This is an important bug fix release, addressing CVE-2020-28896. Mutt had
incorrect error handling when initially connecting to an IMAP server, which
could result in an attempt to authenticate without enabling TLS.
2020-11-20 Richard Russon <rich@flatcap.org>
* Security
- imap: close connection on all failures
* Features
- alias: add <limit> function to Alias/Query dialogs
- config: add validators for {imap,smtp,pop}_authenticators
- config: warn when signature file is missing or not readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
* Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix <sidebar-{next,prev}-new>
- notmuch: fix <entire-thread> query for current email
- restore shutdown-hook functionality
- crash in reply-to
- user-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
* Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
* Docs
- Document that $sort_alias affects the query menu
* Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
* Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
* Upstream
- Add $count_alternatives to count attachments inside alternatives
* Fix build with lang/rust-1.47.0.
Changelog:
78.5.0
What's New
OpenPGP: Added option to disable attaching the public key to a signed message
MailExtensions: "compose_attachments" context added to Menus API
MailExtensions: Menus API now available on displayed messages
Changes
MailExtensions: browser.tabs.create will now wait for "mail-delayed-startup-finished" event
Fixes
OpenPGP: Support for inline PGP messages improved
OpenPGP: Message security dialog showed unverified keys as unavailable
Chat: New chat contact menu item did not function
Various theme and usability improvements
Various security fixes
#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
#CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls
#CVE-2020-26953: Fullscreen could be enabled without displaying the security UI
#CVE-2020-26956: XSS through paste (manual and clipboard API)
#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions
#CVE-2020-26959: Use-after-free in WebRequestService
#CVE-2020-26960: Potential use-after-free in uses of nsTArray
#CVE-2020-15999: Heap buffer overflow in freetype
#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
#CVE-2020-26965: Software keyboards may have remembered typed passwords
#CVE-2020-26966: Single-word search queries were also broadcast to local network
#CVE-2020-26968: Memory safety bugs fixed in Thunderbird 78.5
78.4.3
Fixes
User interface was inconsistent when switching from the default theme to the dark theme and back to the default theme
Email subject would disappear when hovering over it with the mouse when using Windows 7 Classic theme
78.4.2
Fixes
Security fix
#CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for
78.4.1
What's New
Thunderbird prompts for an address to use when starting an email from an address book entry with multiple addresses
Fixes
Searching global search results did not work
Link location was not focused by default when adding a hyperlink in message composer
Advanced address book search dialog was unusable
Encrypted draft reply emails lost "Re:" prefix
Replying to a newsgroup message did not open the compose window
Unable to delete multiple newsgroup messages
Appmenu displayed visual glitches
Visual glitches when selecting multiple messages in the message pane and using Ctrl+click
Switching between dark and light mode could lead to unreadable text on macOS
78.4.0
What's New
MailExtensions: browser.tabs.sendMessage API added
MailExtensions: messageDisplayScripts API added
Changes
Yahoo and AOL mail users using password authentication will be migrated to OAuth2
MailExtensions: messageDisplay APIs extended to support multiple selected messages
MailExtensions: compose.begin functions now support creating a message with attachments
Fixes
Thunderbird could freeze when updating global search index
Multiple issues with handling of self-signed SSL certificates addressed
Recipient address fields in compose window could expand to fill all available space
Inserting emoji characters in message compose window caused unexpected behavior
Button to restore default folder icon color was not keyboard accessible
Various keyboard navigation fixes
Various color-related theme fixes
MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
Various security fixes
Security fixes:
#CVE-2020-15969: Use-after-free in usersctp
#CVE-2020-15683: Memory safety bugs fixed in Thunderbird 78.4
78.3.3
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP message status icons were not visible in message header pane
OpenPGP Key Manager was missing from Tools menu on macOS
Creating a new calendar event did not require an event title
78.3.2
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixed
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
This release fixes a compilation issue on a few platforms, and clarifies the
pattern completion function in the UPDATING file. No other changes were made.
Changelog:
What's new in notmuch 0.31.2
=========================
Build
-----
Catch one more occurence of "version" in the build system, which
caused the file to be regenerated in the release tarball.
What's new in notmuch 0.31.1
=========================
Library
-------
Fix a memory initialization bug in notmuch_database_get_config_list.
Build
-----
Rename file 'version' to 'version.txt'. The old file name conflicted
with a C++ header for some compilers.
Replace use of coreutils `realpath` in configure.
Change since version 1.14.7:
+ Domain-literal support for email addresses, e.g user@[IPv6:fcXX:...]
! Buffy completion only occurs for the "change-folder" set of functions.
It has been disabled for <attach-message>, <write-fcc>, the fcc
mailbox prompt, and the autocrypt scan mailbox prompt.
! The "save/copy message to mailbox" set of functions use the "mailbox"
history list, instead of the "filename" list.
! Message-ID extraction permits values missing angle brackets and '@'
to allow properly threading the garbage sent by some providers.
Mutt will add missing angle brackets when sending out replies, however.
! When adding multiple attachments, via <attach-file> in the compose menu,
the browser menu can be exiting via <quit> after tagging the files.
Previously, <select-entry> had to be used.
! ctrl-p/ctrl-n are by default bound to <history-up>/<history-down> in the
editor menu.
+ The "cd" command allows changing the current working directory.
As part of this, Mutt expands relative paths internally. There
may be a change to some "prettified" relative paths because of this.
! Some configuration variable default values are localizable by
translators. Currently these are: $attribution, $compose_format,
$forward_attribution_intro, $forward_attribution_trailer, $status_format,
$ts_icon_format, $ts_status_format.
+ Mutt will try to automatically reconnect to an IMAP mailbox on error,
and will merge unsync'ed changes if possible.
! $crypt_protected_headers_subject defaults to "...", following the
protected headers revised specification.
! Date, From, To, Cc, and Reply-To headers are stored as protected headers.
+ XOAUTH2 support. Please see the manual, contrib script mutt_oauth2.py,
and mutt_oauth.py.README for more details.
+ $tunnel_is_secure, default set, assumes a connection via $tunnel is
encrypted. Unsetting this will cause $ssl_starttls and $ssl_force_tls
to be respected.
+ Patterns are tab-completable in the editor menu.
! $reply_to is consulted before $reply_self.
+ $copy_decode_weed, default unset, controls header weeding for <decode-copy>
and <decode-save>.
+ $pipe_decode_weed, default set, enables header weeding for <pipe-message>.
+ $print_decode_weed, default set, enables header weeding for <print-message>.
! format=flowed attachments are space-unstuffed when viewed, saved,
piped, and printed.
+ The "run" command will execute MuttLisp. $muttlisp_inline_eval, if set, will
execute unquoted parenthesized command arguments as MuttLisp. Please see
the manual for more details about both.
+ $cursor_overlay, when set, will overlay the indicator, tree,
sidebar_highlight, and sidebar_indicator colors onto the current line.
"default" colors will be overridden and attributes will be merged.
! The message-id generation algorithm uses a random number instead of
the step counter and PID.
! $ssl_force_tls defaults set. (Trying this again for 2.0).
! $hostname is set *after* muttrc processing. It can be manually set
in the muttrc to avoid using DNS calls to obtain the FQDN.
+ $attach_save_dir specifies a directory to use when saving attachments.
CurveCP support.
qmail-qremote resolves IP addresses for SMTP server and then calls
either tcpclient or qmail-curvecpclient for TCP or CurveCP connections,
respectively. Once the connection is established, qmail-rsmtp executes
to send mail via SMTP.
IMAPClient is an easy-to-use, Pythonic and complete IMAP client library
on top of the standard library.
- Arguments and return values are natural Python types.
- IMAP server responses are fully parsed and readily usable.
- IMAP unique message IDs (UIDs) are handled transparently.
- Internationalised mailbox names are transparently handled.
- Time zones are correctly handled.
- Convenience methods are provided for commonly used functionality.
- Exceptions are raised when errors occur.
nopop3d is not a POP3 server. It can be useful as part of a simple
authentication service that happens to be implemented as POP3.
nopop3d consists of qmail-pop3d with several POP3 verbs and all the file
access removed.
Update Ruby on Rails 6.0 related packages to 6.0.3.4.
This is security fix for ruby-actionpack60.
## Rails 6.0.3.4 (October 07, 2020) ##
* [CVE-2020-8264] Prevent XSS in Actionable Exceptions
## 1.0 (2020-09-12)
* Caution! Backwards incompatible changes:
* As a message name, `-` now refers to the message on the standard input,
and not the the previous message anymore. Use `.-` to refer to
the previous message in a short way.
The tools will print a warning if you use `-` and the standard input
comes from a TTY.
* mpick: use the -F flag to read script files.
* mpick: remove msglist support, use plain mmsg(7) arguments.
* Many mblaze tools now make use of pledge(2) on OpenBSD.
* add contrib/mcount, a tool to count mails
* mrep: use Reply-From configuration to find From header
* Many bug fixes.
## 0.7 (2020-05-15)
* All tools now follow symlinks to mails.
* mdirs: add -a to list all subfolders, ignoring Maildir++ convention.
* mcom: add preview alias for show command.
* mrep/mbnc: allow only one message as argument.
* maddr: add -d to only print display name.
* mthread: add -r to reverse top-level order.
* mlist: print number of matches when message selection is in place.
* mpick: many improvements.
* Many bug fixes.
Notable bugs fixed:
- Last release introduced a bug where Date: headers were localized,
which is against RFC. Further, that localization then broke character
rendering in some locales. A new fix for the original issue (#17) was
put in place, which no longer localizes the Date: header and fixes the
newly introduced rendering issue (#25)
- Last release introduced a bug which prevented –protect-prompt from
working. This is now fixed (#26)
New features:
- Added .netrc support
- Added –tls-sni option
- Swaks is now available on CPAN as App::swaks
- Swaks will now print errors if deprecated functionality is used
Notable changes:
- Automatic file detection is deprecated. Previously, if an argument
to –data, –body, –attach-body, and –attach resolved to an
openable file, the contents of that file would be used as the actual
argument. Now the proper way to do this is to place '@' in front
of the argument to state explicitly that the argument contents are
in a file.
- If any of the –xclient-* family of options (–xclient-name,
–xclient-addr, etc) is provided more than once, only the last option
provided will be used. See –xclient option if you need to simulate
the previous behavior
- -g option is now deprecated
- Time::Local is no longer used and POSIX is now listed as a
required module
Notable bugs fixed:
- Fix for subtle issue related to environment variable options. Affected
error handling for options which required args.
- Fix issue preventing XCLIENT and STARTTLS from working together
properly (#21)
- Fix issue which could cause generated date header to oscillate on the
day of DST transition (#17, deb bug 955798)
Changelog:
Changes
Thunderbird will no longer automatically install updates when Preferences tab is opened
Fixes
OpenPGP: Improved support for encrypting with subkeys
OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
Single-click deletion of recipient pills with middle mouse button restored
Searching an address book list did not display results
Windows installer was unreadable with Windows in high contrast mode
Dark mode, high contrast, and Windows theming fixes
API changes:
* refactoring into a somewhat MVC model: split large feeds.py into
model.py and controller.py
* rename FeedCacheStorage to FeedItemCacheStorage
* factor out getter/setters in the base sqlite class
* remove conn member in sqlite to force use of context manager
* move session and fetching to the feed manager
* rename feeds to feed_manager in main
* allow absolute path in folder setting (Closes: #14)
New features:
* caching: latest feed contents get cached to avoid re-downloading
unchanged feeds. this includes parsing HTTP headers and so on, and
relies on the good behavior of the `cachecontrol` Python module
* Python 3.6-3.8 support
Bugfixes:
* recover from feedparser exceptions (Closes: #964597)
[ Roland Hieber ]
* README: don't let the example config create a folder named '~/Mailbox/'
[ Ian Zimmerman ]
* add --quiet option to silence warnings since --loglevel was broken
Update roundcube package to 1.4.9.
Roundcube Webmail 1.4.9 (2020-09-27)
This is a service update to the stable version 1.4 of Roundcube Webmail.
It contains fixes and general improvements from our issue tracker, mainly
related to email composition and UI oddities in Elastic skin and with the
TinyMCE richtext editor. See the full changelog below.
This version is considered stable and we recommend to update all productive
installations of Roundcube with it.
Please do backup your data before updating!
CHANGELOG
* Fix HTML editor in latest Chrome 85.0.4183.102, update to TinyMCE 4.9.11
(#7615)
* Add missing localization for some label/legend elements in userinfo plugin
(#7478)
* Fix importing birthday dates from Gmail vCards (BDAY:YYYYMMDD)
* Fix restoring Cc/Bcc fields from local storage (#7554)
* Fix jstz.min.js installation, bump version to 1.0.7
* Fix incorrect PDO::lastInsertId() use in sqlsrv driver (#7564)
* Fix link to closure compiler in bin/jsshrink.sh script (#7567)
* Fix bug where some parts of a message could have been missing in a
reply/forward body (#7568)
* Fix empty space on mail printouts in Chrome (#7604)
* Fix empty output from HTML5 parser when content contains XML tag (#7624)
* Fix scroll jump on key press in plain text mode of the HTML editor (#7622)
* Fix so autocompletion list does not hide on scroll inside it (#7592)
upstream changes:
-----------------
2.6: 30 Sep 2020
* [Conf] Add missing symbols
* [Conf] Add missing symbols
* [Conf] Fix fat-fingers typo
* [Conf] Fix wrong comment in options.inc
* [Conf] Neural: Fix the default name for max_trains
* [Conf] Register a known symbol
* [Conf] Spf: Add R_SPF_PERMFAIL symbol
* [CritFix] Arc: Fix ARC validation for chains of signatures
* [CritFix] Distinguish socketpairs between different fuzzy workers
* [CritFix] Fix IDNA dots parsing
* [CritFix] Fix test assertion method
* [CritFix] Fix usage of crypto_sign it should be crypto_sign_detached!
* [Feature] Add BOUNCE rule
* [Feature] Add controller plugins support and selectors plugin
* [Feature] Add maps query method
* [Feature] Add minimal delay to fuzzy storage
* [Feature] Add multiple base32 alphabets for decoding
* [Feature] Add preliminary support of BCH addresses
* [Feature] Add query_specific endpoint
* [Feature] Allow multiple base32 encodings in Lua API
* [Feature] Allow to specify nonces manually
* [Feature] Controller: Allow to pass query arguments to the lua webui plugins
* [Feature] Fuzzy_check: Add gen_hashes command
* [Feature] Fuzzy_check: Add weight_threshold option for fuzzy rules
* [Feature] Implement address retry on connection failure
* [Feature] Improve limits in pdf scanning
* [Feature] Initial support of subscribe command in lua_redis
* [Feature] Lua_cryptobox: Add secretbox API
* [Feature] Lua_text: Add encoding methods
* [Feature] Milter_headers: Allow to activate routines via users settings
* [Feature] PDF: Add timeouts for expensive operations
* [Feature] Preliminary maps addon for controller
* [Feature] Split pdf processing object and output object to allow GC
* [Feature] Support BLIS blas library
* [Feature] Support input vectorisation by recvmmsg call
* [Feature] Support multiple base32 alphabets
* [Feature] add queueid, uid, messageid and specific symbols to selectors [Minor] use only selectors to fill vars in force_actions message
* [Feature] allow variables in force_actions messages
* [Feature] extend lua api
* [Fix] #3249
* [Fix] Allow to adjust neurons in the hidden layer
* [Fix] Another try to fix email names parsing
* [Fix] Arc: Allow to reuse authentication results when doing multi-stage signing
* [Fix] Arc: Fix bug with arc chains verification where i>1
* [Fix] Arc: Sort headers by their i= value
* [Fix] Change neural plugin's loss function
* [Fix] Deal with double eqsigns when decoding headers
* [Fix] Default ANN names in clickhouse
* [Fix] Disable reuseport for TCP sockets as it causes too many troubles
* [Fix] Disable text detection heuristics for encrypted parts
* [Fix] Distinguish DKIM keys by md5
* [Fix] Distinguish type from flags in register_symbol
* [Fix] Dmarc: Unbreak reporting after cf2ae3292ac93da8b6e0624b48a62828a51803c9
* [Fix] Do not flag pre-result of virus scanners as least if action is reject
* [Fix] Do not use GC64 workaround on 32bit platforms, omg
* [Fix] Exclude damaged urls from html parser
* [Fix] Fix FREEMAIL_REPLYTO_NEQ_FROM_DOM
* [Fix] Fix FROM_NEQ_ENVFROM
* [Fix] Fix FWD_GOOGLE rule (#1815)
* [Fix] Fix adding of the empty archive file for gzip
* [Fix] Fix aliases in forged recipients and limit number of iterations
* [Fix] Fix authentication results insertion
* [Fix] Fix calling of methods in selectors
* [Fix] Fix clen length for hiredis...
* [Fix] Fix endless loop if broken arc chain has been found
* [Fix] Fix false - operation
* [Fix] Fix get_urls table invocation
* [Fix] Fix group based composites
* [Fix] Fix headers passing in rspamd_proxy
* [Fix] Fix incomplete utf8 sequences handling
* [Fix] Fix lua_next invocation
* [Fix] Fix lua_parse_symbol_type function logic
* [Fix] Fix multiple listen configuration
* [Fix] Fix occasional encryption of the cached data
* [Fix] Fix parsing boundaries with spaces
* [Fix] Fix passing of methods arguments
* [Fix] Fix poor man allocator algorithm
* [Fix] Fix regexp selector and add flattening
* [Fix] Fix rfc base32 encode ordering (skip inverse bits)
* [Fix] Fix rfc based base32 decoding
* [Fix] Fix sockets leak in the client
* [Fix] Fix storing of the original smtp from
* [Fix] Fix types check and types usage in lua_cryptobox
* [Fix] Fix unused results
* [Fix] Fuzzy_check: Disable shingles for short texts (really)
* [Fix] Ical: Fix identation grammar
* [Fix] Improve part:is_attachment logic
* [Fix] Mmap return value must be checked versus MAP_FAILED
* [Fix] One more fix to skip images that are not urls
* [Fix] Pdf: Support some weird objects with no newline before endobj
* [Fix] Rbl: Fix ignore_defaults in conjunction with ignore_whitelists
* [Fix] Restore support for `for` and `id` parts in received headers
* [Fix] Segmentation fault in contrib/lua-lpeg/lpvm.c on ppc64el
* [Fix] Skip spaces at the boundary end
* [Fix] Slashing fix: fix captures matching API
* [Fix] Spamassassin: Rework metas processing
* [Fix] Store reference of upstream list in upstreams objects
* [Fix] Understand utf8 in content-disposition parser
* [Fix] Unify selectors digest functions
* [Fix] Use `abs` value when checking composites
* [Fix] Use strict IDNA for utf8 DNS names + add sanity checks for DNS names
* [Fix] Use unsigned char and better support of utf8 in ragel parser
* [Fix] add missing selector_cache declaration
* [Project] Add `L` flag for regexps to save start of the match in Hyperscan
* [Project] Add `lower` method to lua_text
* [Project] Add a simple matrix Lua library
* [Project] Add implicit bitcoincash prefix
* [Project] Add linalg ffi library for prototyping
* [Project] Add methods to append data to fuzzy requests
* [Project] Add routine to call a generic lua function
* [Project] Add ssyev method interface
* [Project] Add tensors index method
* [Project] Add text:sub method
* [Project] Allow rspamd_text based selectors
* [Project] Allow to specify re_conditions for regular expressions
* [Project] Attach extensions to the binary fuzzy commands
* [Project] Bitcoin: BTC cash addresses needs some checksum validation
* [Project] Cleanup the redis script
* [Project] Convert bitcoin rules to the new regexp conditions feature
* [Project] Detect memrchr in systems that supports it
* [Project] Do not listen sockets in the main process
* [Project] Implement 'probabilistic' learn mode for ANN
* [Project] Implement BTC polymod in C as it requires 64 bit ops
* [Project] Implement bitcoin cash validation in a proper way
* [Project] Implement extensions logic for fuzzy storage
* [Project] Implement symbols insertion in multiple results mode
* [Project] Lua_text: Add method memchr
* [Project] Neural: Add PCA loading logic
* [Project] Neural: Fix PCA based learning
* [Project] Neural: Fix matrix gemm
* [Project] Neural: Further PCA fixes
* [Project] Neural: Implement PCA in learning
* [Project] Neural: Implement PCA learning
* [Project] Neural: Implement PCA on ANN forward
* [Project] Neural: Implement PCA serialisation
* [Project] Neural: Start PCA implementation
* [Project] Neural: Use C version of scatter matrix producing
* [Project] Preliminary support of lua conditions for regexps
* [Project] Preliminary usage of the reuseport
* [Project] Process composites separately for each shadow result
* [Project] Remove old code
* [Project] Rework scan result functions to support shadow results
* [Project] Rework some more functions to work with shadow results
* [Project] Some more fixes
* [Project] Start results chain implementation
* [Project] Support fun iterators on rspamd_text objects
* [Project] Support multiply, minus and divide operators in expressions
* [Project] Tensor: Move scatter matrix calculation to C
* [Rework] Allow to specify exat metric result when adding a symbol
* [Rework] Change and improve openblas detection and usage
* [Rework] Close listen sockets in main after fork
* [Rework] Further rework of lua urls extraction API
* [Rework] Lua_cryptobox: Allow to store output of the hash function
* [Rework] Lua_task: Add more methods to deal with shadow results
* [Rework] Modernize logging for expressions
* [Rework] Remove empty prefilters feature - we are not prepared...
* [Rework] Remove old FindLua module, disable lua fallback when LuaJIT is enabled
* [Rework] Rework and refactor forged recipients plugin
* [Rework] Rework expressions processing
* [Rework] Rework fuzzy commands processing
* [Rework] Rework url flags handling API
* [Rework] Rework urls extraction
* [Rework] Split operations processing and add more debug logs
* [Rework] Update zstd to 1.4.5
* [Rework] Use google-ced instead of libicu chardet as the former sucks
* [Rework] add alias util:parse_addr for util:parse_mail_address
* [Rework] get rid of util:parse_addr duplicating the util:parse_mail_address, replace where used
* [Rules] Allow prefix for bitcoin cash addresses
* [Rules] More fixes for bitcoin cash addresses decoding
* [Rules] Refactor bleach32 addresses handling
pkgsrc changes:
---------------
* Remove a conditional test for very old and unmaintained releases of
NetBSD. The variable defined is this test seems to be absent from the
pkgsrc tree and pkglint warns about its use.
* Add a LICENSE to fetchmailconf
upstream changes:
-----------------
fetchmail-6.4.12 (released 2020-09-04, 27596 LoC):
# BUG FIXES:
* The README file is now the one from Git again. The makerelease.pl script
used to roll and upload the tarball sometimes clobbered the README file and
replaced its contents by a part of the NEWS file.
---------------------------------------------------------------------------------
fetchmail-6.4.11 (released 2020-08-28, 27596 LoC):
# REGRESSION FIX:
* configure: fetchmail 6.4.9 and 6.4.10 would miss checking for TLS v1.2 and
TLS v1.3 support if AC_LIB_LINKFLAGS came up with something such as
/path/to/libssl.so, rather than -lssl. (For instance on FreeBSD)
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used, for instance,
for mailbox sizes, and misreports sizes of 2 GibiB and beyond.
Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
---------------------------------------------------------------------------------
fetchmail-6.4.10 (released 2020-08-27, 27596 LoC):
# REGRESSION FIX:
* configure: fetchmail 6.4.9's configure was unable to pick up OpenSSL
if it wasn't announced by pkg-config, for instance, on FreeBSD.
---------------------------------------------------------------------------------
fetchmail-6.4.9: (not announced by e-mail, withdrawn)
## DOCUMENTATION UPDATE:
* manpage: mention that the SSL/TLS certificate fingerprint uses an MD5 hash.
## CHANGES:
* configure: try to use AC_LIB_LINKFLAGS to obtain proper link flags for
libcrypto and libssl if pkg-config failed.
This is an attempt to fix borderline issues when users building on systems
with obsolete OpenSSL try to use a local newer OpenSSL from a separate
directory.
## NEW TRANSLATION, with thanks to the translator:
* ro: Florentina Mușat [Romanian]
Changelog:
78.3.1
Fixes
Thunderbird crashed after updating to 78.3.0
78.3.0
Changes
OpenPGP: Improved decryption performance with large messages
OpenPGP: Do not show external key UI when disabled by preference
Account setup wizard will now open a popup when connecting to a server with a
self-signed SSL/TLS certificate
Installation of "legacy" MailExtensions now disabled
Reply-To header moved in compose window; now appears under From header
Calendar: Sidebar UI improvements
Fixes
Selecting "Cancel" on the Master Password prompt at startup incorrectly
reported corrupted OpenPGP data
OpenPGP: Creating a new key pair did not automatically select it for use
Dragging & Dropping recipient pills resulted in lost pills when an error was
present
Spellcheck suggestions were unreadable in dark theme
Calendar: Multiple password prompts opened
Linux Distributions: UI was not rendered completely when built without updater
MailExtensions: browser.folders.delete failed on IMAP folders
Various security fixes
Security fixes:
Mozilla Foundation Security Advisory 2020-44
#CVE-2020-15677: Download origin spoofing via redirect
#CVE-2020-15676: XSS when pasting attacker-controlled data into
a contenteditable element
#CVE-2020-15678: When recursing through layers while scrolling, an iterator may
have become invalid, resulting in a potential use-after-free scenario
#CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
Changes:
1.8.12
------
- msmtpd now supports session reuse and improves standards compliance
- Automatic account matching now supports subaddresses. For example,
user+detail@example.com will match account user@example.com.
2020-09-25 Richard Russon <rich@flatcap.org>
* Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
* Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of `send2-hook`s
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if `$message_cachedir` doesn't point to a valid directory
- Fix tracking LastDir in case of IMAP paths with Unicode characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
* Changed Config
- Add `$compose_show_user_headers` (yes)
* Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
* Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the unit tests
* Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctx_update_tables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number as index
- debug: log window focus
