This version is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users
plus a security fix for users of the RFC822BUFFER routines.
Approved by Thomas Klausner.
- security fix for users of tmail or dmail.
- bug fixes and reliability improvements.
- A new function, utf8_csvalidmap(), has been added for the benefit of
Alpine to use in examining UTF-8 text and determining efficiently
whether it can be downgraded to a legacy charset. If you develop an
MUA, this may be useful for you too, although you'll have to read the
source code to see how to use it. The purpose of the "not-CJK" bit is
to prevent messages being downgraded to a CJK charset if all they have
in that charset are some special punctuation.
This update addresses the security vulnerability reported in SA32483.
Updated: 14 June 2007
imap-2006j is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 5 June 2007
imap-2006i is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
imapd now supports the CHILDREN and ESEARCH extensions.
imapd's attempt to return COPYUID/APPENDUID information for a traditional
UNIX (and MMDF) format mailbox when the mailbox is open by another process
has been declared to be a failure and is now revoked. It was subject to a
timing race, loss of which involved an expensive reset of the mailbox's UID
regime. Any imapd COPY or APPEND to a traditional UNIX or MMDF format that
is open by some other process will now no longer return COPYUID/APPEND.
Although this is technically in violation of RFC 4315, there is a loophole
in that document and the timing race/performance problem is worse.
Updated: 4 April 2007
imap-2006h is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 30 March 2007
imap-2006g is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 30 January 2007
imap-2006f is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
For the benefit of multi-threaded applications, use of strtok() has been
abolished in the c-client library. imapd and ipop3d stuff use it though.
The TOPS-20 and VAX/VMS ports still use strtok() since they don't use UNIX
threads.
This version has been test-built on Linux, Mac OS X, NeXT, Windows XP,
TOPS-20, and VAX/VMS. This will probably be the last test-build on VAX/VMS
since the system I use for that purpose is being shut down. I have no way
to test-build on DOS, legacy Mac OS (OS 9 and earlier), OS/2, or Windows CE;
and the builds on those systems are probably broken.
Updated: 26 January 2007
imap-2006e is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 6 December 2006
imap-2006d is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
The decomposition mapping, title-case mapping, and character widths tables
have been updated to comply with the Unicode 5.0 standard.
Prototypes for the utf8aux.c functions have been moved to a new utf8aux.h.
The general c-client modules now include c-client.h instead of the individual
files. Use of c-client.h instead of individual include files insulates
against future shuffling of include files.
Updated: 23 October 2006
imap-2006c is a maintenance release, consisting primarily of bugfixes to
problems discovered in the release that affected a small number of users.
By popular request, if a user has a mix (or other dual-use) format INBOX,
it will no longer be listed as \NoInferiors. It's a bad idea to depend
upon this due to the case ambiguity issue, but it's there.
Updated: 26 September 2006
imap-2006b is a maintenance release, consisting entirely of bugfixes to
problems discovered in the release that affected a small number of users.
Updated: 15 September 2006
imap-2006a is a maintenance release, consisting entirely of bugfixes to
problems discovered in the release that affected a small number of users.
If it is necessary to build IPv4-only on one of the ports that has IPv6
preconfigured (ldb, lfd, lmd, lrh, lsu, osx, oxp), this can be done by
using IP6=4. You can't do IP=4 in the build command directly since these
ports set IP themselves; however, now instead of setting IP=6 they now set
IP=$(IP6).
Updated: 30 August 2006
imap-2006 is a major release. Programs written for imap-2004g should
build with this version with minor or no modification. imap-2005 was not
released except as development snapshots.
imap-2006 contains major extensions to its Unicode support. Searching and
sorting are now done with strings canonicalized to titlecase and decomposed
form. Among other things, this means that Latin letters with diacriticals
will now sort with the basic Latin letter, and case-independent searching of
such letters (e.g., German umlauts) now works. Previously, sorting was done
strictly by Unicode codepoint, and case-independence only worked with ASCII.
imapd now supports the UIDPLUS extension for mailboxes in unix, mmdf, mbx, mx,
and mix formats. UID EXPUNGE is fully implemented. Note that UIDPLUS is not
supported in the little-used drivers (mh, mtx, tenex) in which meaningful
APPENDUID/COPYUID data can not be returned. Refer to bugs.txt for more
details.
The new mix format is a dual-use mailbox format designed for performance and
reliability with large mailboxes. mix is documented in file mixfmt.txt.
SSL/TLS certificate validation on UNIX now checks the alternative names in the
certificate if the CN does not match.
The new /tls-sslv23 flag in a mailbox name causes a TLS session to use the
(incorrect) SSLv23 client method instead of the TLSv1 client method. Some
broken servers use the SSLv23 server method, and this flag works around that
problem. WARNING: use of this flag will cause TLS negotiation to fail with
a server which uses the proper TLSv1 server method. Additionally, there are
known security risks in SSLv2; so users should be suspicious if this switch
suddenly becomes necessary.
The silly mailbox flag combination /ssl/tls is now rejected as an invalid
remote specification. Previous versions tried to negotiate TLS over an SSL
session; even if the server permitted such a thing it couldn't work.
The memory management of several drivers has been redesigned to consume less
memory and hopefully be faster.
The private.data member of the MESSAGECACHE (elt) has been replaced with
a union that contains private.spare.data and private.spare.ptr, the latter
being a pointer.
A new FT_RETURNSTRINGSTRUCT flag has been added for mail_fetch_body() and
mail_fetch_text() calls. If this flag is set, *and* if the function returns
NIL, then the requested string data is available on a stringstruct on
stream->private.string. This is a special hack for the IMAP and POP servers
and is subject to incompatible change. The result is a major performance
improvement in the servers with the mbx driver, particularly with large
messages.
that all library dependencies are picked up. Fixes the build of pine
when imap-uw has been built with the kerberos option. No revision bump
as doesn't change the default build.
if "ssl" is a package option.
* Stop the abuse of BUILD_TARGET and use MAKE_FLAGS instead. Also,
use OPSYSVARS to simplify the specification of the correct BUILD_TARGET
for each platform.
* Make use of the EXTRASPECIALS variable used by imap makefiles to pass
special MAKE_FLAGS settings through to all recursive make processes.
This gets rid of some MAKE_ENV statements.
* Split off the special alpha-codegen hack into a hacks.mk file.
* Do man page fixups at post-build time, not post-extract time. This
leaves the files pristine for possible patching.
* Add back the special handling if IMAP_UW_MAILSPOOLHOME is defined.
It was accidentally removed in patch-am when the whoson modifications
were added. Move the modifications to the configure phase instead
of post-patch so that the modifications aren't accidentally picked
up by mkpatches.
* Instead of listing each Makefile that needs the sed modification
s/c-client.a/libc-client.la/ and modifying them at post-extract
time, simply create patches for them.
* Instead of listing each header file to be installed, just derive
the list from the PLIST.
* Make the libtoolification a bit more transparent by patching libtool
references directly into the imap makefiles.
* Drop the -limapuw -> -lc-client buildlink transform that was only
needed for much older versions of the imap-uw package, and stop
installing libimapuw.*. All dependents of imap-uw already correctly
use -lc-client.
* Fix the handling of the kerberos package option so that we can use
the pkgsrc Kerberos 5 packages instead of only using the native
ones.
* Properly document the options.mk file.
Bump the PKGREVISION for the libimapuw.* changes and for the
IMAP_UW_MAILSPOOLHOME fixes. The rest of the changes are all
pkgsrc-related and don't really affect the binary package.
"A vulnerability in UW-imapd can be exploited by malicious users to
cause a DoS (Denial of Service) or compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the
"mail_valid_net_parse_work()" function when copying the user supplied
mailbox name to a stack buffer. This can be exploited to cause a
stack-based buffer overflow via a specially crafted mailbox name that
contains a single opening double-quote character, without the
corresponding closing double-quote.
Successful exploitation allows arbitrary code execution, but requires
valid credentials on the IMAP server."
http://secunia.com/advisories/17062/
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933
Patch from 2004g.
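
The advisory above describes a copy into a fixed-size stack buffer that a mailbox name with an unmatched opening double-quote can push past the end of the buffer. The following is an added example, not c-client code and not the actual patch: a quoted-value copy in C that fails closed on a missing closing quote, a dangling backslash, or a value that does not fit. The function name copy_quoted, the 16-byte buffer and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration; not c-client code. Copies the double-quoted value that
 * starts at src (src must point at the opening quote) into dst.
 * Returns a pointer just past the closing quote, or NULL if the value is
 * malformed or does not fit. On failure dst is left as an empty string. */
const char *copy_quoted(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0;

    if (!src || !dst || dstlen == 0) return NULL;
    dst[0] = '\0';
    if (*src != '"') return NULL;

    for (++src; *src != '"'; ++src) {
        char c = *src;
        if (c == '\0') goto fail;              /* opening quote never closed */
        if (c == '\\') {                       /* backslash escapes next byte */
            c = *++src;
            if (c == '\0') goto fail;          /* dangling backslash at end */
        }
        if (i + 1 >= dstlen) goto fail;        /* keep one byte for the NUL */
        dst[i++] = c;
    }
    dst[i] = '\0';
    return src + 1;

fail:
    dst[0] = '\0';
    return NULL;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any advisory or exploit. */
    const char *samples[] = { "\"INBOX\"", "\"INBOX", "\"a\\\"b\"",
                              "\"0123456789abcdef\"" };
    char buf[16];                              /* assumed fixed-size buffer */
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        const char *end = copy_quoted(samples[n], buf, sizeof buf);
        printf("%-22s -> %s\n", samples[n], end ? buf : "(rejected)");
    }
    return 0;
}
```

Both the end-of-input test and the length test are needed: the first stops the loop when the closing quote is absent, the second stops it when a well-formed value is longer than the destination.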
Changes (note that relnotes say -2004d, but it is indeed -2004e):
=====
imap-2004d is a maintenance release, released concurrently with Pine
4.63, and consists primarily of bugfixes.
There is now a workaround for RedHat breaking flock(). However, since
RedHat has said that they don't support flock(), there is no guarantee
that they won't break it in the future. So you may want to consider some
other Linux distribution or BSD instead. See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123415
for the gruesome details.
There are no user-visible functional enhancements in this version.
=====
OTHER CHANGE: Multiple newsrc and MSA support needed by Pine 4.63.
imap-2004c:
fixes to quoted-printable encoding and CRAM-MD5 authentication.
NNTP proxy in imapd now supports the LIST and LSUB commands.
imap-2004b:
There are new ports for Solaris with Blastwave Community Open
Source Software (gcs) and Mandrake Linux (lmd).
SET_SNARFINTERVAL now controls how frequently local drivers
will move new mail from the mail spool as well as from a
maildrop. Maildrops are still tied to a minimum interval of
1 minute, but there is now no minimum for the spool file.
Character set conversions now map non-breaking space to space
if the destination character set doesn't have nbsp. JIS Roman
yen sign is now mapped to Unicode yen sign.
* maintenance release, consisting primarily of critical bugfixes
* now has a supported NNTP proxy capability
* OSF/1 port (Digital UNIX, Tru64) now uses flocksim instead of flcksafe
* The unix[nt] and mmdf drivers now prevent mail_append() from writing Status:,
X-Status:, X-UID, X-IMAP[base]:, and X-Keywords: header lines to a
traditional UNIX or MMDF format mailbox
* mailutil has three new commands: delete, rename, and prune
* IPv6 support now exists for UNIX and W2K
* The NNTP driver now supports NNTP SASL and TLS
* imapd now supports the LITERAL+ and SASL-IR initial-response extensions
* The IMAP driver has some additional checks to reduce the amount of network
traffic, including executing "silly searches" (searches of sequence numbers
only) locally
* The IMAP, POP, SMTP, and NNTP drivers now have diagnostic code to provide
better information about servers which violate SASL's empty challenge
requirements (e.g. with the PLAIN mechanism).
* There is a new mail_fetch_overview_sequence() function which is like
mail_fetch_overview() but takes a sequence number string as an argument.
There should have been a flags argument and FT_UID bit as in all the other
mail_fetch_???() functions but compatibility with the past... :-(
* The overview_t callback (from mail_fetch_overview()) now has a fourth
argument which contains the message sequence number (as opposed to the UID
which is in the second argument). It turned out that some applications were
calling mail_msgno() (which can be moderately expensive) to get the sequence
number, and c-client already knew it.
* Many declarations which are completely internal to a driver have been removed
from the driver .h file, and in those cases where there are no external
declarations left the .h file has been eliminated entirely. As part of this,
the mbox driver routines are now incorporated with the unix driver routines
as opposed to being a separate file. The mbox driver still needs to be lunk
in order to get the mbox functionality.
imap-2002e is a minor release, released concurrently with Pine 4.57, and
contains primarily bugfixes. Programs written for imap-2002d should build
with this version without modification.
The NNTP client code now tries to perform better with legacy NNTP servers
which do not comply with the current NNTP protocol specification draft, most
notably Netscape Collabra.
Delivery notifications now work reliably with SMTP servers that support it.
The following changes are primarily of concern to developers and power users:
There is a "limited advertise" option in env_unix.c which, if set, will only
advertise the user's own namespace and the #shared/ namespace.
It is now possible to build the IMAP toolkit with a separate SSL KEY file
from the certificate file (SSLKEYS vs. SSLCERTS).
A new BODY structure element, sparep, is available for the main program to
use as a pointer for its own purposes; as well as a SET_FREEBODYSPAREP
function, similar to SET_FREEENVELOPESPAREP, SET_FREEELTSPAREP, etc.
imap-2002c is a minor release, released concurrently with Pine 4.55, and
contains primarily bugfixes. Programs written for imap-2002 will build
with this version without modification.
imap-2002d is a minor release, released concurrently with Pine 4.56, and
contains primarily bugfixes. Programs written for imap-2002 should build
with this version without modification, with one exception. That exception
is the ngbogus envelope flag, which stopped being used in imap-2002c and is
now gone for good.
See RELNOTES for additional information
imap-2002b is a maintenance release, released concurrently with Pine 4.52,
and contains only bugfixes. Programs written for imap-2002 will build with
this version without modification.
Drivers which do not announce new mail are now indicated by the DR_NONEWMAIL
driver flag. Drivers which do not announce new mail when read-only are now
indicated by the DR_NONEWMAILRONLY flag.
There are no user-visible functional enhancements in this version.
occurred because gss_import_name() was segfaulting if /etc/krb5.conf
was not found. To fix it, I swapped the krb5_init_context() and
the gss_import_name() calls, since krb5_init_context() will fail
if krb5 is not configured and I can fail appropriately.
I also changed slightly how the documentation is installed by the
main Makefile, because the ${CP} was relying on the non-existence
of the target directory.
* Updated buildlink.mk as the new version has some new #defines in the .h
file (and e.g. pine won't build against the old version)
Updated: 2 November 2001
imap-2001a is a maintenance release, consisting primarily of bugfixes
including some critical bugfixes to crash and denial of service problems.
Programs written for imap-2001 will build with this version without
modification.
The following new facilities have also been added:
The new /norsh switch in mailbox names provides a more intuitive way of
disabling rsh-IMAP than the existing :143 or setting the rsh-timeout to 0.
Passwords are no longer returned in mm_dlog() callbacks unless the
application sets the SET_DEBUGSENSITIVE parameter.
The SET_NETFSSTATBUG parameter allows an application to force the
traditional UNIX mailbox driver to close and reopen the mailbox at ping
time. This is EXTREMELY inefficient, and should only be used to access
files stored on AFS and old NFS systems.
The ISO 8859 and Windows conversion tables have been updated to comply
with Unicode 3.1, and the KOI8-R table has been verified as compliant with
Unicode 3.1.
The SPECIALS mechanism for passing parameters to the lowest level Makefile
has been updated to be more general. See the next item for why you might
care.
New lrh port to build on Red Hat Linux 7.2, with pre-set definitions for
the places where Red Hat has placed Kerberos and SSL. It's actually just
the lnp port with SPECIALS defined accordingly. You may want to use it as
a model if your system needs such definitions. Note that SPECIALS is
primarily for IMAP toolkit (and Pine) purposes, and that user settings
should use EXTRASPECIALS instead.
* Bugfixes
* SSL is now fully integrated into the IMAP toolkit
* Full client and server TLS support
* The server certificate must be signed by a trusted certificate authority
* RFC 1730 (IMAP4 as opposed to IMAP4rev1) support is turned off by default
in imapd