Add conflict with mail/pine, beside editors/pico.
It makes sense to default to alpine now to provide both pico(1) and
pilot(1) since the original pine is unmaintained.
fix it by rewriting the filename with ascii characters, using code which
was present upstream at some point.
See patches/patch-modules_lib_Mail_MIMEDefang_MIME.pm for details.
Bump PKGREVISION
* add is_public_ip6_address to check if an ipv6 address
is local
* add md_authres method to generate a basic Authentication-Results
header for the message
* add md_arc_sign method to sign email messages
with DKIM ARC signatures
* add md_dkim_verify method to verify DKIM signatures
* add md_dkim_sign method to sign email messages
with DKIM signatures
* add anonymize_uri to remove utm_* parameters
from uris.
* split mimedefang.pl code in Perl modules
* add re_match_in_7zip_directory to check for files
inside 7zip archives
* fallback to plaintext when md_check_against_smtp_server
fails SSL connection for unknown reasons
* add experimental support to scan emails with Rspamd antispam
* Obtain the Queue-ID as early as possible in the SMTP
session. Requires the "-y" command-line option to mimedefang.
* mimedefang.pl: Add support for a configuration file
to separate data from code
* mimedefang.pl: Add support to scan messages for viruses on a remote
Clamav server using clamdscan client.
* mimedefang.pl: Add re_match_in_rar_directory function to match
unwanted file names extensions inside a rar archive file.
* mimedefang.pl: Added TLS support to md_check_against_smtp_server
* mimedefang-multiplexor: Make "workerinfo nnn" show how long ago
the last state change was for a given worker.
* mimedefang.pl: Do not add a Message-ID: header when handing a
message to SpamAssassin if the original message lacks such a
header.
* Add a new -V maxLifetime option to mimedefang-multiplexor that
terminates worker processes after maxLifetime seconds (approximately).
This is in addition to the -r maxRequests option.
* Log the lifetime and number of requests processed when we terminate
a worker process.
* Make mimedefang and mimedefang-multiplexor write their PID files
as root to avoid an unprivileged user tampering with the pidfiles.
Thanks to Michael Orlitzky for pointing this issue out.
* mimedefang.pl: Add an extra level of subdirectories in the quarantine
to avoid 32K subdirectory limit on ext3. Idea by Kevin McGrail.
* Add the --data-dump option to scripts/mimedefang-util
And various bug fixes and minor improvements.
pkgsrc changes: make the rc.d script use the new -o option and move the pid
files to $VARBASE/run/, keeping the lock and socket files in
$VARBASE/spool/MIMEdefang/
* Add kerberos and pam build options (enabled by default).
* Add inet6 and pthread build options (enabled by default if supported).
* Remove tcl support from options.mk until an install target for web alpine
files is implemented.
* Pull upstream patch providing additional compose subcommands.
* Bump revision.
## CHANGES (local)
* HOMEPAGE and MASTER_SITES updated.
* Pull additional upstream patches.
* Replace hard-coded paths.
* Fix default user mailbox location.
* Support rxvt builtin keycodes.
* Add patch for mail providers enforcing SNI (from OpenBSD).
* New build options: aspell, ldap, tcl (all disabled by default).
* The package now also installs:
- alpine's version of the pico editor.
- alpine's pilot file browser.
- the rpdump/rpload utilities to query remote alpine configurations.
- manpages for the programs mentioned above.
- documentation and other files useful for reference.
- a sample system-wide configuration file.
## CHANGES (upstream)
* Unix version of Alpine (not including OSX). Alpine is built with
password file support by default. If Alpine is built with SMIME
support and the password file does not exist, then Alpine will
create it by default and encrypt it.
* In the past Alpine did not recognize images embedded in an HTML
file, so now it does and a link to open them is given. Additionally,
Alpine did not pass these images to an external browser for display
using the external command, and now it will.
* Support for code_verifier and code_challenge when generating a
refresh token and access token in Gmail and Outlook using the S256
method and plain method.
* Change the redirect_uri scheme for Gmail, as Google is deprecating
the use of oob. Changed to http://localhost. Users are supposed to
enter the URL they see in their browser in place of the code.
* Some servers do not allow the Drafts folder to be removed, even when
it is empty. Alpine, however, assumes that if the folder exists, it
must contain a draft message. This joint collaboration with Thomas
Uhle modifies alpine to not attempt to continue a draft message
if the draft folder is empty.
* Contributions by Thomas Uhle:
- Add support to the LDAP attribute
"userCertificate";
- Move voiceMailTelephoneNumber from the TCL side
to ldap_translate;
- XOAUTH2 state generator changes format specifier
from %x to %02x;
- Web Alpine will not attempt to continue a postponed
message if the postponed-msgs folder is empty.
* Improvements to the screen that allows a user to select the
client-id when a user attempts to login to a server and more than
one client-id is available for that server. In this case additional
information is given: The method to use (device or authorize), a
user id that uses the suggested client-id or a report that the
client-id has not been used.
* To protect the privacy of a user, the message-id of a message will
be generated using the domain in the From field of the message.
* When saving to a folder in the unix format, Alpine parses the
destination folder to assign uids to all messages in the folder.
When the destination folder is large this could significantly slow
down alpine. Fix based on a patch submitted to the alpine-info list
by Chris Caputo.
* Add the LOGOUT command to the list of commands that can be
automatically interrupted in case the connection becomes unstable
during that command and Alpine times out its connection to the
server.
* If new mail has arrived when a user is closing a mailbox, Alpine
will also announce how many new messages have arrived. Suggested by
Chime Hart.
* When an invitation does not have a timezone in the date of the
event, but the date is in GMT, adjust the date to local time.
Bugs that have been addressed include:
* Crash when invoking Alpine from the command line and an attempt to
authorize alpine to use XOAUTH2 is done. Alpine crashes because of a
missing optional parameter -xoauth2-flow and because no screen has
been configured yet. Reported by Baron Fujimoto.
* Alpine crashes when it cannot retrieve the privacy policy due to
failure connecting to the external server.
* Alpine might delete all passwords from the password file if the
password file is not unlocked by cancellation, or the authentication
for an XOAUTH2 server is cancelled, or the password of an account is
changed.
* When the personal name of an address is encoded, and the personal
name is surrounded by quotes, these are not removed by Alpine at the
time to offer to take an address from a message to the addressbook.
Reported by David Prager Branner.
* If a user configures the sendmail-path variable, and does not use a
global smtp-server, then Alpine will use the sendmail-path even when
the user configured a smtp-server for a role. Reported by Gregory
Heytings.
* Crash in PC-Alpine when creating a mail collection and no username
is indicated in the server path. Reported by Sandy Schuman.
* Crash in Alpine when running a filter that moves deleted messages
the INBOX in a Gmail account. Reported by Jyrki Voutilainen.
* implement --nocache option
* new plugin: ikiwiki toot
* fix incorrect string stripping in README (Closes: GL#29)
* cleanups:
* add support for Python 3.10, no change
* remove the test compatibility shim from setup.py
* silence warnings from lxml missing type hints
* more uniform variable naming (underscores)
3.2023.0218 (2023-02-18)
* Updated the Apache and IANA media registry entries as of release date.
* Mohammed Gad added the jfif file extension for image/jpeg text format. #52
* Reworked the loading of IANA provisional media registries to merge them
into the top-level media-type registries instead of a standalone registry
file. #53 originally identified by Chris Salzberg in #50.
* It is worth noting that this is an imperfect solution as if a media type
is provisionally registered and withdrawn, it will linger in the registry
with no clean way of identifying them at the moment. See #54.
* This release also fixes ruby-mime-types#163, where logs show "Type
application/netcdf is already registered as a variant of
application/netcdf".
3.2023.0218.1 (2023-02-18)
* When this data library was created in 2015, I made the decision based on
information available to deprecate text/javascript in favour of
application/javascript. Since the previous update (2022-01-05), IANA has
officially deprecated application/javascript in favour of text/javascript.
Samuel Williams discovered this in #55 by noting that all js types were
marked obsolete in version 3.2023.0218.
* A hotfix has been applied to resolve this. However, note that
application/javascript will not be returned by default, only
text/javascript.
Pkgsrc changes:
* Checksum changes.
* Minor adjustment to patches.
Upstream changes:
102.8.0:
New:
- Added option to build RNP library with OpenSSL backend (use
"--with-librnp-backend=openssl" configure option)
Changes:
- Thunderbird now warns user that OpenPGP is disabled if RNP
library is outdated or missing
Fixes:
- "Get Messages" did not retrieve messages from Gmail accounts
using a local folder as a deferred inbox
- Various visual and UX improvements
Security fixes:
CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25729: Extensions could have opened external schemes without user knowledge
CVE-2023-25732: Out of bounds memory write from EncodeInputStream
CVE-2023-25734: Opening local .url files could cause unexpected network loads
CVE-2023-25742: Web Crypto ImportKey crashes tab
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
102.7.2:
Fixes:
- Various crash fixes
102.7.1:
Fixes:
- Microsoft Office 365 accounts were unable to authenticate
- Switching identities caused remote images in HTML signatures to
not be shown
- Thunderbird failed to import vCards that contained "\r\r\n" line endings
- Contribution button for add-ons opened Contribution page in a
Thunderbird tab, instead of the external browser
- XMPP did not respond to unrecognized IQ queries, causing some
servers to close the connection
- Window titlebar buttons (minimize/maximize/close) were not
displayed in Windows 10 "Dark" color mode
Security fixes:
CVE-2023-0430: Revocation status of S/Mime signature certificates was not checked
102.7.0:
New:
- Enterprise policies now support Thunderbird-specific preferences.
Fixes:
- Localized builds and langpacks now use "comm-l10n" repository;
downstream builds using official langpacks should not need to make
changes
- Having too many folders open at startup caused loss of MSF files
- Copying an email from one local folder to another local folder
sometimes caused "Another Operation is using the folder" error on
Windows 7
- Email address pill allowed for incorrectly formatted email addresses
- Creating security exceptions for messages sent using a self-signed
certificate failed if hostname contained uppercase letters
- S/MIME certificate verification was prohibitively slow
- OpenPGP key import failed for key blocks with comments that
contain Unicode characters
- Chat conversation sidebar was too wide under certain circumstances,
making scrollbar unusable
- On Mac, deleting events from Today Pane with "Backspace" key
deleted selected messages instead
Security fixes:
CVE-2022-46871: libusrsctp library out of date
CVE-2023-23598: Arbitrary file read from GTK drag and drop on Linux
CVE-2023-23599: Malicious command could be hidden in devtools output on Windows
CVE-2023-23601: URL being dragged from cross-origin iframe into same tab triggers navigation
CVE-2023-23602: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers
CVE-2022-46877: Fullscreen notification bypass
CVE-2023-23603: Calls to console.log allowed bypassing Content Security Policy via format directive
CVE-2023-23605: Memory safety bugs fixed in Thunderbird 102.7
Known issues:
- OAuth2 authentication not working for Microsoft 365 Enterprise
accounts. See the Blog post
(https://blog.thunderbird.net/2023/01/important-message-for-microsoft-office-365-enterprise-users/)
for additional information. Bug 1810760
6.9 (2023-02-10)
Differences between Mew 6.9 and Mew 6.8
* Mew now supports Emacs 26.1 or later only.
* Supporting coming Emacs 29.
* Supporting "stunnel" 5.15.
* Supporting native compilation.
* `mew-smtp-port` now supports Unix domain socket. If it is set to an
absolute pathname such as "/var/run/msp.sock", Mew will use it as a
Unix domain socket which supports SOCK_STREAM and understands SMTP.
The value of `mew-smtp-server` will be ignored. This feature requires
`make-network-process` introduced since Emacs 22.
* Some bug fixes.
This version does not build with newer versions of rust,
probably because rust has moved too far and this version
is too old. This is therefore a precursor to upgrading
the thunderbird package proper to a newer version.
1.6.1 (2022-01-23)
* Kill session if refreshing oauth token fails (#8734)
* Fix various PHP 8.1 warnings (#8628, #8644, #8667, #8656, #8647)
* Password: Remove references to %c variable that has been removed before
(#8633)
* Fix anchor links in HTML mail (#8632)
* Fix bug where config creation in Installer did ignore options in the form
(#8634)
* Fix bug where renamed options were removed from the config on installto.sh
(update.sh) run (#8643)
* Fix favicon rewrite rule in .htaccess (#8654)
* Fix various PHP 8.2 warnings
* Fix bug where it wasn't possible to create more than one response record
on SQLite and Postgres (#8664)
* Fix support for ManageSieve over implicit SSL (#8670)
* Fix bug where "about:blank" page could trigger "load error" (#8554)
* Fix bug where setting 'Clear Trash on Logout' to 'all messages' didn't
work (#8687)
* Fix bug where the attachment menu wouldn't disappear after an action is
selected (#8691)
* Fix bug where some dialogs in an eml attachment preview would not close on
mobile (#8627)
* Fix bug where multiline data:image URI's in emails were stripped from the
message on display (#8613)
* Fix fatal error on identity page if Enigma plugin is misconfigured (#8719)
* Fix so N property always exists in a vCard export (#8771)
* Fix authenticating to Courier IMAP with passwords containing a '~'
character (#8772)
* Fix handling of smtp/imap port options on configuration file update
(#8756)
* Fix bug where array values could not be saved in utils/save_pref action
(#8781)
* Add workaround for using Roundcube behind a reverse proxy with a subpath:
'request_path' option (#8738, #8770)
* Fix bug where "Invalid skin name" error was logged on preferences save if
there's only one skin (#8825)
* Fix SIGBUS raised in ImageMagick when more than one process tried to
generate a thumbnail of the same image attachment (#8511)
* Fix bug where updater does not update the vendor packages (#8642)
* Fix missing mail composing textarea on reply/draft with a long plain text
content (#8866)
Postfix 3.7.4 (2023-01-22)
* Workaround: with OpenSSL 3 and later always turn on
SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
opportunities for TLS session reuse. This is safe because the SMTP
protocol implements application-level framing, and is therefore not
affected by TLS truncation attacks. Fix by Viktor Dukhovni.
* Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
lazily-bound handles for digest implementations. In sufficiently
hostile configurations, Postfix could mistakenly believe that a digest
algorithm is available, and fail when it is not. A similar workaround
may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.
* Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally; it should
evaluate the argument only if there was no prior error. Found during
code review.
* Bugfix (bug introduced in Postfix 2.8): postscreen died with a
segmentation violation when postscreen_dnsbl_threshold < 1. It
should reject such input with a fatal error instead. Discovered by
Benny Pedersen.
* Bitrot: fixes for linker warnings from newer Darwin (MacOS)
versions. Viktor Dukhovni.
* Portability: Linux 6 support.
* Added missing documentation that cidr:, pcre: and regexp: tables
support inline specification only in Postfix 3.7 and later.
Upstream changes:
version 1.01: Fri 11 Feb 11:25:41 CET 2022
Fixes:
- Coercion from Mail::Address to Mail::Message::Full::Address is
too lazy. Mail::Message issue #4
Upstream changes:
1.24
Thu 15 Dec 2022 12:28:00 GMT released
- [145263] Make no reply to MTA from the abort callback.
Such replies seem to cause problems for Postfix.
Upstream changes:
version 2.24: Wed 28 Dec 13:06:23 CET 2022
Fixes:
- vnd.gentoo officially took 'tar' and 'tbz2', but 'application/
x-tar' resp 'x-gtar' prevails. [Andreas Koenig]
version 2.23: Thu 22 Dec 17:20:33 CET 2022
Changes:
- iana updates
Upstream changes:
2.218 2023-01-08 19:49:09-05:00 America/New_York
- update author contact info
- bump version required to v5.12.0 (it was already effectively that
after some upstream changes)
2.217 2020-11-02 19:13:16-05:00 America/New_York (TRIAL RELEASE)
- add ->header_rename to header object
- issue a warning on non-ASCII codepoints added to message (thanks,
Pali Rohar)
Upstream changes:
1.953 2023-01-08 19:02:24-05:00 America/New_York
- as promised, this release no longer works on v5.8; in fact, due to
some upstream libraries, it hasn't in some time
- documentation has been cleaned up to stop referencing long-dead other
libraries or methods
- some small code changes to benefit from v5.10 and v5.12 improvements
Upstream changes:
1.008 2023-01-13 21:44:14-05:00 America/New_York
- use the version of Time::Local that doesn't guess at whether a year
is 99 or 1999
- skip tests on Win32 that never pass
- modernize just a bit of code
1.007 2022-12-31 21:19:59-05:00 America/New_York
- update author info
Upstream changes:
1.913 2023-01-09 19:41:25-05:00 America/New_York
- as ever, you should probably use Email::Address::XS instead
- this version now requires Perl v5.12
- some small tweaks to the code to take advantage of v5.12 made
- update distribution metadata
3.1.0
* Switch to libidn2.
* Debian/Ubuntu: update lintian overrides
3.0.9
* Adjust deb packaging. Check /etc/lsb-release and include the
distribution release in the deb package version, to facilitate
updating to the same version of the package in an updated release.
Fix build dependencies.
* Update deliverquota man page.
3.0.8
* gcc 12 and autotools update. OpenSSL 3.0 update.
* Add scripts to create installable .deb packages, update
documentation.
3.0.7
* configure.ac: Fix configure check for pcre2
3.0.6
* Fix linking failure on some Linux distributions.
3.0.5
* Fix linking failure on some Linux distributions.
3.0.4
* maildrop: update to pcre2
* Minor code tweaks, make it compileable with -Wall -Werror.
3.0.3
* Add maildirwatch helper tool.
* Fully install the maildirwatch tool, its man page, as well as the
maildirkw man page and tool, which should be packaged with maildrop
too.
3.0.2
* spec file: add BuildRequires: %{__make} (will be required in F34).
3.0.1
* courier-authlib API update.
Rails 7.0.4.2 (2023-01-24)
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain (like `.ca`, rather than `.co.uk`).
Rails 6.1.7.2 (2023-01-24)
www/ruby-actionpack61
* Fix `domain: :all` for two letter TLD
This fixes a compatibility issue introduced in our previous security
release when using `domain: :all` with a two letter but single level top
level domain (like `.ca`, rather than `.co.uk`).
On 2023-01-04, fetchmail 6.4.35 has been released. It updates translations and
bumps SSL/TLS library version requirements.
OpenSSL 1.1.1s and 3.0.7 and wolfSSL 5.5.1 (or newer on the respective
compatible branches - note that OpenSSL 1.1.1q and 3.0.6 were withdrawn) remain
supported.