves folder auto-unsubscribe (#6923)
- Fix recipient duplicates in print-view when the recipient list has been expanded (#7169)
- Fix bug where files in skins/ directory were listed on skins list (#7180)
- Fix bug where message parts with no Content-Disposition header and no name were not listed on attachments list (#7117)
- Fix display issues with mail subject that contains line-breaks (#7191)
- Fix invalid Content-Transfer-Encoding on multipart messages - Mail_Mime fix (#7170)
- Fix regression where using an absolute path to SQLite database file on Windows didn't work (#7196)
- Fix using unix:///path/to/socket.file in memcached driver (#7210)
Update ruby-mime-types-data to 3.2020.0425.
3.2020.04.25 / 2020-04-25
* Updated the IANA media registry entires as of release date.
* Added several RAW image types based on data from GNOME RAW
Thumbnailer. #33 fixing #32.
* Added audio/wav. #31.
* Added a type for Smarttech notebook files. #30.
* Added an alias for audio/m4a files. #29.
* Added application/x-ms-dos-executable. #28.
2020-04-24 Richard Russon <rich@flatcap.org>
* Bug Fixes
-Fix history corruption
-Handle pretty much anything in a URL query part
-Correctly parse escaped characters in header phrases
-Fix crash reading received header
-Fix sidebar indentation
-Avoid crashing on failure to parse an IMAP mailbox
-Maildir: handle deleted emails correctly
-Ensure OP_NULL is always first
* Translations
-100% Czech
* Build
-cirrus: enable pcre2, make pkgconf a special case
-Fix finding pcre2 w/o pkgconf
-build: tdb.h needs size_t, bring it in with stddef.h
Update postfix to 3.5.1.
3.5.0 (2020-03-16)
Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.
The main changes are below. See the RELEASE_NOTES file for further details.
* Support for the haproxy v2 protocol. The Postfix implementation
supports TCP over IPv4 and IPv6, as well as non-proxied
connections; the latter are typically used for heartbeat tests.
* Support to force-expire email messages. This introduces new
postsuper(1) command-line options to request expiration, and
additional information in mailq(1) or postqueue(1) output.
* The Postfix SMTP and LMTP client support a list of nexthop
destinations separated by comma or whitespace. These destinations
will be tried in the specified order. Examples:
/etc/postfix/main.cf:
relayhost = foo.example, bar.example
default_transport = smtp:foo.example, bar.example
Incompatible changes:
* Logging: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart
contains spaces or other special characters, the localpart will
be quoted, for example:
from=<"name with spaces"@example.com>
Specify "info_log_address_format = internal" for backwards compatibility.
* Postfix now normalizes IP addresses received with XCLIENT,
XFORWARD, or with the HaProxy protocol, for consistency with
direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match
subnets of an IPv6 address.
3.5.1 (2020-04-20)
Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:
* Bitrot workaround for broken builds after an incompatible change
in GCC 10.
* Bitrot workaround for broken DANE/DNSSEC support after an
incompatible change in GLIBC 2.31. This change avoids the need
for new options in /etc/resolv.conf.
Fix roundcube-plugin-password.
* Patch for roundcube-plugin-password had not been applied accidently.
* More changes were required to make it work on *BSD system.
Bump PKGREVISION.
By default, pkgsrc uses 'mv -f' as MV_COMMAND. exicyclog is not resilient
to this, and breaks as a result. This patch quotes the command names
that are substituted into this script.
Changelog:
What's New
new MailExtensions: Raw message source available to MailExtensions
Changes
changed MailExtensions: messages.update function extended to mark messages as junk or not junk
changed MailExtensions: browser.compose.begin functions no longer expand mailing lists
Fixes
fixed Various improvements to account setup when connecting to an Exchange server
fixed Thread collapsed when opening news message in a new window
fixed Addons not automatically updated to compatible version after upgrade from Thunderbird 60
fixed Updating addons did not prompt when requesting new permissions
fixed Extra recipients panel not keyboard-accessible
fixed Accessibility: Status bar was not detected by screenreaders
fixed MailExtensions: messages.query by folder name did not require accountsRead permission
fixed Calendar: Invitations with embedded null bytes did not always decode correctly
fixed Calendar: Cancelled events didn't show with a line-through
fixed Various security fixes
Security fixes:
#CVE-2020-6819: Use-after-free while running the nsDocShell destructor
#CVE-2020-6820: Use-after-free when handling a ReadableStream
#CVE-2020-6821: Uninitialized memory could be read when using the WebGL copyTexSubImage method
#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large images
#CVE-2020-6825: Memory safety bugs fixed in Thunderbird 68.7.0
Add missing curly brackets that caused res_ninit() to be called
with non-zeroed state structure. In NetBSD, res_ninit() detects
the mistake and quickly calls res_ndestroy(), which will close file
descriptors based on the random data provided in the state structure.
The result at mine is sendmail going mute after the MAIL FROM
command.
