8.12.10/8.12.10 2003/09/24
SECURITY: Fix a buffer overflow in address parsing. Problem
detected by Michal Zalewski, patch from Todd C. Miller
of Courtesan Consulting.
Fix a potential buffer overflow in ruleset parsing. This problem
is not exploitable in the default sendmail configuration;
only if non-standard rulesets recipient (2), final (4), or
mailer-specific envelope recipients rulesets are used then
a problem may occur. Problem noted by Timo Sirainen.
Accept 0 (and 0/0) as valid input for set MaxMimeHeaderLength.
Problem noted by Thomas Schulz.
Add several checks to avoid (theoretical) buffer over/underflows.
Properly count message size when performing 7->8 or 8->7 bit MIME
conversions. Problem noted by Werner Wiethege.
Properly compute message priority based on size of entire message,
not just header. Problem noted by Axel Holscher.
Reset SevenBitInput to its configured value between SMTP
transactions for broken clients which do not properly
announce 8 bit data. Problem noted by Stefan Roehrich.
Set {addr_type} during queue runs when processing recipients.
Based on patch from Arne Jansen.
Better error handling in case of (very unlikely) queue-id conflicts.
Perform better error recovery for address parsing, e.g., when
encountering a comment that is too long. Problem noted by
Tanel Kokk, Union Bank of Estonia.
Add ':' to the allowed character list for bogus HELO/EHLO
checking. It is used for IPv6 domain literals. Patch from
Iwaizako Takahiro of FreeBit Co., Ltd.
Reset SASL connection context after a failed authentication attempt.
Based on patch from Rob Siemborski of CMU.
Check Berkeley DB compile time version against run time version
to make sure they match.
Do not attempt AAAA (IPv6) DNS lookups if IPv6 is not enabled
in the kernel.
When a milter adds recipients and one of them causes an error,
do not ignore the other recipients. Problem noted by
Bart Duchesne.
CONFIG: Use specified SMTP error code in mailertable entries which
lack a DSN, i.e., "error:### Text". Problem noted by
Craig Hunt.
CONFIG: Call Local_trust_auth with the correct argument. Patch
from Jerome Borsboom.
CONTRIB: Better handling of temporary filenames for doublebounce.pl
and expn.pl to avoid file overwrites, etc. Patches from
Richard A. Nelson of Debian and Paul Szabo.
MAIL.LOCAL: Fix obscure race condition that could lead to an
improper mailbox truncation if close() fails after the
mailbox is fsync()'ed and a new message is delivered
after the close() and before the truncate().
MAIL.LOCAL: If mail delivery fails, do not leave behind a
stale lockfile (which is ignored after the lock timeout).
Patch from Oleg Bulyzhin of Cronyx Plus LLC.
Portability:
Port for AIX 5.2. Thanks to Steve Hubert of University
of Washington for providing access to a computer
with AIX 5.2.
setreuid(2) works on OpenBSD 3.3. Patch from
Todd C. Miller of Courtesan Consulting.
Allow for custom definition of SMRSH_CMDDIR and SMRSH_PATH
on all operating systems. Patch from Robert Harker
of Harker Systems.
Use strerror(3) on Linux. If this causes a problem on
your Linux distribution, compile with
-DHASSTRERROR=0 and tell sendmail.org about it.
Added Files:
devtools/OS/AIX.5.2
update provided by Adrian Portelli in PR pkg/22836.
* A crash bug when deleting currently opened folder has been fixed.
* The performance issue of the address book has been fixed.
* The behavior of manual signature insertion has been reverted.
* A crash bug on startup when a font can't be loaded has been fixed.
* The format of MIME boundary has been modified again.
* Other minor bugfixes have been made.
ok'ed by chris@
Patch provided by Adrian Portelli <adrianp@stindustries.net> via PR
pkg/22753.
Changes:
============================================================================
2003/08/12 (2.6.8)
* Bug Fixes:
Bug ID Summary
------ ------------------------------------------------------------
4719 Spurious read_fmt_file call
------ ------------------------------------------------------------
<https://savannah.nongnu.org/bugs/?group=mhonarc>
============================================================================
2003/08/07 (2.6.7)
* Bug Fixes:
Bug ID Summary
------ ------------------------------------------------------------
4569 Problem with unfolding can mess up boundary processing in
multipart messages.
4594 Initial space on lines removed when using fancyquote.
------ ------------------------------------------------------------
<https://savannah.nongnu.org/bugs/?group=mhonarc>
* Added LANG resource to define locale. Affects resource filename
resolution and message subject and author sorting.
* readmail.pl updated to define the following special header field
keys passed to filter routines:
x-mha-content-type The media type of the entity extracted from
content-type entity header
x-mha-part-number The relative part number of the entity with
respect to parent entity. To get the
absolute part number, use
readmail::get_full_part_number($fields).
x-mha-parent-header Reference to parent header fields hash.
This, and other data structures, are now mentioned in the MIMEFILTERS
resource page.
* Text/richtext tag, <samepage>, is quietly dropped in mhtxtenrich.pl.
* Correct a potential DOS attack in the fud daemon.
* Arbitron now works again
* Telemetry logging for mupdate
* Duplicate Suppression logging for redirect sieve actions
* A number of bugs in reconstruct have been fixed. Also added the -p
and -x options
* Better stubbing out of user_deleteacl
* No longer log any shutdown() failures
* Improved IPv6 support (for systems with two getnameinfo
implementations)
* Misc Documentation Improvements
* Use ALL_TARGET appropriately instead of using a post-build target.
* Get rid of DEPTHFIRST* variables and do the "depth-first" listing by
using a reverse sort instead.
* Get rid of extra shell processes.
* Tabify.
now set to "pure_install" in perl5/module.mk, so we need to append the
additional target "inst_cfs" that is normally invoked by the "install"
target in ${WRKSRC}/Makefile.
- Fixed crash when processing subjects containing "[Fwd: ...]"
- Work around a problem with the Netscape Collabra NNTP server
implementation of the OVER command
- Try to correct for mail clients that wrongly use RFC 2047 instead
of RFC 2231 to encode their attachment filename parameters, which
confuses attachment saving and viewing of filenames of non-ASCII
character sets.
- Fixed potential security problems caused by maliciously-formed RFC
2231 attachment parameters
- Index lines displayed incorrectly for messages with empty subject
lines in threads
- Command-line argument -create_lu was broken in versions 4.55 and
4.56
- Delivery Status Notifications were broken when attempting to do
SMTP over TLS
- Pine hangs when adding an Extra Header in rules with BdyText line
at top of screen
- Possible crash if quell-content-id feature is on and a message
with more than one attachment is rejected by the SMTP server
- When an attached filetype was set by matching the extension, the
MIME charset wasn't being set
- predict-nntp-server didn't preserve flagged options for
nntp-server such as /ssl or /user
- PC-Pine disconnected mailbox icon stays yellow even after
reconnecting
- PC-Pine with the Microsoft SSL bug was crashing when doing bounce,
save, and full headers, which can now be prevented by setting the
quell-ssl-largeblocks feature
imap-2002e is a minor release, released concurrently with Pine 4.57, and
contains primarily bugfixes. Programs written for imap-2002d should build
with this version without modification.
The NNTP client code now tries to perform better with legacy NNTP servers
which do not comply with the current NNTP protocol specification draft, most
notably Netscape Collabra.
Delivery notifications now work reliably with SMTP servers that support it.
The following changes are primarily of concern to developers and power users:
There is a "limited advertise" option in env_unix.c which, if set, will only
advertise the user's own namespace and the #shared/ namespace.
It is now possible to build the IMAP toolkit with a separate SSL KEY file
from the certificate file (SSLKEYS vs. SSLCERTS).
A new BODY structure element, sparep, is available for the main program to
use as a pointer for its own purposes; as well as a SET_FREEBODYSPAREP
function, similar to SET_FREEENVELOPESPAREP, SET_FREEELTSPAREP, etc.
directories too, and having both will cause the directories to be created with
the wrong owner/mode.
Thanks to Marc Recht for giving me details on this.
- Emergency fix: When you were using 'discard', and it was the last verb
affecting a message, the mbox spool files in the scan directory were not
cleaned up. This is fixed now.
Changes:
* The size, the position, and the visibility of separated views are
now remembered.
* The per-folder settings are now preserved even if a folder tree is
rebuilt.
* The receive dialog's option to display the dialog only on manual
receiving has been added.
* 'Top' and 'Bottom' buttons have been added on the filter setting
dialog.
* The UIDPLUS extension of IMAP4rev1 has been supported.
* The folder system has been cleaned up a bit.
* The sylpheed.spec file bundled in the source package has been
improved.
* The format of MIME boundary has been modified.
* A memory leak and a buffer overrun have been fixed.
Please review ChangeLog.claws to see the changes between 0.9.2 to
0.9.4, mostly those are bugfixes.
* 0.9.2
* The bug that removed messages from server if "Don't receive" action is
specified by the filter rule has been fixed.
* The bug that caused abort when a button is double-clicked on some
dialogs has been fixed.
* A warning that was displayed when address book was empty has been fixed.
* 0.9.1
* The bug in handling folder names which include '+' in IMAP4 modified
UTF-7 conversion has been fixed.
* The parsing of message/rfc822 parts in multipart messages has been
fixed.
* Several bugs of auto signature replacement have been fixed.
* A bug that didn't hide user string in the Action dialog has been fixed.
* Socket I/O timeout interval is now configurable.
* 0.9.0
* The multi-process network I/O has been implemented for POP3 and SMTP.
* The Action feature has been improved.
* The automatic signature replacement on account change has been
implemented.
* Hyperlinks of HTML messages are now correctly handled.
* The separated message view now has a menubar.
* Original messages' headers are now included as the preset keywords
on automatic filter creation.
* The verbose error messages are now displayed on POP3 and SMTP.
* The lines of the log window are now restricted to reduce the memory
usage.
* The Shift_JIS locale has been supported.
* The internal MIME structure has been cleaned up.
* Address names which have special characters are now correctly quoted.
* Slovak message catalog has been added.
* The header corruption bug on reediting has been fixed.
* The bug of UTF-7 encoding conversion has been fixed.
* A workaround for unknown timezones has been made.
* A workaround for wrapping problem on UTF-8 locale has been made.
* More workarounds for crashes by illegal characters have been made.
* The crash bug in IMAP4 parser has been fixed.
* The crash bug of the composition window has been fixed.
* The colormap / visual problem on Solaris has been fixed.
* Other bugfixes have been made.
spamassassin. These patches remove all references to osirusoft from
the rules files (perhaps leaving some of the comments a tad stale),
but leaving information about them in the stats files.
This bumps us to 2.55nb2.
Based on pr pkg/22650 by Adrian Portelli.
Changes since 6.2.3:
* Updated German, Spanish, Catalan, and Turkish translations.
* IDLE is now supported using no-ops even if the server doesn't support
the IMAP IDLE extension.
* Sunil Shetye's patch to do better password shrouding.
* Sunil Shetye's bug-fix rollup patch.
* Introduce a translation item for the word "seen".
* Back out the hack to deal with lack of byte stuffing on some POP3 servers.
* Thomas Steudten's patch to improve SMTP handling of 550 errors.
Update exim-exiscan to 4.22-11nb1
Include exiqgrep in PLIST, and commit distinfo from previous exim-exiscan
change. Whole exim update was overly hurried due to security announcement.
11 - Fixed "permits" table in acl.c, so you can't "use"
exiscans conditions in the RCPT ACL any more. This
was causing a crash, now you get a proper warning.
- Fixed recursive unpacking when the MIME boundary of
the "parent" message contains spaces.
- Put in a fix for tnef.c that allows clean compile
on AIX. Thanks to David Kreindler
<david@govnet.state.vt.us>.
- Added some proper prototypes for some functions,
beautifying the compiler output with -Wall.
- Added exiscan patch version output to 'exim -bV'.
- Removed demime errors from the panic log.
Some highlights of changes since 4.2.3:
* PCRE updated to 4.3, GD to 2.0.15
* improved Apache2 support
* much improved stream & URL wrapper support, output compression support
* added CLI (Command Line Interface) SAPI
* debug_backtrace() backported from ZendEngine2
* faster build system
* huge number of other bug fixes and improvements
Packaging changes:
* 'pcre', 'xml', and 'session' modules folded back into main package -
'pcre' and 'xml' are required by PEAR, and 'session' is just too essential
to be separate
* 'gd' module now uses bundled PHP GD library, which is better integrated
* PHP modules use shared distinfo when possible to ease future PHP updates
* ${PREFIX}/bin/php is now CLI version, ${PREFIX}/libexec/cgi-big/php
remains CGI version
Changes include some improvements to the file detection mechanism,
interface to the f-prot virus scanner as well as quite a lot of bug
fixes. Note: the last pkgsrc version was from over 1.5 years ago.
USE_PKGINSTALL is "YES". bsd.pkg.install.mk will no longer automatically
pick up a INSTALL/DEINSTALL script in the package directory and assume that
you want it for the corresponding *_EXTRA_TMPL variable.
for a possessive (like her, his, whose, their, and its).
Note that I didn't check for proper use of "its" (when it should
be "it is" or "it has" instead).
I also saw over 15 other grammar or punctuation problems, but not
fixed in this commit.
Changes since last packaged version below.
Version 0.9.2 - 9 August 2003
-----------------------------
- Header includes additions, in order to build without warning/errors on
systems that do not conform to IEEE Std 1003.1-2001 (POSIX.1).
Version 0.9.1 - 8 August 2003
-----------------------------
- Bug fixes related to compilation warnings/errors caused by missing header
includes.
- Minor bug fix concerning an uninitialized variable.
Version 0.9 - 6 August 2003
---------------------------
- User authentication with the Challenge-Response Authentication Mechanism
(CRAM), specifically CRAM-MD5.
- Connection encryption using the IMAP STARTTLS extension.
- X509 certificate checking while establishing SSL/TLS connections.
- I18n support in the configuration file, along with the capability to specify
the character set of the search criteria.
- Date conversion specifiers in the name of the destination mailbox, based on
either the system's local time or the message's envelope "Date:" header.
- Default variable in the name of the destination mailbox, which expands to the
mailbox currently processed.
- In daemon mode, the SIGUSR1 signal wakes up the program from its sleep phase
and causes rereading of the configuration file.
Version 0.8.9 - 26 May 2003
---------------------------
- Fix of a bug which caused problems during the encryption/decryption of the
passwords file.
Version 0.8.8 - 25 May 2003
---------------------------
- Multiple bug fixes concerning the encrypted passwords editor, where in some
cases the passwords file was badly written and the program did not accept the
master passphrase.
Mew 3.3 release (2003/07/24)
Mew 3.3 release candidate 4 (2003/07/16)
* Set mew-icon-p to t on Emacs 21 when tool-bar is available.
KOSEKI Yoshinori <kose@yk.NetLaputa.ne.jp>
* Defining mew-highlight-x-face-function.
Tatsuya Kinoshita <tats@vega.ocn.ne.jp>
* Tuning up mew-summary-scan.
* mew-input-refile-folders sets inhibit-quit to nil to avoid
Emacs 21.3's bug.
* Security fix: stunnel now allows access from localhost only.
Koga Youichirou <y-koga@cq.jp.nec.com>
Mew 3.3 release candidate 3 (2003/06/23)
* Implementing mew-find-file-noselect2().
* Setting buffer-file-coding-system for Summary/Virtual mode
so that modeline displays "1".
* Loosen content-type check. ("Text" instead of "Text/")
Mew 3.3 release candidate 2 (2003/06/19)
* Security fix: Implementing mew-find-file-noselect to prevent
file-local variable attack.
* A bug fix for "mr" in Virtual mode.
* A bug fix for "mo".
Mew 3.3 release candidate 1 (2003/05/22)
* A bug fix for mew-smtp-queue again.
* A bug fix for handling Message-Id: in citation.
* Checking utf-translate-cjk-mode to set mew-internal-utf-8p.
* A bug fix for 7bit vs mew-convert-singlepart.
* The filename parameter for CDP:inline of CT: Message/.
* Moving the position of mew-make-message-hook so that ispell-message
works.
Changes since 3.2.1:
[mms] SECURITY: XSS vulnerabilities in the HTML viewer fixed (Ulf Harnhammar
<ulf@update.uu.se>).
[mms] SECURITY: If Horde 2.2.4 is available, additional code is used to
protect against session fixation issues.
[jan] Add Arabic (Syria) translation (Platinum Development Team
<devteam@platinum-sy.net>).
[jan] Add Arabic (Oman) translation (Said Al-Hosni <admin@wabhosting.com>).
[jan] Add Macedonian translation (Stojan Pesov <ssp@eureka.com.mk>).
[jon] Allow the spam reporting system to also use an external program.
[jan] Add IMP::rfc822WriteAddress() as a replacement for the buggy
imap_rfc822_write_address() function.
[jan] Add Thai translation (Surasak Srisawan <surasak@rirc.ac.th>).
[bjn] Add blacklist/whitelist hooks to Ingo.
[jan] Add Icelandic translation (Bjorn Davidsson <bjossi@snerpa.is>).
[mms] Correct display of filter rules with "special" HTML characters.
Changes to the Cyrus IMAP Server since 2.1.13
* Be more forgiving in the parsing of MIME boundary headers,
specifically those generated by Eudora where the outer boundaries are
substrings of the inner boundaries. This feature can be disabled by
enabling the rfc2046_strict option.
* Allow cyradm to handle aggregate mailbox sets for ACL and DELETE
operations.
* Add a lmtp_downcase_rcpt option to force the lowercasing of
recipient addresses (Henrique de Moraes Holschuh <hmh@debian.org>).
* Include more MIME headers in sieve rejection notices
* Add an mbexamine command for debugging purposes
* LMTP will now fatal error if we cannot initialize the duplicate
delivery database.
* Continued audit by Security Appraisers and Bynari
* Correctly terminate the processes by calling service_abort even on
successful exit (helps to fix a db3 lockers problem)
* Fix some murder+altnamespace/unixhiersep issues
* Fix imclient's handling of literals.
* Add support for the windows-1256 character set
* Don't log 'could not shut down filedescriptor' messages when the
socket is already not connected
* Now include a script to convert sieve script names to the
altnamespace format
* Added a --with-extraident configure option to make it easier to set
the extra version information that is compiled into the binary.
* Minor build fixes.
* Minor other bug fixes.
OK'ed by chris@
YoSucker is a simple portable Perl application, that simulates user
actions to retrieve mail from Yahoo Mail to a local inbox. It simply
connects to the Yahoo Mail web site, parses the HTML code and
fetches new messages.
safecat is an implementation of D. J. Bernstein's maildir algorithm.
It can be used to write mail messages to a qmail-style maildir, or to
write data to a "spool" directory reliably. There are no lockfiles with
safecat, and nothing is left to chance. If safecat returns a successful
exit status, then you can be (practically) 100% sure your data is
safely committed to disk. Further, if data is written to a directory
using safecat (or other implementations of the maildir algorithm),
then every file in that directory is guaranteed to be complete. If
safecat fails to write all of the data, there will be no file at all
in the destination directory.
This program allows the body of a message to be filtered through a
series of filters before being passed to the real qmail-queue program,
and injected into the qmail queue.
Suggested by Greg Troxel <gdt at ir dot bbn dot com> in private mail.
Changes summary since 3.5.6 below.
Noteworthy changes in Mailcrypt version 3.5.8:
* mc-remail.el updated to support modern remailers (as defined by MixMaster
version 2.9b33, on sourceforge). Closes most of SF#583330.
** the 'Subject:' header is now put in the ## section instead of the ::
section, so remailers should copy them into the final message.
** Use Anon-To: instead of Request-Remailing-To
* fixed mc-gpg.el to cache passphrases by keyid instead of name; this will
help users who have multiple secret keys with the same name but different
passphrases. Closes Debian #161691.
* less noteworthy changes:
** added copy of GPL, since mailcrypt is distributed separately from Emacs
** Added unit test for anonymous remailer support. Encrypting through a
basic remailer chain can now be verified, if you have python and
py-gnupg installed.
** docs: updated 'finger' addresses for remailer lists again, since they
keep moving
Noteworthy changes in Mailcrypt version 3.5.7:
* Integration with the Mew mail client: added hooks to use in Mew summary,
draft, and message buffers. Note that Mew handles PGP-MIME (RFC3156,
"multipart/encrypted") messages by itself; this is just for traditional
armored "in-line" encryption.
* Gnus updates, now usable in summary buffer
* Less noteworthy changes:
** Added a unit test framework. GnuPG decryption now has test coverage.
** GnuPG updates
** MH fix to handle latest versions of mh-e that use read-only message buffers
** Don't use hardwired /tmp directory, might fix some problems on NT.
Collection.
OfflineIMAP is a tool to simplify your e-mail reading.
It synchronizes remote IMAP folders and local Maildir folders. It is fast,
flexible, and safe. It is also useful if you want to use a mail reader that
does not have IMAP support, has poor IMAP support, or does not provide
disconnected operation.
=================
BOGOFILTER NEWS
=================
$Id: CHANGES-0.14,v 1.15 2003/08/03 00:47:28 relson Exp $
0.14.202 2003-08-02
* Replaced use of memcpy() by memmove() in an input routine. The
overlapping copy might cause data corruption on some systems.
* Fixed "make check" failures for bogoutil introduced with the
"combined wordlist" feature in 0.14.0. There has been a buffer
overflow. All users of bogofilter with combined wordlist prior to
0.14.2 are advised to upgrade.
* Fixed bogus "t.valgrind" test FAILures.
* Fixed uninitialized data in db_get_dbvalue(), for split word lists.
* New file, contrib/vm-bogofilter.el, provides an interface
between the VM mail reader and bogofilter.
* Revised lexer_v3.l for compatibility with flex-2.5.31
* Break up long line in regression test input for Solaris 2.5
compatibility.
0.14.1.1 2003-08-01
* Fixed check for adding spam_subject_tag to Subject: line.
* Updated French version of FAQ.
2003-07-31
* Correct problem with t.degen regression test.
0.14.1 2003-07-31
* Updated English version of FAQ.
2003-07-29
* Initial release of token degeneration code.
2003-07-25
* Revised lexer pattern to better recognize encoded tokens.
2003-07-24
* Implemented named exitcodes, with Unsure having its own
value (2) and changing the value for error from 2 to 3.
0.14.0.1 2003-07-23
* Fix problem with encoded text.
* Fix handling of absolute paths.
* Fix defect in base64 decoding that can cause segfaults.
* Bogoutil now complains before exiting when it can't open a
file.
* Updated bogominitrain.pl to work with combined wordlists.
0.14.0 2003-07-22
* Updated contrib/bogominitrain.pl prints more info and can save
messages used in training.
* Miscellaneous documentation updates.
2003-07-21
* Decode encoded text in header lines.
2003-07-19
* Bogofilter and bogoutil detect whether one or two wordlists
are in BOGOFILTER_DIR and use the appropriate wordlist mode
(combined or separate).
* Bogofilter's -V output now includes algorithm and database
info.
2003-07-18
* Default wordlist mode is single, combined wordlist.
File wordlist.db contains all spam and ham tokens.
2003-07-17
* Added tdb (trivial database) support.
2003-07-16
* Initial release of code allowing bogofilter to use a single,
combined BerkeleyDB database for storing both ham and spam
tokens. The file is named wordlist.db.
- Introduce EXIM_GROUP and EXIM_USER to tune the details of the group and
user used by the daemon.
- Honour PKG_SYSCONFDIR.
- Install sample files under the examples directory.
- Automatically install example files under sysconfdir using CONF_FILES.
This simplifies exim's set up from admin's point of view.
- Use RCD_SCRIPTS to handle the startup script.
As a result, bump PKGREVISION of exim and exim-user.
the mean time. Update to MHonarc 2.6.6, based on patch from adrian.portelli@stindustries.net:
============================================================================
2003/07/21 (2.6.6)
* Bug Fixes:
Bug ID Summary
------ ------------------------------------------------------------
4387 m2h_text_plain::filter maxwidth usage can lead to crash
with a certain kind of input
------ ------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.6&chunksz=50>
============================================================================
2003/07/19 (2.6.5)
* Bug Fixes:
Bug ID Summary
------ ------------------------------------------------------------
4126 Typo in mhopt.pl causes error message for big5
character set
4315 'allowcomments' directive to filter() is ignored
------ ------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.5&chunksz=50>
* An architecture independent RPM package is now provided for
installation. Because of this, the package name format has slightly
changed to be consistent with RPM, and other, package managers:
Old format New Format
------------- -------------
MHonArcX.X.X MHonArc-X.X.X
Installation document has been updated to reflect this change.
If you create third-party distribution bundles for MHonArc, you may
need to update your bundling process to take account of this change,
mainly because the directory created when extracting the tar or
zip bundles now include the hyphen.
============================================================================
2003/06/20 (2.6.4)
* Bug Fixes:
+ Official:
Bug ID Summary
------ ------------------------------------------------------------
3478 Quoted-Printable decoding should also work with
lowercase hex numbers
------ ------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.4&chunksz=50>
+ Unofficial:
- It appears that the UTF8 mapping table for cp1252,
MHonArc::UTF8::CP1252, had bad data. This has been
fixed.
* Management of character mapping tables has been changed. The
various .pm module tables are now auto-generated by ucm, and
similar, map files. For the end-user, the change should be
transparent. The change only affects how developers maintain
the tables, and the change should make it much easier to make
fixes to any mappings.
============================================================================
2003/04/05 (2.6.3)
* Bug Fixes:
Bug ID Summary
------ --------------------------------------------------------------
3020 Trailing \ in regex
3128 XSS Vulnerabilities
2971 spammode option interferes with iso-2022-jp
------ --------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.3&chunksz=50>
============================================================================
2003/03/11 (2.6.2)
* Bug Fixes:
Bug ID  Resolution  Fixed Release  Summary
------  ----------  -------------  ------------------------------------------
2738    Fixed       2.6.2          An illegal From: address can cause MHonArc
                                   to hang
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.2&chunksz=50>
============================================================================
2003/02/22 (2.6.1)
* Bug Fixes: See
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.1&chunksz=50>
* Corrected character mapping tables for VISCII based on a
message to the perl-unicode mailing list.
* Added FASTTEMPFILES resource which causes MHonArc to use
non-random temporary files. This is less secure, but provides
a little bit of speed improvement.
============================================================================
2003/02/10 (2.6.0)
* Bug Fixes: See
<http://savannah.gnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.0&chunksz=50>
* New resources:
DEFCHARSET Default character set of message text data.
CHARSETALIASES Define aliases for base charset names.
DBFILEPERMS File permissions for DBFILE.
FIELDSTORE Message header fields to store in database.
FILEPERMS File permissions for archive files.
ICONURLPREFIX URL string to prepend to ICONS URLs.
MODIFYBODYADDRESSES Apply ADDRESSMODIFYCODE to text message bodies.
RECONVERT Reconvert existing messages.
TENDBUTTON Button to last message in thread.
TENDBUTTONIA Inactive button to last message in thread.
TENDLINKIA Inactive link to last message in thread.
TENDLINK Link to last message in thread.
TEXTENCODE Encode message text to given character encoding.
TTOPBUTTON Button to first message in thread.
TTOPBUTTONIA Inactive button to first message in thread.
TTOPLINKIA Inactive link to first message in thread.
TTOPLINK Link to first message in thread.
* New resource variables:
$ICONURLPREFIX$ Value of ICONURLPREFIX resource.
$MSGHFIELD$ Retrieve header field value stored via
FIELDSTORE.
* MHonArc::CharEnt:
+ Several charset mappings added to MHonArc::CharEnt with the
default value for CHARSETCONVERTERS updated to reflect the new
mappings. New charset supported include UTF-8, various Cyrillic
sets, VISCII, Chinese sets, Japanese (iso-2022-jp and euc-jp),
Korean, Apple-based charsets, etc. See the documentation for
the CHARSETCONVERTERS and CHARSETALIASES for complete list of
character sets supported.
Note: Sets that have bidirectional rendering (Hebrew, Arabic)
exist, but automatic directional re-ordering for rendering is
currently not supported.
. Some existing mappings have been updated to use Unicode numeric
character entity references (&#xHHHH;) instead of standard SGML
character entity references (eg. &Aelig;). Most, if not all,
web browsers only support the set of SGML entity references
defined in the HTML 4.0 specification.
All existing tables should now generate entity references
recognized by all HTML 4.0 compliant browsers.
* MHonArc::UTF8:
. Module completely redone to support various versions of Perl.
utf8 support code added to all conversion to utf8 with perl
installations that do not have utf8 support, but to also
leverage perl installations with utf8-related modules.
* Default filter for iso-8859-1 and iso-2022-jp changed to
MHonArc::CharEnt::str2sgml. This helps keep MHonArc locale
neutral in its default configuration. Special note added
to release notes for Japanese users about the change.
* m2h_text_plain::filter (mhtxtplain.pl):
+ Added more robust handling of format=flowed data. By default,
all text is rendered in a monospaced font to provide visual
consistency between flowed and fixed text. Proportional spaced
font can be generated using the "nonfixed" option (where
"keepspace" option should also be used to help preserve the
formatting characteristics of the data).
+ Added "fancyquote" option to provide highlighting of quoted text
similar to text/plain;format=flowed data.
+ Added "disableflowed" option to disable the flowed data
conversion. Data will be converted as regular text/plain.
This option is useful for archives that cater to text-based
browsers.
+ Added "quoteclass=<classname>" option to specify a CSS classname
to assign to BLOCKQUOTE elements added when processing flowed
data or when "fancyquote" is active. This suppresses inline
style generation.
+ Added "subdir" option for use when "uudecode" is enabled.
- Reduced set of quote characters to just '>'. Other characters
are used by some people (eg. '}', '|', '+'), especially on the
USENET, but supporting them tends to produce undesirable
results, especially when using fancyquote.
(Maybe make it configurable?)
+ If uudecode and usename specified, check if file ends in
.s?html?, and if so, pass data to HTML filter.
. Make sure to return a non-empty string for an empty body
when in uudecode mode. Avoids bogus warning message that
data could not be converted.
* MIMEEXCS automatically handles unofficial version of a media type.
For example:
<MIMEEXCS>
text/html
</MIMEEXCS>
Will exclude text/html and text/x-html data.
* m2h_text_html::filter (mhtxthtml.pl):
+ CHARSETCONVERTERS is used for converting character data.
- Removed default=charset option. This option is no longer
needed with new character encoding processing features and
CHARSETALIASES resource.
+ Convert javascript:... URLs to "_javascript_:..." when scripting
is disabled (the default). This is an extra measure on top of
element and attribute stripping.
* <a href>'s are now preserved when only cid: URLs are enabled (the
default). This prevents regular hyperlinks in HTML messages from
getting stripped, which I think most people desire. Otherwise,
the allownoncidurls option must be used, and then this opens one
up to potential XSS attacks.
Due to the javascript: URL munging, preserving <a href>'s should
be safe from auto-XSS attacks. Readers should still be careful
about any links they activate.
+ Added "subdir" option to specify that MHTML referenced data
(e.g. images) are saved in a subdirectory.
+ Added "disablerelated" to disable cid: URL resolution.
. STYLE and CLASS attributes stripped if nofont argument specified.
* m2h_text_enriched::filter (mhtxtenrich.pl):
+ CHARSETCONVERTERS is used for converting character data.
+ <lang><param>lang</param> is now mapped to <dir lang="lang">.
+ Added handling of some text/richtext tags.
. Escape unrecognized tags.
* Archive file creation modified to minimize local symlink exploits:
1. A temp file with a random name is first created and written to.
2. Temp file is compressed if GZIPFILES is active.
3. Temp file is renamed to final filename.
4. File permissions are set according to FILEPERMS/DBFILEPERMS.
Using a random temp filename makes it difficult for someone to
predict filenames to execute a symlink exploit. The rename operation
is immune to symlink exploits, hence trying to use well-known names
(e.g. maillist.html, threads.html) for exploitation will not work.
A similar technique is used for directory creation for filters
that support the "subdir" option.
Generation of temp files is done via the File::Temp module, if
installed. If not installed, a homegrown implementation is used.
Although not as secure and robust as File::Temp, it's better than
nothing and should provide a decent deterrent.
* Setuid/setgid execution causes mhonarc to terminate with an error.
Mhonarc does not pass taint checks, so we abort with an error that
setuid/setgid execution is not supported. MHonArc is too insecure
for setuid operation and trying to make it setuid-safe would require
a lot of work and potentially limit a large amount of functionality.
* More robust parsing used for determining $FROMNAME$ and $FROMADDR*$
resource variables.
* rfc822.pl library removed and replaced with MHonArc::RFC822 module.
* Warning message, "Unable to process data..." removed from message
page when unable to convert any part of a message (usually due to
user-defined MIMEFILTERS settings). Instead, a warning message
is generated to standard error (like other mhonarc warnings) and
the resulting message page will have a blank message body.
* m2h_msg_extbody::filter: (mhmsgextbody.pl)
+ Added support for http/x-http access type. This appears to
be an experimental access type since the general URI type can be
used instead.
. Properly sanitize parameter data.
. Some minor cosmetic changes in the HTML generated.
* m2h_text_tsv::filter (mhtxttsv.pl):
. Sanitize field data.
* m2h_text_setext::filter (mhtxtsetext.pl) has been removed. It
appears this media-type is part of document history.
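
The archive file creation sequence described above (random temp file, rename to the final name, then permissions), as an added Perl example that is not MHonArc's own code. The function name write_archive_file, the $perms argument standing in for FILEPERMS, and the constructed paths are assumptions; it expects a POSIX system with File::Temp installed.

```perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Steps 1, 3 and 4 from the entry above; step 2 (GZIPFILES compression)
# is left out. $perms is a hypothetical stand-in for the FILEPERMS value.
sub write_archive_file {
    my ($final, $data, $perms) = @_;
    # 1. Random name in the destination directory, so the later rename stays
    #    on one filesystem. File::Temp opens with O_CREAT|O_EXCL: a file or
    #    symlink planted at the temp name makes the open fail, not follow.
    my ($fh, $tmp) = tempfile('.tmpXXXXXXXXXX', DIR => dirname($final), UNLINK => 0);
    my $ok = print {$fh} $data;
    $ok = close($fh) && $ok;
    # 3. rename() swaps the directory entry. A symlink planted at $final is
    #    replaced, never followed.
    $ok &&= rename($tmp, $final);
    unless ($ok) {
        my $err = $!;
        unlink $tmp;
        die "cannot write $final: $err\n";
    }
    # 4. Temp files start out mode 0600; widen to the configured mode now.
    chmod($perms, $final) or die "chmod $final: $!\n";
    return 1;
}

sub slurp { my ($p) = @_; open(my $in, '<', $p) or die "$p: $!\n"; local $/; return scalar <$in>; }
sub spew  { my ($p, $d) = @_; open(my $out, '>', $p) or die "$p: $!\n"; print {$out} $d; close($out) or die "$p: $!\n"; }

# Constructed scenario: a local user plants a symlink at a well-known
# archive filename, pointing at a file the archiver's account can write.
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim.txt";
my $final  = "$dir/maillist.html";
my $page   = "<html>index</html>\n";

spew($victim, "precious\n");
symlink($victim, $final) or die "symlink: $!\n";
spew($final, $page);                      # direct open of the well-known name follows the link
print "direct open: victim ", (slurp($victim) eq $page ? "overwritten" : "intact"), "\n";

spew($victim, "precious\n");              # restore; the planted symlink is still in place
write_archive_file($final, $page, 0644);  # temp file + rename
print "temp+rename: victim ", (slurp($victim) eq "precious\n" ? "intact" : "overwritten"),
      "; index is ", (-l $final ? "still a symlink" : "a regular file"), "\n";
```

The temp file is created in the same directory as the final name because rename() is only atomic within one filesystem.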
systems: if no /usr/include/des.h is present, symlink
${BUILDLINK_DIR}/include/openssl/des.h to ${BUILDLINK_DIR}/include/des.h,
so the code can always see the old interface as <des.h>.
* Remove "Feel free to send more messages" text from vacation messages.
* Disable gzip for Opera attachment download.
* Fixed config->prayer_user expansion.
* fatal() shouldn't dump core if root.
* Fixed abook_list boundary condition when current entry is last on page.
* Added message download link for Message/RFC822 sections.
* Fix session_server() ping interval logic.
* Other bug-fixes