Changes since version 6.3.6:
- Make the APOP challenge parser more distrustful and have it reject
challenges that do not conform to RFC-822 msg-id format, in the hope
to make mounting man-in-the-middle attacks (MITM) against APOP a bit
more difficult. (CVE-2007-1558)
- Fix pluralization of oversized-message warning mails.
- Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
"recommended:" in bold.
- Repoll immediately if a protocol error happens during the authentication
attempt after a failed opportunistic TLS upgrade.
- Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes
section.
- If SOCKS support was compiled in, add 'socks' to the feature_options
Python list emitted in --configdump.
- Do not crash with a null pointer dereference when opening the BSMTP file
fails. Improve error checking and reporting.
- Make BSMTP output actually work, it would persistently fail with SOCKET
error after writing the first header.
- Fix KPOP.
- Fix repoll when server disconnects after opportunistic TLS failed for
POP3.
The list of changes since version 6.2.5.5 is too large to mention here.
The new version provides a fix for the vulnerability reported in the
fetchmail-SA-2006-02.txt advisory.
Change homepage to http://fetchmail.berlios.de/ and update MASTER_SITES.
Changes introduced since 6.2.5:
fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.
The fetchmail 6.2.5.X branch will be discontinued early in 2006.
fetchmail-6.2.5.5 2005-12-19 Matthias Andree
* SECURITY FIX CVE-2005-4348: fix null pointer dereference in
multidrop mode when the message is empty. Reported by Daniel Drake
<http://article.gmane.org/gmane.mail.fetchmail.user/7573> and others
(Debian Bug #343836). Fix by Sunil Shetye.
* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
fails. Fix suggested by Goswin Brederlow.
* Add fetchmail-SA-2005-{01,02,03}.txt
fetchmail-6.2.5.4 2005-11-13 Matthias Andree
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
yacc or bison.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
the source directory), but prevent packaging from separated build, it
yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
fetchmail-6.2.5.3 2005-11-12 Matthias Andree
* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Build environment: Update included gettext. Fix
--with-included-gettext. Fix parallel build (make -j). Fix "always
rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).
fetchmail-6.2.5.2
(patch Fri Jul 22 01:52 GMT 2005,
tarball Sat Jul 23 21:34 GMT 2005)
* README: Added a note about release status - READ IT!
* Note: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX CVE-2005-2335: truncate UIDL replies, lest malicious or
compromised POP3 servers overflow fetchmail's stack. Debian bug
#212762. This is a remote root exploit.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
The added patches add a prefix "fm_" to lock related finctions, to avoid name
clash with darwin lock functions. Link with -lresolv under darwin.
(thanks scole_at_sdf.lonestar.org for the patches)
Bump PKGREVISION
For more details have a look at
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
Changes listed within the NEWS file since 6.2.5:
fetchmail-6.2.5.2 (Fri Jul 22 01:52 GMT 2005):
* NOTE: Due to a Makefile.in bug, you may need to use GNU make.
* SECURITY FIX: truncate UIDL replies, lest malicious or compromised
POP3 servers overflow fetchmail's stack. Debian bug #212762.
This is a remote root exploit. CVE Name: CAN-2005-2335.
Thanks: Miloslav Trmac for pointing out the fix in 6.2.5.1 was buggy.
Thanks: Ludwig Nussel for a much simpler fix.
* Critical fix: omit blank between MAIL FROM: and <user@example.org>,
as this causes mail loss with some listeners.
* Fix: POP2 driver wouldn't properly check authentication failure.
* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
for each package can be determined by invoking:
make show-var VARNAME=PKG_OPTIONS_VAR
The old options are still supported unless the variable named in
PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
Based on pr pkg/22650 by Adrian Portelli.
Changes since 6.2.3:
* Updated German, Spanish, Catalan, and Turkish translations.
* IDLE is now supported using no-ops even if the server doesn't support
the IMAP IDLE extension.
* Sunil Shetye's patch to do better password shrouding.
* Sunil Shetye's bug-fix rollup patch.
* Introduce a translation item for the word "seen".
* Back out the hack to deal with lack of byte stuffing on some POP3 servers.
* Thomas Steudten's patch to improve SMTP handling of 550 errors.
Changes since 6.2.2:
* German, Danish, Spanish, and Turkish translations updated.
* Brian Sammon's patch to deal with malformed message lines containiing NULs.
* Fai's patch to ignore all but the first Return-Path (some spams have
more than one of these).
* Benjamin Drieu's ptch to properly byte-stuff when talking to BSNTP.
Fixes Debian bug #184469.
* Benjamin Drieu's patch to enable auth=cram-md5.
Fixes Debian bug #185232.
* Sunil Shetye's configure.in patch to avoid spurious search order messages
from GCC.
* Header-reading code now copes better with lines ending in \n only.
* Elias Israel's patches for POP3 NTLM support and dealing with byte-
stuffing failures at socket level.
Changes since last version:
* Sunil Shetye's patch to improve behavior in empty messages.
* Conform to RFC2595; reissue capability probes after successful
STARTTLS negotiation.
* Sunil's patch to make handling of failed STARTTLS more graceful.
* Sunil's JF2 fix patch for .fetchmailrc security fix.
* Christophe GIAUME <christophe@giaume.com> finished the implementation
of RFC2177 IDLE.
* Jason Tishler's fix patch for Cygwin.
* Support ssh-style authentication in POP3
* Fix for Debian bug #108977, clean up config file evaluation,
by Benjamin Drieu.
* Updated German, Turkish, Spanish, and Danish translation files.
* Integrated Sunil Shetye's patch to make mark_seen an explicit method.
* Removed FAQ warning about GMX and associated fetchmailconf check,
we have a report that its servers are conformant now.
* Another Sunil patch to fix a minor bug in bouncemail generation.
Changes since version 6.1.2:
- Applied Steffen Esser's fix for a buffer-overflow bug in rfc822.c
- Updated Danish, German, and Turkish translation files.
- Sunil Sheye's SMTP timeout patch.
- Updated Turkish, Danish, German, Spanish, Catalan po files.
- Added Slovak support.
- Configure.in update for autoconf 2.5 (Art Haas).
- Be case-insensitive when looking for IMAP responses.
- Fix logout-after-idle-delivery bug (Sunil Shetye).
- Sunil Shetye's patch to bulletproof end-of-header detection.
- Sunil's fix for the STARTTLS problem -- repoll if TLS nabdshake
fails. The attenmpt to set up STARTTLS can be suppressed with 'sslproto ""'.
This is needed so fetchmail properly detects shark and cats as arm boxen.
Note it does mean that we now give warnings about missing, but there's no
glue in mk/bsd.pkg.mk to link the gnu-config/missing into a package.
Maybe there should be.
Tested on shark, cats and i386.
changes since 6.1.0:
fetchmail-6.1.2 (Thu Oct 31 11:41:02 EST 2002), 22135 lines:
* Jan Klaverstijn's verbosity-lowering patch.
* Updated Turkish, German, Catalan, and Danish translation files.
* Fix processing of POP3 messages with missing bodies.
* Minor fixes by Sunil Shetye: fix generation of auth fail note, handle
unexpected SIGALRM, plug memory leak, handle lines beginning with '\0',
try to bulletproof error handling against read failures.
fetchmail-6.1.1 (Fri Oct 18 14:53:51 EDT 2002), 22087 lines:
* OTP fix patches from Stanislav Brabec <utx@penguin.cz>
* fix patch for writing antispam capability correctly in conf.c.
* Fix patches for Debian bugs #162571, #156592.
* Correction to manpage re -b and qmail.
* Patch to disable use of STLS if auth passwd is specified.
* Fix specfile generation to handle SSL correctly.
* New Danish, Turkish, and Catalan translation files.
* Improved ODMR debug messages.
* IMAP efficiency hack; don't fetch sizes unless needed.
* Detect and rewrite invalid return paths beginning with @.
* Fix for subtle freeing bug that suppressed information in some bounce msgs.
* Newline fix patches for internationalization files.
* Fix reversed test guarding authentication-failure warnings.
* Fix POP3 breakage starting at 5.9.14.
Because of the recent vulnerability, it is strongly encouraged to update
(http://security.e-matters.de/advisories/032002.html).
Thanx to Alan Post <apost@interwoven.com> for giving me a note.
fetchmail-6.1.0 (Sun Sep 22 18:31:23 EDT 2002), 21999 lines:
* Updated French translation.
* Stefan Esser's fix for potential remote vulnerability in multidrop mode.
This is an important security fix!
fetchmail-6.0.0 (Tue Sep 17 19:48:25 EDT 2002), 21972 lines:
* Applied Matt Kraai's fix for minor Debian bug #144539.
* Nerijus Baliunas's patch to support STARTTLS over IMAP.
* More cleanups and minor bugfixes from Sunil Shetye.
* Default antispam-response list is now empty.
* Updated de and po translations,
fetchmail-5.9.14 (Fri Sep 6 05:03:25 EDT 2002), 21932 lines:
* Sunil Shetye's patch to eliminate multiple bounces.
* Moritz Jodeit <moritz@jodeit.org>'s patch for re-exec with no args.
* Sunil Shetye's patch to solve the re-exec problem with relative files.
* Cygwin portability patch (use ROOT_UID) from Jason Tishler.
* Workaround for the CAPA error problem is documented in the FAQ.
* Updated Polish, Danish, and Catalan translations.
* Sunil Shetye's patch to improve CAPA error handling.
* Sunil Shetye's patch to improve handling of unreadable boxes in POP3.
* Berkeley port fix for Kerberos IV.
