when EXTRAAUTHENTICATORS is passed as MAKE_FLAGS, it ends up being
doubled, mkauths then generates auths.c with doubled auth_gss.c and
auth_mit.c twice, triggering duplicate definition errors with clang
9.0.0; pass via MAKE_ENV instead
bump PKGREVISION
This hash_lookup() is internal function of imap but conflict with other
package (converters/php-recode) and cause php binary to crash.
Bump PKGREVISION.
Set LICENSE while here.
imap-2007f fixes a couple bugs.
Fix for RFC 4959 Initial Client Response auth failures noted first by
MacOSX Lion Mail users.
Adjust tcp_open.c:tcp_socket_open to make it a little more useful by adding
a write file descriptor test to the select in the case that the open
timeout is set.
In osdep/unix/env_unix.c:create_path there was a printf that should have
been an sprintf. Doesn't matter on modern systems.
pam.buildlink3.mk. This is wrong and a hack, but it gets the package
building again in my test environment. Someone please revert this and
do it right.
Currently there seems to be logic for enabling PAM in the build or not
on various platforms depending on whether native PAM appears to exist.
This is higly bogus; the package should be cleaned up so it either
depends on PAM or doesn't, regardless of platform, or preferably makes
it a build option.
XXX.
This version is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users
plus a security fix for users of the RFC822BUFFER routines.
Approved by Thomas Klausner.
- The shared library major version because it is no longer compatible
with old binaries.
- The package revision because of the above change.
- The minimum API and ABI versions because new binary packages are no
longer compatible with an old "imap-uw" package.
- security fix for users of tmail or dmail.
- bug fixes and reliability improvements.
- A new function, utf8_csvalidmap(), has been added for the benefit of
Alpine to use in examining UTF-8 text and determining efficiently
whether it can be downgraded to a legacy charset. If you develop an
MUA, this may be useful for you too, although you'll have to read the
source code to see how to use it. The purpose of the "not-CJK" bit is
to prevent messages being downgraded to a CJK charset if all they have
in that charset are some special punctuation.
This update address the security vulnerability reported in SA32483.
version of pine in mail/pine. I've switched to mail/alpine as MUA, and
mail/dovecot for imap service, and so should you.
This package should be updated to the current version of imap-uw. Although
we are _not_ vulnerable to the current secunia advisory for imap-uw -- we do
not install tmail or dmail with the setuid bit set, nor advise users to
configure their mta to pass untrusted mailbox names to dmail on the command
line (who would do this?), there will eventually be a vulnerability which
does affect this old version.
However, as long as we support mail/pine, upgrading is not quite
straightforward -- the last version of mail/pine links against the version
of imap-uw currently included herein, and an upgrade would require testing.
that duse the c-client library do not have their callback function symbols
stripped at install time. Fixes the following:
PR pkg/34031
and indicates that this need not be reopened:
PR pkg/35592
also bump PKGREVISION and BUILDLINK_ABI_DEPENDS
Updated: 14 June 2007
imap-2006j is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 5 June 2007
imap-2006i is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
imapd now supports the CHILDREN and ESEARCH extensions.
imapd's attempt to return COPYUID/APPENDUID information for a traditional
UNIX (and MMDF) format mailbox when the mailbox is open by another process
has been declared to be a failure and is now revoked. It was subject to a
timing race, loss of which involved an expensive reset of the mailbox's UID
regime. Any imapd COPY or APPEND to a traditional UNIX or MMDF format that
is open by some other process will now no longer return COPYUID/APPEND.
Although this is technically in violation of RFC 4315, there is a loophole
in that document and the timing race/performance problem is worse.
Updated: 4 April 2007
imap-2006h is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 30 March 2007
imap-2006g is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 30 January 2007
imap-2006f is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
For the benefit of multi-threaded applications, use of strtok() has been
abolished in the c-client library. imapd and ipop3d stuff use it though.
The TOPS-20 and VAX/VMS ports still use strtok() since they don't use UNIX
threads.
This version has been test-built on Linux, Mac OS X, NeXT, Windows XP,
TOPS-20, and VAX/VMS. This will probably be the last test-build on VAX/VMS
since the system I use for that purpose is being shut down. I have no way
to test-build on DOS, legacy Mac OS (OS 9 and earlier), OS/2, or Windows CE;
and the builds on those systems are probably broken.
Updated: 26 January 2007
imap-2006e is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 6 December 2006
imap-2006d is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
The decomposition mapping, title-case mapping, and character widths tables
have been updated to comply with the Unicode 5.0 standard.
Prototypes for the utf8aux.c functions have been moved to a new utf8aux.h.
The general c-client modules now include c-client.h instead of the individual
files. Use of c-client.h instead of individual include files insulates
against future shuffling of include files.
Updated: 23 October 2006
imap-2006c is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
By popular request, if a user has a mix (or other dual-use) format INBOX,
it will no longer be listed as \NoInferiors. It's a bad idea to depend
upon this due to the case ambiguity issue, but it's there.
Updated: 26 September 2006
imap-2006b is a maintenance release, consisting entirely of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 15 September 2006
imap-2006a is a maintenance release, consisting entirely of bugfixes to
problems discovered in the release that affected a small number of users.
If it is necessary to build IPv4-only on one of the ports that has IPv6
preconfigured (ldb, lfd, lmd, lrh, lsu, osx, oxp), this can be done by
using IP6=4. You can't do IP=4 in the build command directly since these
ports set IP themselves; however, now instead of setting IP=6 they now set
IP=$(IP6).
Updated: 30 August 2006
imap-2006 is a major release. Programs written for imap-2004g should
build with this version with minor or no modification. imap-2005 was not
released except as development snapshots.
imap-2006 contains major extensions to its Unicode support. Searching and
sorting are now done with strings canonicalized to titlecase and decomposed
form. Among other things, this means that Latin letters with diacriticals
will now sort with the basic Latin letter, and case-independent searching of
such letters (e.g., German umlauts) now works. Previously, sorting was done
strictly by Unicode codepoint, and case-independence only worked with ASCII.
imapd now supports the UIDPLUS extension for mailboxes in unix, mmdf, mbx, mx,
and mix formats. UID EXPUNGE is fully implemented. Note that UIDPLUS is not
supported in the little-used drivers (mh, mtx, tenex) in which meaningful
APPENDUID/COPYUID data can not be returned. Refer to bugs.txt for more
details.
The new mix format is a dual-use mailbox format designed for performance and
reliability with large mailboxes. mix is documented in file mixfmt.txt.
SSL/TLS certificate validation on UNIX now checks the alternative names in the
certificate if the CN does not match.
The new /tls-sslv23 flag in a mailbox name causes a TLS session to use the
(incorrect) SSLv23 client method instead of the TLSv1 client method. Some
broken servers use the SSLv23 server method, and this flag works around that
problem. WARNING: use of this flag will cause TLS negotiation to fail with
a server which uses the proper TLSv1 server method. Additionally, there are
known security risks in SSLv2; so users should be suspicious if this switch
suddenly becomes necesary.
The silly mailbox flag combination /ssl/tls is now rejected as an invalid
remote specification. Previous versions tried to negotiate TLS over an SSL
session; even if the server permitted such a thing it couldn't work.
The memory management of several drivers has been redesigned to consume less
memory and hopefully be faster.
The private.data member of the MESSAGECACHE (elt) has been replaced with
a union that contains private.spare.data and private.spare.ptr, the latter
being a pointer.
A new FT_RETURNSTRINGSTRUCT flag has been added for mail_fetch_body() and
mail_fetch_text() calls. If this flag is set, *and* if the function returns
NIL, then the requested string data is available on a stringstruct on
stream->private.string. This is a special hack for the IMAP and POP servers
and is subject to incompatible change. The result is a major performance
improvement in the servers with the mbx driver, particularly with large
messages.
if "ssl" is a package option.
* Stop the abuse of BUILD_TARGET and use MAKE_FLAGS instead. Also,
use OPSYSVARS to simplify the specification of the correct BUILD_TARGET
for each platform.
* Make use of the EXTRASPECIALS variable used by imap makefiles to pass
special MAKE_FLAGS settings through to all recursive make processes.
This gets rid of some MAKE_ENV statements.
* Split off the special alpha-codegen hack into a hacks.mk file.
* Do man page fixups at post-build time, not post-extract time. This
leaves the files pristine for possible patching.
* Add back the special handling if IMAP_UW_MAILSPOOLHOME is defined.
It was accidentally removed in patch-am when the whoson modifications
were added. Move the modifications to the configure phase instead
of post-patch so that the modifications aren't accidentally picked
up by mkpatches.
* Instead of listing each Makefile that needs the sed modification
s/c-client.a/libc-client.la/ and modifying them at post-extract
time, simply create patches for them.
* Instead of listing each header file to be installed, just derive
the list from the PLIST.
* Make the libtoolification a bit more transparent by patching libtool
references directly into the imap makefiles.
* Drop the -limapuw -> -lc-client buildlink transform that was only
needed for much older versions of the imap-uw package, and stop
installing libimapuw.*. All dependents of imap-uw already correctly
use -lc-client.
* Fix the handling of the kerberos package option so that we can use
the pkgsrc Kerberos 5 packages instead of only using the native
ones.
* Properly document the options.mk file.
Bump the PKGREVISION for the libimapuw.* changes and for the
IMAP_UW_MAILSPOOLHOME fixes. The rest of the changes are all
pkgsrc-related and don't really affect the binary package.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
"A vulnerability in UW-imapd can be exploited by malicious users to
cause a DoS (Denial of Service) or compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the
"mail_valid_net_parse_work()" function when copying the user supplied
mailbox name to a stack buffer. This can be exploited to cause a
stack-based buffer overflow via a specially crafted mailbox name that
contains an single opening double-quote character, without the
corresponding closing double-quote.
Successful exploitation allows arbitrary code execution, but requires
valid credentials on the IMAP server."
http://secunia.com/advisories/17062/
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933
Patch from 2004g.
