to address issues with NetBSD-6(and earlier)'s fontconfig not being
new enough for pango.
While doing that, also bump freetype2 dependency to current pkgsrc
version.
Suggested by tron in PR 47882
# SECURITY FIXES
* for CVE-2012-3482:
NTLM: fetchmail mistook an error message that the server sent in response to
an NTLM request for protocol exchange, tried to decode it, and crashed while
reading from a bad memory location.
Also, with a carefully crafted NTLM challenge packet sent from the server, it
would be possible that fetchmail conveyed confidential data not meant for the
server through the NTLM response packet.
Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
NTLM authentication in case of error.
See fetchmail-SA-2012-02.txt for further details.
Reported by J. Porter Clark.
* for CVE-2011-3389:
SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
against a certain kind of attack against cipher block chaining initialization
vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
Whether this creates an exploitable situation, depends on the server and the
negotiated ciphers.
As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
NOTE that this can cause connections to certain non-conforming servers to
fail, in which case you can set the environment variable
FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
fetchmail to re-instate the compatibility option at the expense of security.
Reported by Apple Product Security.
For technical details, refer to <http://www.openssl.org/~bodo/tls-cbc.txt>.
See fetchmail-SA-2012-01.txt for further details.
# BUG FIX
* The Server certificate: message in verbose mode now appears on stdout like the
remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
* The GSSAPI-related autoconf code now matches gssapi.c better, and uses
a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
# CHANGES
* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
reference it (to fix the build) and if configured, print a run-time error
that the OS does not support SSLv2. Fixes Debian Bug #622054,
but note that that bug report has a more thorough patch that does away with
SSLv2 altogether.
* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
was dropped). The Creative Commons address was updated.
* The Python-related Makefile.am parts were simplified to avoid an automake
1.11.X bug around noinst_PYTHON, Automake Bug #10995.
* Configuring fetchmail without SSL now triggers a configure warning,
and asks the user to consider running configure --with-ssl.
# WORKAROUNDS
* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
a header request, in the face of message corruption. fetchmail now treats
these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
without any header in response to a header request for meeting reminder
messages (with a "meeting.ics" attachment). fetchmail now treats these as
transient errors. Report by John Connett, Patch by Sunil Shetye.
# TRANSLATION UPDATES
* [cs] Czech, by Petr Pisar
* [de] German
* [fr] French, by Frédéric Marchal
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
* [vi] Vietnamese, by Trần Ngọc Quân
Changes since version 6.3.20:
- The IMAP client no longer inserts NUL bytes into the last line of a
message when it is not closed with a LF or CRLF sequence. Reported
by Antoine Levitt. As a side effect of the fix, and in order to
avoid a full rewrite, fetchmail will now CRLF-terminate the last
line fetched through IMAP, even if it is originally not terminated
by LF or CRLF. This bears no relevance if your messages end up in
mbox, but adds line termination for storages (like Maildir) that do
not require that the last line be LF- or CRLF-terminated.
Requested by PR#45030.
fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
# SECURITY BUG FIXES
* CVE-2011-1947:
STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
set timeout (default five minutes) now. This was reported missing, with
observed fetchmail freezes beyond a week, by Thomas Jarosch.
SSL-wrapped connections were unaffected by this timeout, so users of older
versions can force ssl-wrapped connections -- if supported by the server --
with the --ssl command line or ssl rcfile option.
See fetchmail-SA-2011-01.txt for further details.
# BUG FIXES
* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
new messages and most of the range searches result in nothing. Instead, split
the long response to make the IMAP driver think that there are multiple lines
of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
there are too many old messages, the logs just get filled without any real
activity. (Sunil Shetye) (suggested by Yunfan Jiang)
* Build: fetchmail now always uses its own MD5 implementation rather than trying
to find a system library with matched header. The library and header variants
found on systems are too diverse, and the code size saving is not worth any
more wasted user or programmer time.
# CHANGES
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
there is no portable way to configure actual timeouts for this mode, and some
systems only support a system-wide timeout setting. fetchmail does not
attempt to tune the time spans of keepalive mode.
# TRANSLATION UPDATES
[cs] Chech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German (Matthias Andree)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
# KNOWN BUGS AND WORKAROUNDS
(this section floats upwards through the NEWS file so it stays with the
current release information - however, it was stuck with 6.3.8 for a while)
* fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail does not track pending deletes over crashes.
* the command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
# ERRATUM NOTICE ISSUED
* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.
# BUG FIXES
* When specifying multiple local multidrop lists, do not lose wildcard flag.
(Affects "user foo is bar baz * is joe here")
* In multidrop configurations, an asterisk can now appear anywhere in the list
of local users, not just at the end.
* In multidrop mode, header parsing is now more verbose in -vv mode, so that it
becomes possible to see which header is used.
* Make --antispam work from command line (these used to work in rcfiles).
Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
documents. Skip validating Mailbox-Names-UTF7.html. Several systems have
broken XHTML 1.1 DTD installations that jeopardize the build.
Reported by Mihail Nechkin against FreeBSD port.
Workaround for 6.3.18: build in a separate directory, i. e:
mkdir build && cd build && ../configure --options-go-here
* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
and Derek Simkowiak via the fetchmail-users@ mailing list.
* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
server capabilities do not show support for upgradation to TLS.
To use this, configure --sslproto tls1. (Sunil Shetye)
* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
Yasin Malli to fetchmail-users@ 2010-12-10.
Note that fetchmail continues to expect literals as FETCH response for now.
# DOCUMENTATION
* The manual page now links to IANA for GSSAPI service names.
# TRANSLATION UPDATES
[cs] Czech (Petr Pisar)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[pl] Polish (Jakub Bogusz)
fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
* Fetchmail now only accepts wildcard certificate common names and subject
alternative names if they start with "*.". Previous versions would accept
wildcards even if no period followed immediately.
* Fetchmail now disallows wildcards in certificates to match domain literals
(such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
The test is overly picky and triggers if the pattern (after skipping the
initial wildcard "*") or domain consists solely of digits and dots, and thus
matches more than needed.
* Fetchmail now disallows wildcarding top-level domains.
# CRITICAL BUG FIXES AND REGRESSION FIXES
* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
functions, as an effect of an undocumented Solaris MD5 fix.
This caused all MD5-related functions to malfunction if, for instance,
libmd5.so was installed on other operating systems as part of libwww on
machines where long isn't 32-bits, i. e. usually on 64-bit computers.
Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
--sslfingerprint was specified. This is an omission from an SSL usability
change made in 6.3.17.
Fixes Debian Bug#580796 reported by Roland Stigge.
* Fetchmail will now apply timeouts to the authentication stage.
This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
Reported missing by Thomas Jarosch.
* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
errors, such as no or unsuitable credentials.
It now sends an asterisk on a line by its own, as required in SASL.
This fixes protocol synchronization issues that cause Authentication
failures, often observed with kerberized MS Exchange servers.
Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.
# BUG FIXES
* Fetchmail will no longer print connection attempts and errors for one host
in "silent" and "normal" logging modes, unless all connections fail. This
should reduce irritation around refused-connection logging if services are
only on an IPv4 socket if the host also supports IPv6. Often observed as
connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
all connect errors and only report them if all of them fail.
* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
credentials. However, if GSSAPI authentication is requested explicitly,
fetchmail will always try it.
* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
* The manual page clearly states that --principal is for Kerberos 4 only, not
for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
# CHANGES
* When encountering incorrect headers, fetchmail will refer to the bad-header
option in the manpage.
Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
* Fetchmail now decodes and reports GSSAPI status codes upon errors.
* Fetchmail now autoprobes NTLM also for POP3.
* The Fetchmail FAQ has a new item #R15 on authentication failures.
# INTERNAL CHANGES
* The common NTLM authentication code was factored out from pop3.c and imap.c.
# TRANSLATION UPDATES
[zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German
[it] Italian (Vincenzo Campanella)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
- Security fixes for CVE-2009-2666, CVE-2007-4565 and CVE-2008-2711.
- Fetchmail no longer drops permanently undelivered messages by default,
to match historic documentation. It does this by adding a new
"softbounce" option.
- A lot bug fixes and improvements.
Changes since version 6.3.6:
- Make the APOP challenge parser more distrustful and have it reject
challenges that do not conform to RFC-822 msg-id format, in the hope
to make mounting man-in-the-middle attacks (MITM) against APOP a bit
more difficult. (CVE-2007-1558)
- Fix pluralization of oversized-message warning mails.
- Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
"recommended:" in bold.
- Repoll immediately if a protocol error happens during the authentication
attempt after a failed opportunistic TLS upgrade.
- Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes
section.
- If SOCKS support was compiled in, add 'socks' to the feature_options
Python list emitted in --configdump.
- Do not crash with a null pointer dereference when opening the BSMTP file
fails. Improve error checking and reporting.
- Make BSMTP output actually work, it would persistently fail with SOCKET
error after writing the first header.
- Fix KPOP.
- Fix repoll when server disconnects after opportunistic TLS failed for
POP3.
The list of changes since version 6.2.5.5 is too large to mention here.
The new version provides a fix for the vulnerability reported in the
fetchmail-SA-2006-02.txt advisory.
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Several changes are involved since they are all interrelated. These
changes affect about 1000 files.
The first major change is rewriting bsd.builtin.mk as well as all of
the builtin.mk files to follow the new example in bsd.builtin.mk.
The loop to include all of the builtin.mk files needed by the package
is moved from bsd.builtin.mk and into bsd.buildlink3.mk. bsd.builtin.mk
is now included by each of the individual builtin.mk files and provides
some common logic for all of the builtin.mk files. Currently, this
includes the computation for whether the native or pkgsrc version of
the package is preferred. This causes USE_BUILTIN.* to be correctly
set when one builtin.mk file includes another.
The second major change is teach the builtin.mk files to consider
files under ${LOCALBASE} to be from pkgsrc-controlled packages. Most
of the builtin.mk files test for the presence of built-in software by
checking for the existence of certain files, e.g. <pthread.h>, and we
now assume that if that file is under ${LOCALBASE}, then it must be
from pkgsrc. This modification is a nod toward LOCALBASE=/usr. The
exceptions to this new check are the X11 distribution packages, which
are handled specially as noted below.
The third major change is providing builtin.mk and version.mk files
for each of the X11 distribution packages in pkgsrc. The builtin.mk
file can detect whether the native X11 distribution is the same as
the one provided by pkgsrc, and the version.mk file computes the
version of the X11 distribution package, whether it's built-in or not.
The fourth major change is that the buildlink3.mk files for X11 packages
that install parts which are part of X11 distribution packages, e.g.
Xpm, Xcursor, etc., now use imake to query the X11 distribution for
whether the software is already provided by the X11 distribution.
This is more accurate than grepping for a symbol name in the imake
config files. Using imake required sprinkling various builtin-imake.mk
helper files into pkgsrc directories. These files are used as input
to imake since imake can't use stdin for that purpose.
The fifth major change is in how packages note that they use X11.
Instead of setting USE_X11, package Makefiles should now include
x11.buildlink3.mk instead. This causes the X11 package buildlink3
and builtin logic to be executed at the correct place for buildlink3.mk
and builtin.mk files that previously set USE_X11, and fixes packages
that relied on buildlink3.mk files to implicitly note that X11 is
needed. Package buildlink3.mk should also include x11.buildlink3.mk
when linking against the package libraries requires also linking
against the X11 libraries. Where it was obvious, redundant inclusions
of x11.buildlink3.mk have been removed.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
Based on pr pkg/22650 by Adrian Portelli.
Changes since 6.2.3:
* Updated German, Spanish, Catalan, and Turkish translations.
* IDLE is now supported using no-ops even if the server doesn't support
the IMAP IDLE extension.
* Sunil Shetye's patch to do better password shrouding.
* Sunil Shetye's bug-fix rollup patch.
* Introduce a translation item for the word "seen".
* Back out the hack to deal with lack of byte stuffing on some POP3 servers.
* Thomas Steudten's patch to improve SMTP handling of 550 errors.
Changes since 6.2.2:
* German, Danish, Spanish, and Turkish translations updated.
* Brian Sammon's patch to deal with malformed message lines containiing NULs.
* Fai's patch to ignore all but the first Return-Path (some spams have
more than one of these).
* Benjamin Drieu's ptch to properly byte-stuff when talking to BSNTP.
Fixes Debian bug #184469.
* Benjamin Drieu's patch to enable auth=cram-md5.
Fixes Debian bug #185232.
* Sunil Shetye's configure.in patch to avoid spurious search order messages
from GCC.
* Header-reading code now copes better with lines ending in \n only.
* Elias Israel's patches for POP3 NTLM support and dealing with byte-
stuffing failures at socket level.
Changes since last version:
* Sunil Shetye's patch to improve behavior in empty messages.
* Conform to RFC2595; reissue capability probes after successful
STARTTLS negotiation.
* Sunil's patch to make handling of failed STARTTLS more graceful.
* Sunil's JF2 fix patch for .fetchmailrc security fix.
* Christophe GIAUME <christophe@giaume.com> finished the implementation
of RFC2177 IDLE.
* Jason Tishler's fix patch for Cygwin.
* Support ssh-style authentication in POP3
* Fix for Debian bug #108977, clean up config file evaluation,
by Benjamin Drieu.
* Updated German, Turkish, Spanish, and Danish translation files.
* Integrated Sunil Shetye's patch to make mark_seen an explicit method.
* Removed FAQ warning about GMX and associated fetchmailconf check,
we have a report that its servers are conformant now.
* Another Sunil patch to fix a minor bug in bouncemail generation.
Changes since version 6.1.2:
- Applied Steffen Esser's fix for a buffer-overflow bug in rfc822.c
- Updated Danish, German, and Turkish translation files.
- Sunil Sheye's SMTP timeout patch.
- Updated Turkish, Danish, German, Spanish, Catalan po files.
- Added Slovak support.
- Configure.in update for autoconf 2.5 (Art Haas).
- Be case-insensitive when looking for IMAP responses.
- Fix logout-after-idle-delivery bug (Sunil Shetye).
- Sunil Shetye's patch to bulletproof end-of-header detection.
- Sunil's fix for the STARTTLS problem -- repoll if TLS nabdshake
fails. The attenmpt to set up STARTTLS can be suppressed with 'sslproto ""'.
changes since 6.1.0:
fetchmail-6.1.2 (Thu Oct 31 11:41:02 EST 2002), 22135 lines:
* Jan Klaverstijn's verbosity-lowering patch.
* Updated Turkish, German, Catalan, and Danish translation files.
* Fix processing of POP3 messages with missing bodies.
* Minor fixes by Sunil Shetye: fix generation of auth fail note, handle
unexpected SIGALRM, plug memory leak, handle lines beginning with '\0',
try to bulletproof error handling against read failures.
fetchmail-6.1.1 (Fri Oct 18 14:53:51 EDT 2002), 22087 lines:
* OTP fix patches from Stanislav Brabec <utx@penguin.cz>
* fix patch for writing antispam capability correctly in conf.c.
* Fix patches for Debian bugs #162571, #156592.
* Correction to manpage re -b and qmail.
* Patch to disable use of STLS if auth passwd is specified.
* Fix specfile generation to handle SSL correctly.
* New Danish, Turkish, and Catalan translation files.
* Improved ODMR debug messages.
* IMAP efficiency hack; don't fetch sizes unless needed.
* Detect and rewrite invalid return paths beginning with @.
* Fix for subtle freeing bug that suppressed information in some bounce msgs.
* Newline fix patches for internationalization files.
* Fix reversed test guarding authentication-failure warnings.
* Fix POP3 breakage starting at 5.9.14.
Because of the recent vulnerability, it is strongly encouraged to update
(http://security.e-matters.de/advisories/032002.html).
Thanx to Alan Post <apost@interwoven.com> for giving me a note.
fetchmail-6.1.0 (Sun Sep 22 18:31:23 EDT 2002), 21999 lines:
* Updated French translation.
* Stefan Esser's fix for potential remote vulnerability in multidrop mode.
This is an important security fix!
fetchmail-6.0.0 (Tue Sep 17 19:48:25 EDT 2002), 21972 lines:
* Applied Matt Kraai's fix for minor Debian bug #144539.
* Nerijus Baliunas's patch to support STARTTLS over IMAP.
* More cleanups and minor bugfixes from Sunil Shetye.
* Default antispam-response list is now empty.
* Updated de and po translations,
fetchmail-5.9.14 (Fri Sep 6 05:03:25 EDT 2002), 21932 lines:
* Sunil Shetye's patch to eliminate multiple bounces.
* Moritz Jodeit <moritz@jodeit.org>'s patch for re-exec with no args.
* Sunil Shetye's patch to solve the re-exec problem with relative files.
* Cygwin portability patch (use ROOT_UID) from Jason Tishler.
* Workaround for the CAPA error problem is documented in the FAQ.
* Updated Polish, Danish, and Catalan translations.
* Sunil Shetye's patch to improve CAPA error handling.
* Sunil Shetye's patch to improve handling of unreadable boxes in POP3.
* Berkeley port fix for Kerberos IV.
extension Makefile fragments, because they really don't have anything to
do with the buildlink[12] frameworks. Change all the Makefiles that use
application.buildlink.mk and extension.buildlink.mk to use application.mk
and extension.mk instead.
