From: Matthias A. <mat...@gm...> - 2021-11-27 12:41:48
Greetings,

The 6.4.25 release CANDIDATE #2 of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL.

Release candidate #2 adds contrib/systemd (which see) and makes some fixes to configure.ac.

See COPYING, INSTALL, README.SSL, README.packaging for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc2.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc2.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc2.tar.xz)= dd5aae3ae1061640a273482ae44583be70052a4fb6be257b90803cefd849410f

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.25.rc2 (release candidate 2021-11-27, 31633 LoC):

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/

# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.

# CHANGES:
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.

# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-20 23:54:25
Greetings,

The 6.4.25 release CANDIDATE #1 of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL.

See COPYING, INSTALL, README.SSL for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc1.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc1.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc1.tar.xz)= 300787d19c31490fba2e8842b5f9ac13750c4db30def3222eec88b530b305161

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.25.rc1 (released 2021-11-20, 31632 LoC):

# BREAKING CHANGES
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/

# BUG FIXES
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# CHANGES
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-20 09:41:44
Greetings,

The 6.4.24 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING. NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.24.tar.lz)= 10018eaf3930cdc3162304f507bbd063233a0dde1febb82795c910c4c2f54b64
SHA256(fetchmail-6.4.24.tar.xz)= 9c961df25cd922f539218b0b56a77e7a47778e49ed907edaa5b4941ad3b253cf

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):

# OPENSSL AND LICENSING NOTE:
> see fetchmail-6.4.22, and the file COPYING. Note that distribution of packages linked with LibreSSL is not feasible due to a missing GPLv2 clause 2(b) exception.

# COMPATIBILITY:
* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a warning workaround. Remove the cast of yytoknum to void. This may cause a compiler warning to reappear with older Bison versions.
* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3 certificate in its trust store because OpenSSL by default prefers the untrusted certificate and fails. Fetchmail now sets the X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only). This is workaround #2 from the OpenSSL Blog. For details, see both:
  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
  NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library is kept up to date by a distributor or via OpenSSL support contract. Where this is not the case, please upgrade to a supported OpenSSL version.

# DOCUMENTATION:
* The manual page was revised after re-checking with mandoc -Tlint, aspell, igor. Some more revisions were made for clarity.

# TRANSLATIONS: language translations were updated by these fine people:
* sv: Göran Uddeborg [Swedish]
* pl: Jakub Bogusz [Polish]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-10-31 13:10:17
Greetings,

The 6.5.0.beta5 release of fetchmail is now available at the usual locations, including
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz.asc/download>

This brings the 6.5.0 beta in line with the recent 6.4 developments.

This is the change history from Git:

================================================================================
* b26f8b3b 2021-10-31 | po/: record state (HEAD -> legacy_6x, tag: SNAPSHOT_6-5-0-beta6, tag: 6.5.0.beta6)
* a3407a04 2021-10-31 | Merge branch 'legacy_64' into legacy_6x (sourceforge/legacy_6x, origin/legacy_6x)
|\
| * 86533e67 2021-10-31 | website: announce 6.4.23 release. (sourceforge/legacy_64, origin/legacy_64, legacy_64)
| * ce6c06dc 2021-10-31 | po/: Update German translation and record ja/sr updates. (tag: RELEASE_6-4-23)
| * 7183296d 2021-10-31 | Get ready for 6.4.23.
| * 56e8f9b6 2021-10-31 | IMAP: improve STARTTLS error message for ssh-plugin case
| * b93af8e8 2021-10-31 | NEWS: mention Мирослав Николић/Miroslav Nikolić as translator.
| * 0b90c974 2021-10-10 | Update <sr> Serbian translation to fetchmail-6.4.22.rc1 [Мирослав Николић]
| * 06113cae 2021-09-20 | NEWS: Mention Takeshi Hamasaki as translator.
* | fcb4ce6e 2021-09-20 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 47a2e9a0 2021-09-18 | Update <ja> Japanese translation to fetchmail 6.4.22.rc1 [Takeshi Hamasaki]
* | 298e7b79 2021-09-13 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 84f2d310 2021-09-13 | Get ready for 6.4.22. (tag: RELEASE_6-4-22)
| * 8eed56c2 2021-09-13 | Note OpenSSL 3.0.0 support and licensing change.
| * fded2be1 2021-09-01 | de.po: Fix typo in German translation
* | de625bd3 2021-09-13 | save
* | 53976bfd 2021-09-01 | CMake: check for vsyslog sym -> define HAVE_VSYSLOG
* | 647a75c5 2021-09-01 | Fix compilation in !HAVE_VSYSLOG path,
* | e433536a 2021-09-01 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 02693b4b 2021-09-01 | NEWS: fix spelink of Stefan Eßer's last name
| * 28490560 2021-09-01 | NEWS: Credit Petr Pisar for Czech translation.
| * 34656a01 2021-08-31 | IMAP: fix error code when LOGIN fails
| * 431ccf32 2021-08-30 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
| * 1a86e2c9 2021-08-29 | Update <cs> Czech translation to fetchmail 6.4.22.rc1 [Petr Pisar]
* | 921ecd0c 2021-08-30 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 4601caf3 2021-08-30 | website: announce 6.4.22.rc3
| * c863e9db 2021-08-29 | update SA-2021-02
| * 5b31e6e3 2021-08-29 | Get ready for 6.4.22.rc3. (tag: SNAPSHOT_6-4-22-rc3)
| * 5606d737 2021-08-29 | NEWS: Credit RC testers.
| * bdedbbd7 2021-08-29 | NEWS: credit translators.
| * 87af2407 2021-08-28 | Update <sq> Albanian translation to fetchmail-6.4.22.rc1 [Besnik Bleta]
| * 5d83eb47 2021-08-28 | Update <pl> Polish translation to fetchmail 6.4.22.rc1 [Jakub Bogusz]
| * d33bc06d 2021-08-29 | Fix IMAP protocol confusion on 2nd and subsequent polls.
| * a5a961e7 2021-08-28 | socket.c: invalid sslproto no longer abort()s
| * 79956228 2021-08-28 | Convert to UTF-8.
| * 8ca5b306 2021-08-28 | declare .txt to be UTF-8
| * 83341013 2021-08-28 | upload .htaccess
| * 36b4c0bb 2021-08-27 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
* | 358d2b0b 2021-08-28 | bump version to -beta6
* | 17853d32 2021-08-28 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 5f976705 2021-08-27 | Get ready for 6.4.22.rc2. (tag: SNAPSHOT_6-4-22-rc2)
| * c7c6055b 2021-08-27 | Credit fr/eo translators.
| * 521bcb6b 2021-08-27 | Update <fr> French translation to fetchmail-6.4.22.rc1 [Frédéric Marchal]
| * 1a293bb7 2021-08-27 | Update <eo> Esperanto translation to fetchmail 6.4.22.rc1 [Keith Bowes]
| * 616e8c70 2021-08-27 | imap.c, pop3.c: fix protocol regression of 6.4.22.rc1
| * 2a2150f4 2021-08-27 | etrn.c, odmr.c, pop2.c: declare NULL con-/destructors
| * 74771392 2021-08-27 | struct method: introduce con-/destructors
| * ec8e9e35 2021-08-27 | NEWS: fix typo.
| * 452d2c59 2021-08-27 | README.SSL-SERVER: require TLS 1.2/1.3
| * 44431fed 2021-08-27 | get ready for 6.4.22.rc1. (tag: SNAPSHOT_6-4-22-rc1)
| * 4b736f0a 2021-08-26 | Doxyfile: updates
| * 8363b7b7 2021-08-26 | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02
| * 5cca5d1e 2021-08-26 | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"
| * 27e6d102 2021-08-26 | po/de.po: Update German translation.
| * e12677b1 2021-08-26 | Misc POP3 cleanups.
| * 3837f0e2 2021-08-26 | SECURITY: imap.c, pop3.c: STARTTLS drops state
| * bb220dc1 2021-08-26 | NEWS: reword 6.4.21 regression fix to include --syslog
| * 4df94d59 2021-08-26 | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl
| * 5b22b38d 2021-08-26 | sanity check well-known POP3/IMAP ports vs. SSL
| * 9ef9cd28 2021-08-26 | lock.c: fix unused-value warning in unlockit().
| * f5644ba2 2021-08-26 | POP3: make CAPA parser caseblind.
| * a0b9f2fb 2021-08-26 | xmalloc.h: Add GCC malloc attribute to xmalloc().
| * 46a82e13 2021-08-26 | imap.c, report.c: remove or comment dead stores.
| * 8517491d 2021-08-26 | SECURITY: POP3: changes for --auth ssh and RPA
| * b11d834a 2021-08-26 | NEWS: Deprecate RPA and other nonstandard auth' schemes.
| * 77b3f56c 2021-08-26 | socket.c: plugin/plugout SIGSEGV and memleak fixes
| * 8fae5227 2021-08-26 | IMAP: record server's CAPABILITY data in pre-auth state.
| * 1b20ea02 2021-08-26 | IMAP: report 'upgrade to TLS succeeded' before CAPA probe
| * c78cc2fc 2021-08-26 | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.
| * 39818023 2021-08-26 | fetchmail.c: fix typo in comment.
| * 0bd7f01f 2021-08-26 | IMAP: log error if --auth external requested but server does not advertise it.
| * 771a80b7 2021-08-26 | imap.c: one FIXME for command continuation requests
| * a2fcf70b 2021-08-26 | IMAP: two more AUTHENTICATE EXTERNAL fixes
| * 8001d09a 2021-08-26 | IMAP: fix base64 length calc. for AUTH=EXTERNAL
| * 84580ab8 2021-08-26 | IMAP: don't send * after failed AUTHENTICATE EXTERNAL
| * 7f0acc8f 2021-08-26 | IMAP: rename misnamed function and variable
| * 5e9e3c86 2021-08-26 | Bump version to 6.4.22.rc1
| * 7ed2377c 2021-08-26 | manpage: Fix indentation under --sslproto
| * e7199006 2021-08-26 | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS
| * b82c3ccb 2021-08-26 | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed
* | 9a617868 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 3aad706d 2021-08-09 | 6.5.0.beta5: mention regression fix and idle timeout.
* | cf4bc0c5 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|/
* f8377e3c 2021-08-09 | Announce 6.4.21 and 6.5.0.beta5.
================================================================================
From: Matthias A. <mat...@gm...> - 2021-10-31 12:41:10
Greetings,

Sorry - first announcement slipped with the wrong version tag (beta5 instead of beta6).

The 6.5.0.beta6 release of fetchmail is now available at the usual locations, including
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta6.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta6.tar.xz.asc/download>

This brings the 6.5.0 beta in line with the recent 6.4 developments.

This is the change history from Git:

================================================================================
* b26f8b3b 2021-10-31 | po/: record state (HEAD -> legacy_6x, tag: SNAPSHOT_6-5-0-beta6, tag: 6.5.0.beta6)
* a3407a04 2021-10-31 | Merge branch 'legacy_64' into legacy_6x (sourceforge/legacy_6x, origin/legacy_6x)
|\
| * 86533e67 2021-10-31 | website: announce 6.4.23 release. (sourceforge/legacy_64, origin/legacy_64, legacy_64)
| * ce6c06dc 2021-10-31 | po/: Update German translation and record ja/sr updates. (tag: RELEASE_6-4-23)
| * 7183296d 2021-10-31 | Get ready for 6.4.23.
| * 56e8f9b6 2021-10-31 | IMAP: improve STARTTLS error message for ssh-plugin case
| * b93af8e8 2021-10-31 | NEWS: mention Мирослав Николић/Miroslav Nikolić as translator.
| * 0b90c974 2021-10-10 | Update <sr> Serbian translation to fetchmail-6.4.22.rc1 [Мирослав Николић]
| * 06113cae 2021-09-20 | NEWS: Mention Takeshi Hamasaki as translator.
* | fcb4ce6e 2021-09-20 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 47a2e9a0 2021-09-18 | Update <ja> Japanese translation to fetchmail 6.4.22.rc1 [Takeshi Hamasaki]
* | 298e7b79 2021-09-13 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 84f2d310 2021-09-13 | Get ready for 6.4.22. (tag: RELEASE_6-4-22)
| * 8eed56c2 2021-09-13 | Note OpenSSL 3.0.0 support and licensing change.
| * fded2be1 2021-09-01 | de.po: Fix typo in German translation
* | de625bd3 2021-09-13 | save
* | 53976bfd 2021-09-01 | CMake: check for vsyslog sym -> define HAVE_VSYSLOG
* | 647a75c5 2021-09-01 | Fix compilation in !HAVE_VSYSLOG path,
* | e433536a 2021-09-01 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 02693b4b 2021-09-01 | NEWS: fix spelink of Stefan Eßer's last name
| * 28490560 2021-09-01 | NEWS: Credit Petr Pisar for Czech translation.
| * 34656a01 2021-08-31 | IMAP: fix error code when LOGIN fails
| * 431ccf32 2021-08-30 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
| * 1a86e2c9 2021-08-29 | Update <cs> Czech translation to fetchmail 6.4.22.rc1 [Petr Pisar]
* | 921ecd0c 2021-08-30 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 4601caf3 2021-08-30 | website: announce 6.4.22.rc3
| * c863e9db 2021-08-29 | update SA-2021-02
| * 5b31e6e3 2021-08-29 | Get ready for 6.4.22.rc3. (tag: SNAPSHOT_6-4-22-rc3)
| * 5606d737 2021-08-29 | NEWS: Credit RC testers.
| * bdedbbd7 2021-08-29 | NEWS: credit translators.
| * 87af2407 2021-08-28 | Update <sq> Albanian translation to fetchmail-6.4.22.rc1 [Besnik Bleta]
| * 5d83eb47 2021-08-28 | Update <pl> Polish translation to fetchmail 6.4.22.rc1 [Jakub Bogusz]
| * d33bc06d 2021-08-29 | Fix IMAP protocol confusion on 2nd and subsequent polls.
| * a5a961e7 2021-08-28 | socket.c: invalid sslproto no longer abort()s
| * 79956228 2021-08-28 | Convert to UTF-8.
| * 8ca5b306 2021-08-28 | declare .txt to be UTF-8
| * 83341013 2021-08-28 | upload .htaccess
| * 36b4c0bb 2021-08-27 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
* | 358d2b0b 2021-08-28 | bump version to -beta6
* | 17853d32 2021-08-28 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 5f976705 2021-08-27 | Get ready for 6.4.22.rc2. (tag: SNAPSHOT_6-4-22-rc2)
| * c7c6055b 2021-08-27 | Credit fr/eo translators.
| * 521bcb6b 2021-08-27 | Update <fr> French translation to fetchmail-6.4.22.rc1 [Frédéric Marchal]
| * 1a293bb7 2021-08-27 | Update <eo> Esperanto translation to fetchmail 6.4.22.rc1 [Keith Bowes]
| * 616e8c70 2021-08-27 | imap.c, pop3.c: fix protocol regression of 6.4.22.rc1
| * 2a2150f4 2021-08-27 | etrn.c, odmr.c, pop2.c: declare NULL con-/destructors
| * 74771392 2021-08-27 | struct method: introduce con-/destructors
| * ec8e9e35 2021-08-27 | NEWS: fix typo.
| * 452d2c59 2021-08-27 | README.SSL-SERVER: require TLS 1.2/1.3
| * 44431fed 2021-08-27 | get ready for 6.4.22.rc1. (tag: SNAPSHOT_6-4-22-rc1)
| * 4b736f0a 2021-08-26 | Doxyfile: updates
| * 8363b7b7 2021-08-26 | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02
| * 5cca5d1e 2021-08-26 | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"
| * 27e6d102 2021-08-26 | po/de.po: Update German translation.
| * e12677b1 2021-08-26 | Misc POP3 cleanups.
| * 3837f0e2 2021-08-26 | SECURITY: imap.c, pop3.c: STARTTLS drops state
| * bb220dc1 2021-08-26 | NEWS: reword 6.4.21 regression fix to include --syslog
| * 4df94d59 2021-08-26 | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl
| * 5b22b38d 2021-08-26 | sanity check well-known POP3/IMAP ports vs. SSL
| * 9ef9cd28 2021-08-26 | lock.c: fix unused-value warning in unlockit().
| * f5644ba2 2021-08-26 | POP3: make CAPA parser caseblind.
| * a0b9f2fb 2021-08-26 | xmalloc.h: Add GCC malloc attribute to xmalloc().
| * 46a82e13 2021-08-26 | imap.c, report.c: remove or comment dead stores.
| * 8517491d 2021-08-26 | SECURITY: POP3: changes for --auth ssh and RPA
| * b11d834a 2021-08-26 | NEWS: Deprecate RPA and other nonstandard auth' schemes.
| * 77b3f56c 2021-08-26 | socket.c: plugin/plugout SIGSEGV and memleak fixes
| * 8fae5227 2021-08-26 | IMAP: record server's CAPABILITY data in pre-auth state.
| * 1b20ea02 2021-08-26 | IMAP: report 'upgrade to TLS succeeded' before CAPA probe
| * c78cc2fc 2021-08-26 | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.
| * 39818023 2021-08-26 | fetchmail.c: fix typo in comment.
| * 0bd7f01f 2021-08-26 | IMAP: log error if --auth external requested but server does not advertise it.
| * 771a80b7 2021-08-26 | imap.c: one FIXME for command continuation requests
| * a2fcf70b 2021-08-26 | IMAP: two more AUTHENTICATE EXTERNAL fixes
| * 8001d09a 2021-08-26 | IMAP: fix base64 length calc. for AUTH=EXTERNAL
| * 84580ab8 2021-08-26 | IMAP: don't send * after failed AUTHENTICATE EXTERNAL
| * 7f0acc8f 2021-08-26 | IMAP: rename misnamed function and variable
| * 5e9e3c86 2021-08-26 | Bump version to 6.4.22.rc1
| * 7ed2377c 2021-08-26 | manpage: Fix indentation under --sslproto
| * e7199006 2021-08-26 | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS
| * b82c3ccb 2021-08-26 | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed
* | 9a617868 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 3aad706d 2021-08-09 | 6.5.0.beta5: mention regression fix and idle timeout.
* | cf4bc0c5 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|/
* f8377e3c 2021-08-09 | Announce 6.4.21 and 6.5.0.beta5.
================================================================================
From: Matthias A. <mat...@gm...> - 2021-10-31 12:21:00
Greetings,

The 6.4.23 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It updates the Japanese and Serbian translations and improves an error message around STARTTLS with IMAP --auth ssh and --plugin.

Note the tarball was re-rolled to include the German translation update, missed in the first upload.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.23.tar.lz)= 0fa3b57f05ec38b3ecb58d2221223b6a4da6e30dd857af37b49798c3e84a71e5
SHA256(fetchmail-6.4.23.tar.xz)= 5f7a5e13731431134a2ca535bbced7adc666d3aeb93169a0830945d91f492300

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):

# USABILITY:
* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin - no matter its contents - and that set auth ssh), change the STARTTLS error message to suggest sslproto '' instead. This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22. Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.

# TRANSLATIONS: language translations were updated by these fine people:
* ja: Takeshi Hamasaki [Japanese]
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-09-13 21:18:24
Note that I had to re-roll the tarballs after missing a few documentation updates. The original tarballs were only available for a few minutes.

The updated checksums are these:
SHA256(fetchmail-6.4.22.tar.lz)= c704b2af5d083550a0b0f1d9af7284afe85247cba08f4e268f429db4b3d0c42a
SHA256(fetchmail-6.4.22.tar.xz)= cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
From: Matthias A. <mat...@gm...> - 2021-09-13 21:17:53
Note that I had to re-roll the tarballs after missing a few documentation updates. The original tarballs were only available for a few minutes.

The updated checksums are these:
SHA256(fetchmail-6.4.22.tar.lz)= c704b2af5d083550a0b0f1d9af7284afe85247cba08f4e268f429db4b3d0c42a
SHA256(fetchmail-6.4.22.tar.xz)= cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
From: Matthias A. <mat...@gm...> - 2021-09-13 21:06:19
Greetings,

The 6.4.22 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains the security fix for CVE-2021-39272 of 6.4.21 and earlier, fixes some crashes that can be triggered by local configurations, and makes some fixes to authentication and other changes, details below.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.22.tar.lz)= 5e596136660cca9b71f73c0f6fe79cc76db7db2b2dc33c08ad25241ed0cba368
SHA256(fetchmail-6.4.22.tar.xz)= 104379499a1346330a6799f1e20c790211dd07835cb1af5668dfd25de71357f4

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):

# OPENSSL AND LICENSING NOTE:
* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay license to Apache License v2.0, which is considered incompatible with GPL v2 by the FSF. For implications and details, see the file COPYING.

# SECURITY FIXES:
* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation)
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]

# CREDITS:
* Thanks for testing the release candidates and bug reports to: Corey Halpin, Stefan Eßer.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
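
The IMAP greeting and capability checks described under SECURITY FIXES in the 6.4.22 notes above, written out as an added example; it is not fetchmail's code, and every name in it (tls_policy, next_step, login_permitted) and every sample greeting is constructed for illustration. It assumes implicit_tls models --ssl and require_starttls models a nonempty --sslproto without --ssl.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* All names below are hypothetical; none are taken from fetchmail's source. */
enum greeting { GREET_OK, GREET_PREAUTH, GREET_BYE, GREET_INVALID };
enum action { ACT_STARTTLS, ACT_AUTHENTICATE, ACT_CONTINUE_PREAUTH, ACT_ABORT };

struct tls_policy {
    bool implicit_tls;     /* assumed to model --ssl (TLS from the first byte) */
    bool require_starttls; /* assumed to model nonempty --sslproto without --ssl */
};

/* True if line is the untagged status response "* <word>", in any letter case. */
static bool status_is(const char *line, const char *word)
{
    size_t n = strlen(word);

    if (strncmp(line, "* ", 2) != 0)
        return false;
    line += 2;
    return strncasecmp(line, word, n) == 0 &&
           (line[n] == ' ' || line[n] == '\r' || line[n] == '\n' || line[n] == '\0');
}

enum greeting classify_greeting(const char *line)
{
    if (status_is(line, "OK"))
        return GREET_OK;
    if (status_is(line, "PREAUTH"))
        return GREET_PREAUTH;
    if (status_is(line, "BYE"))
        return GREET_BYE;
    return GREET_INVALID;
}

/* Whole-token, case-insensitive lookup in a space-separated capability list.
 * After a successful STARTTLS the caller must pass a freshly probed list:
 * capabilities received in cleartext are not trustworthy. */
bool has_capability(const char *caps, const char *name)
{
    size_t n = strlen(name);

    while (*caps != '\0') {
        size_t len = strcspn(caps, " \r\n");
        if (len == n && strncasecmp(caps, name, n) == 0)
            return true;
        caps += len;
        caps += strspn(caps, " \r\n");
    }
    return false;
}

/* Decide what to do right after the server greeting. */
enum action next_step(const struct tls_policy *pol, bool tls_active,
                      enum greeting g, const char *caps)
{
    bool encrypted = pol->implicit_tls || tls_active;

    if (g == GREET_BYE || g == GREET_INVALID)
        return ACT_ABORT;
    if (encrypted || !pol->require_starttls)
        return g == GREET_PREAUTH ? ACT_CONTINUE_PREAUTH : ACT_AUTHENTICATE;
    /* Cleartext connection on which TLS is mandatory. PREAUTH puts the session
     * in authenticated state, where RFC 3501 no longer allows STARTTLS, so
     * carrying on would mean fetching mail unencrypted: drop the connection. */
    if (g == GREET_PREAUTH)
        return ACT_ABORT;
    return has_capability(caps, "STARTTLS") ? ACT_STARTTLS : ACT_ABORT;
}

/* A server-side LOGINDISABLED must not be overridden by local configuration. */
bool login_permitted(const char *caps)
{
    return !has_capability(caps, "LOGINDISABLED");
}

int main(void)
{
    static const char *const names[] = {
        "STARTTLS", "AUTHENTICATE", "CONTINUE (PREAUTH)", "ABORT"
    };
    /* Constructed greetings and capability lists, not captured from a server. */
    static const struct { const char *greeting, *caps; } samples[] = {
        { "* OK IMAP4rev1 server ready\r\n", "IMAP4rev1 STARTTLS LOGINDISABLED" },
        { "* OK IMAP4rev1 server ready\r\n", "IMAP4rev1 AUTH=PLAIN" },
        { "* PREAUTH logged in as user\r\n", "IMAP4rev1" },
    };
    const struct tls_policy enforce = { false, true };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum greeting g = classify_greeting(samples[i].greeting);
        printf("%-36.30s -> %s, LOGIN %s\n", samples[i].greeting,
               names[next_step(&enforce, false, g, samples[i].caps)],
               login_permitted(samples[i].caps) ? "allowed" : "refused");
    }
    return 0;
}
```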
From: Matthias A. <mat...@gm...> - 2021-08-29 15:37:42
|
Greetings,

The 6.4.22 release CANDIDATE #3 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

rc2 fixes an IMAP protocol regression of rc1 that made it unable to download e-mail via IMAP in many circumstances. Reported by Corey Halpin.

rc3 fixes an IMAP protocol regression that struck when a server was not the very first server in a run. Reported by Stefan Esser.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc3.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc3.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.22.rc3.tar.xz)= 1087a1c8ef8053f2deb97c17e2ab1a91fd3dd40fe275c7d6da0693bb1218fe13

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation)
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]

# CREDITS:
* Thanks for testing the release candidates and bug reports to: Corey Halpin, Stefan Esser.
--------------------------------------------------------------------------------
Happy fetches,
Matthias
|
From: Matthias A. <mat...@gm...> - 2021-08-27 18:02:36
|
Greetings,

The 6.4.22 release CANDIDATE #2 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

rc2 fixes an IMAP protocol regression of rc1 that made it unable to download e-mail via IMAP in many circumstances.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc2.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc2.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.22.rc2.tar.xz)= 1bd3f25e221ea01de4ba57447b7464f8c5f07f0f107701583b9cdd85740da276

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation)
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: These language translations were updated by these fine people:
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
--------------------------------------------------------------------------------
Happy fetches,
Matthias
|
From: Matthias A. <mat...@gm...> - 2021-08-27 16:33:42
|
Greetings,

I am withdrawing 6.4.22.rc1 and ask that nobody installs it anew if IMAP fetches are desired. Setups that purely use POP3 seem fine for now, and if your setup can fetch mail from all your configurations, you need not downgrade.

Sorry about this, but that is why there are release candidates, some turn out to be unworthy of promotion to a release.

I am moving 6.4.22.rc1 around on sourceforge from branch_6.4/ to OldFiles/ so that people missing this announcement don't find it at the place announced earlier.

Withdrawal reason: I received and confirmed a regression report against fetchmail's IMAP client, and 6.4.22.rc1 misidentifies IMAP protocol versions and in many situations tries IMAP4 commands on IMAP2 and IMAP4rev1 servers, which leads to poll errors without any mail downloaded. This is a side effect from the "reset session data", not covered in my testing scenarios.

-ma
|
From: Matthias A. <mat...@gm...> - 2021-08-26 22:32:00
|
fetchmail-SA-2021-02: STARTTLS session encryption bypassing

Topics:         fetchmail fails to enforce an encrypted connection

Author:         Matthias Andree
Version:        0.9
Announced:      2021-08-26
Type:           failure to enforce configured security policy
Impact:         fetchmail continues an unencrypted connection, thus reading unauthenticated input and sending information unencrypted over its transport
Danger:         medium
Acknowledgment: Andrew C. Aitchison for reporting this against fetchmail
                Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel for their Usenix Security 21 paper NO STARTTLS

CVE Name:       CVE-2021-39272
URL:            https://www.fetchmail.info/fetchmail-SA-2021-02.txt
Project URL:    https://www.fetchmail.info/

Affects:        - fetchmail releases up to and including 6.4.21

Not affected:   - fetchmail releases 6.4.22 and newer

Corrected in:   2021-08-26 fetchmail 6.4.22.rc1 release candidate
                TBD fetchmail 6.4.22 release tarball

0. History of this announcement
===============================
2021-08-10 Andrew C. Aitchison contacts fetchmail maintainer with pointer to Usenix Security 21 paper by Damian Poddebniak et al.
2021-08-16 a simplified recommendation to configure --ssl where possible (see section 3b. below) to mitigate impact was sent to the fetchmail mailing lists
2021-08-26 0.9 initial release along with fetchmail 6.4.22.rc1

1. Background
=============
fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports.

2. Problem description and Impact
=================================
fetchmail permits requiring that an IMAP or POP3 protocol exchange uses a TLS-encrypted transport, in 6.4 by way of an --sslproto auto or similar configuration. This TLS encryption can be established either as Implicit TLS connection, which negotiates TLS first, or as a STARTTLS which starts as cleartext protocol exchange that gets upgraded in the same TCP stream to TLS.

Without special configuration, fetchmail would opportunistically try to upgrade cleartext connections to TLS by STARTTLS, but allow cleartext protocol exchange, which is documented.

IMAP also supports sessions that start in "authenticated state" (PREAUTH). In this latter case, IMAP (RFC-3501) does not permit sending STARTTLS negotiations, which are only permissible in not-authenticated state.

In such a combination of circumstances (1. IMAP protocol in use, 2. the server greets with PREAUTH, announcing authenticated state, 3. the user configured TLS mandatory, 4. the user did not configure "ssl" mode that uses separate ports for Implicit SSL/TLS), fetchmail 6.4.21 and older would not encrypt the session.

There was a similar situation for POP3: if the remote name contained @compuserve.com, and if the server supported a non-standard "AUTH" command without mechanism argument and if it responded with a list that contained "RPA" (also in mixed or lower case), then fetchmail would not attempt STARTTLS. While the password itself is then protected by the RPA scheme (which employs MD5 however), fetchmail 6.4.21 and older would not encrypt the session.

Also, a configuration containing --auth ssh (meaning that fetchmail should not authenticate, on the assumption that the session will be pre-authenticated for instance through SSH running a mail server with --plugin, or TLS client certificates), would also defeat STARTTLS as result of an implementation defect. This affected both POP3 and IMAP.

3. Solutions
============
PREFACE: distributors backporting fixes to old versions are asked to diff the manual page and review the changes, and the NEWS file, because the manual page has been updated with newer recommendations. The same backport recommendations hold for the README.SSL file.

3a. Install fetchmail 6.4.22 or newer.

The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>.

The Git-based source code repository is currently published via
https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_64 (primary)
https://sourceforge.net/p/fetchmail/git/ci/legacy_64/tree/ (copy)

3b. Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange.

Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.

A. Copyright, License and Non-Warranty
======================================
(C) Copyright 2021 by Matthias Andree, <mat...@gm...>. Some rights reserved.

© Copyright 2021 by Matthias Andree. This file is licensed under CC BY-ND 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END of fetchmail-SA-2021-02
|
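Added example, not part of the advisory and not fetchmail's own code: a fail-closed decision function for the IMAP greeting cases described in section 2 of fetchmail-SA-2021-02 above. All names (`on_imap_greeting`, the `ACT_*` values, the `implicit_tls` and `tls_required` flags) are hypothetical; `tls_required` stands for the advisory's "user configured TLS mandatory" and `implicit_tls` for "ssl" mode, and the greetings in `main` are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What the client should do once it has read the server greeting. */
enum action {
    ACT_PROCEED_ENCRYPTED,      /* implicit TLS: greeting arrived inside TLS */
    ACT_STARTTLS_MANDATORY,     /* send STARTTLS; abort if it does not succeed */
    ACT_STARTTLS_OPPORTUNISTIC, /* try STARTTLS; cleartext fallback is allowed */
    ACT_PROCEED_CLEARTEXT,      /* no TLS possible here and none demanded */
    ACT_ABORT                   /* policy cannot be met: log and disconnect */
};

/* Case-insensitive comparison of the greeting's condition atom. */
static int atom_is(const char *s, size_t len, const char *upper)
{
    size_t i;

    if (strlen(upper) != len)
        return 0;
    for (i = 0; i < len; i++)
        if (toupper((unsigned char)s[i]) != upper[i])
            return 0;
    return 1;
}

/* Hypothetical policy check: line is the first line received from the server. */
enum action on_imap_greeting(const char *line, int implicit_tls, int tls_required)
{
    const char *cond;
    size_t len;

    if (strncmp(line, "* ", 2) != 0)
        return ACT_ABORT;           /* a greeting is always an untagged response */
    cond = line + 2;
    len = strcspn(cond, " \r\n");   /* the atom ends at space or line end */

    if (atom_is(cond, len, "OK")) {
        if (implicit_tls)
            return ACT_PROCEED_ENCRYPTED;
        return tls_required ? ACT_STARTTLS_MANDATORY : ACT_STARTTLS_OPPORTUNISTIC;
    }
    if (atom_is(cond, len, "PREAUTH")) {
        if (implicit_tls)
            return ACT_PROCEED_ENCRYPTED;
        /* Authenticated state: STARTTLS is only permitted in not-authenticated
         * state, so a mandatory-TLS policy can no longer be satisfied. */
        return tls_required ? ACT_ABORT : ACT_PROCEED_CLEARTEXT;
    }
    return ACT_ABORT;               /* BYE, or anything that is not a greeting */
}

int main(void)
{
    /* Constructed sample greetings. */
    const char *samples[] = {
        "* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n",
        "* PREAUTH [CAPABILITY IMAP4rev1] logged in as alice\r\n",
        "* preauth welcome back\r\n",
        "* BYE shutting down\r\n",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("tls mandatory, no implicit TLS -> action %d for %s",
               (int)on_imap_greeting(samples[i], 0, 1), samples[i]);
    return 0;
}
```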
From: Matthias A. <mat...@gm...> - 2021-08-26 22:29:55
|
Greetings,

The 6.4.22 release CANDIDATE of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc1.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc1.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.22.rc1.tar.xz)= 96634167a0c21673abaa8c76e669fb5799266c19f784c03a760c2048681cd3b3

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation)
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.
---------------------------------------------------------------------------------
Happy fetches,
Matthias
|
From: Matthias A. <mat...@gm...> - 2021-08-15 14:41:01
|
Greetings,

all released fetchmail versions to date (up to and including 6.4.21) were found susceptible to some sorts of attacks against STARTTLS (IMAP) or STLS (POP3), which can lead to a session that remains unencrypted even though --sslproto tls1.2+ or similar configurations require encryption, and worst case exposing the user's login credentials and also e-mail when the configuration tells otherwise.

The solution in fetchmail code requires thorough reviews and changes that will take more time. Remember that fetchmail is a volunteer spare-time project.

The details of the implementation and concept flaws shall be disclosed later in the formal fetchmail security announcement 2021-02 (not yet published).

MITIGATING THE IMPACT: Proper configuration for Implicit TLS can mitigate the impact for many users. I am already announcing such configuration changes below:

------------------------------------------------------------------------
Everyone whose server supports "Implicit TLS", meaning TLS on a dedicated imaps port (TCP port 993) or pop3s port (TCP port 995), should reconfigure fetchmail to enable this option (ssl or --ssl) permanently.

This can be achieved in two ways, either of which alone is sufficient:
- on the command line, add --ssl, which will affect all servers included in the poll (= all poll statements from the rcfile, or all servers mentioned on the same command line).
- in the rcfile, by adding the word "ssl" without quotes after each configuration stanza for a user description.

After making the change, test your new configuration before enabling unattended operation.

Future directions:
1. The Internet Engineering Task Force (IETF) has proposed standards that consider both STARTTLS obsolete (RFC-8314) and deprecate TLS 1.1 and earlier (including all SSL versions) (RFC-8997).
2. I may make Implicit TLS the default in future fetchmail releases, and promise to at least bump the minor version to >= 6.5.0 in that case.
------------------------------------------------------------------------
I will also add an *unrelated* recommendation while we are at it and users are suggested to edit their configurations anyways:

I suggest that everyone configures fetchmail to negotiate at least TLS v1.2 if supported by the server, or at least TLS v1.2, which can happen on the command line through --sslproto TLS1.2+ or in the rcfile by adding sslproto TLS1.2+ in each stanza after each user statement.

Where possible, meaning server-side support and support by the local OpenSSL library version (for instance, 1.1.1 is good enough), fetchmail can also be configured to require TLS v1.3 or newer instead, in that case, use --sslproto TLS1.3+ on the command line or sslproto TLS1.3+ in the rcfile.

future direction: fetchmail 6.5 and newer (not yet released and several weeks to months out) will make TLS 1.2 the minimum required version, and will also require an OpenSSL library that supports TLS 1.3.
------------------------------------------------------------------------
Note that the changes proposed above, when successfully deployed, can remain in place when fetchmail 6.4.22 will be released, so there is no need to wait.
|
From: Matthias A. <mat...@gm...> - 2021-08-09 17:04:11
|
Greetings,

The 6.5.0.beta5 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz.asc/download>

This fixes a regression introduced with the security fix for CVE-2021-36386 that broke --logfile and generally could cause log message truncation, and merges Eric Durand's --idletimeout configuration feature.

This is the change history from Git:
================================================================================
* 0664b370 2021-08-09 | Merge branch 'legacy_64' into legacy_6x, bumping...
|\
| * 06aee72e 2021-08-09 | Bump version to 6.4.21. (tag: RELEASE_6-4-21)
| * 65d9dde0 2021-08-09 | Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3.
| * 54c3e4a1 2021-08-09 | NEWS/6.4.20: Fix typo in CVE number.
| * d3db2da1 2021-08-09 | Fix --logfile and message truncation issue.
| * f6ebe48b 2021-08-03 | fetchmail-SA-2021-01.txt: Replace copy by symlink
| * a8f8447d 2021-08-03 | update fetchmail-SA-2021-01
| * fa027fe6 2021-08-03 | website: ext. link updates for openssh, getmail6
| * 13d816ba 2021-08-03 | Update website for 6.5.0.beta4 release.
* db1cff0d 2021-08-05 | Merge branch 'rand0mdud3/fetchmail-legacy_6x_idle_timeout' into legacy_6x
|\
| * 3d71de2f 2021-08-05 | Complete integration of --idletimeout feature.
| * 0dc17130 2021-07-22 | Make the idle timeout configurable [Eric Durand]
|/
* adcd49a1 2021-08-05 | fetchmailconf: fixup merge indentation error from ed4903efad
* 77a1e3fc 2021-08-04 | fetchmail.man: Minor tweaks to sslproto doc.
* 38f73ff5 2021-08-04 | fetchmail.man: update sslproto to reflect defaults
* b3dd1527 2021-08-04 | socket.c: try harder not to redefine TLS_MAX_VERSION
* b3eb6a48 2021-08-04 | driver.c: Fix misreporting SMTP errors as MDA.
* 8e435aff 2021-08-04 | get_sink_type: return gettextized string of sink type.
* 6124abb3 2021-08-04 | socket.c: refactor SSL shutdown/context getter code
================================================================================
|
From: Matthias A. <mat...@gm...> - 2021-08-09 16:51:07
|
TL;DR Summary: While fetchmail 6.4.20 fixed CVE-2021-36386, it introduced a bug WRT buffered logging that got fixed in 6.4.21. Packagers should either upgrade all the way to 6.4.21, or pick the near-trivial regression fix from section #3 below or Git commit d3db2da1 can be cherry-picked from the GitLab or SourceForge repos.

Updated security announcement follows:
--------------------------------------------------------------------
fetchmail-SA-2021-01: DoS or information disclosure logging long messages

Topics:         fetchmail denial of service or information disclosure when logging long messages

Author:         Matthias Andree
Version:        1.3
Announced:      2021-07-28 (original), 2021-08-09 (last update)
Type:           missing variable initialization can cause read from bad memory locations
Impact:         fetchmail logs random information, or segfaults and aborts, stalling inbound mail
Danger:         low
Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany for analysis and report and a patch suggestion

CVE Name:       CVE-2021-36386 and CVE-2008-2711
URL:            https://www.fetchmail.info/fetchmail-SA-2021-01.txt
URL:            https://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL:    https://www.fetchmail.info/

Affects:        - fetchmail releases up to and including 6.3.8
                - fetchmail releases 6.3.17 up to incl. 6.4.19 (but note 6.4.20 regresses for buffered output, f.i. with --logfile)

Not affected:   - fetchmail releases 6.4.21 and newer (fetchmail 6.4.20 fixes the immediate bug but regresses and causes message truncation on buffered output)
                - fetchmail releases 6.3.9 to 6.3.16

Corrected in:   c546c829 + d3db2da1 Git commit hash (both needed)
                2021-08-09 fetchmail 6.4.21 release tarball

0. Release history
==================
2021-07-07 initial report to maintainer
2021-07-28 1.0 release
2021-07-28 1.1 update Git commit hash with correction
2021-08-03 1.2 add references to CVE-2008-2711/fetchmail-SA-2008-01
2021-08-09 1.3 mention buffered logging regression (--logfile)

1. Background
=============
fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports.

2. Problem description and Impact
=================================
Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf.

The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration. On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end.

The same bug then named CVE-2008-2711 had already been fixed in fetchmail 6.3.9, but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010) reintroduced the bug.

Fetchmail versions 6.4.19 and older are no longer supported, however. The bugfix used in 6.4.20 uses a different, more thorough, approach.

3. Solution
===========
Install fetchmail 6.4.21 or newer.

The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>.

Distributors are encouraged to review the NEWS file and move forward to 6.4.21, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates.

The regression fix for the new non-security bug in 6.4.20 that causes log message truncation simply consists of editing report.c to rotate lines 289 through 291, such that the /corrected/ report.c then looks like this:

    286       n = snprintf (partial_message + partial_message_size_used,
    287                     partial_message_size - partial_message_size_used,
    288                     message, a1, a2, a3, a4, a5, a6, a7, a8);
    289
    290       if (n > 0) partial_message_size_used += n;
    291 #endif
    292
    293       if (unbuffered && partial_message_size_used != 0)

Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface incompatibly.

A. Copyright, License and Non-Warranty
======================================
(C) Copyright 2021 by Matthias Andree, <mat...@gm...>. Some rights reserved.

fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC BY-ND 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END of fetchmail-SA-2021-01
|
From: Matthias A. <mat...@gm...> - 2021-08-09 16:47:21
|
Greetings,

The 6.4.21 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains the security fix for CVE-2021-36386 of 6.4.20, and fixes a regression/a bug that causes log message truncation/run-together prominently visible with --logfile that was introduced into 6.4.20.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.21.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.21.tar.lz)= 3abbe5f7bb003bdf3b8b71a2edd896fba55cbd3d19d59fe2ff8925fca4983af7
SHA256(fetchmail-6.4.21.tar.xz)= 6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):

# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of messages logged to buffered outputs, predominantly --logfile. This also caused lines in the logfile to run into one another because the fragment containing the '\n' line-end character was usually lost. Reason is that on all modern systems (with <stdarg.h> header and vsnprintf() interface), the length of log message fragments was added up twice, so that these ended too deep into a freshly allocated buffer, after the '\0' byte. Unbuffered outputs flushed the fragments right away, which masked the bug. Reported by: Jürgen Edner, Erik Christiansen.

--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation. fetchmail then reallocates memory and re-runs vsnprintf() without another call to va_start(), so it reads garbage. The exact impact depends on many factors around the compiler and operating system configurations used and the implementation details of the stdarg.h interfaces of the two functions mentioned before. To fix CVE-2021-38386. Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.

---------------------------------------------------------------------------------
Happy fetches,
Matthias
|
From: Matthias A. <mat...@gm...> - 2021-08-03 14:31:58
|
Greetings,

The 7.0.0-alpha9 snapshot of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/>

The source archive and a detached GnuPG signature are available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha9.tar.xz/download>
<https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha9.tar.xz.asc/download>

It mostly merges up the recent 6.4 and 6.5 branch changes including the CVE-2021-36386 security fix, but has a few changes of its own:

* 8a485deb 2021-08-03 | Bump version to alpha9. (tag: 7.0.0-alpha9)
* f63c20f0 2021-06-27 | Add support for Microsoft Office 365 OAuth2 login [Marijn van Vliet]
* 71edd0ce 2021-04-29 | PWMD: rename ./configure option to --enable-libpwmd
* ede874be 2021-04-29 | build-pwmd.sh: developer test script to build PWMD-enabled fetchmail for make check
* 09efedd3 2021-04-29 | .gitignore: no longer ignore build* non-directories
* 3898bb03 2021-04-27 | pwmd: Fix building with recent GCC. [Ben Kibbey]

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-7.0.0 (not yet released):

NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED!

XXX and FIXME - see the big merge of 2019-08-25, and 2021-01-03

# INCOMPATIBLE CHANGES
* The SSL/TLS options were massively changed and disentangled, to be clearer.
* --sslmode starttls=must is now the default as a consequence of the previous sslcertck default. If you need an unencrypted connection, use --sslmode none. If you need an SSL-wrapped connection that starts immediately on a separate port, use --sslmode wrapped.
* See the REMOVED FEATURES section below for further incompatibilities.

# MAJOR CHANGES
* The POP3 code now always uses UIDL, except if "fetchall" is in effect. Fixes BerliOS Bug #16172. Fixes Debian Bug#345788. The --uidl option is now gone.

# FEATURES ADDED
* fetchmail has initial support for OAUTH2, courtesy of Matthew M. Ogilvie. This requires a helper script (in Python) that ships in the contrib/ section.
* Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at compile-time and requires run-time configuration. See README.PWMD for details. Contributed by Ben Kibbey, author of libpwmd and pwmd.
* Fetchmail can now run an external command to retrieve credentials (passwords), see the fetchmail man page for passwordeval.
* Fetchmail now supports a retrieve-error command line or rcfile option that takes exactly one argument, abort (default), continue or markseen. This specifies the policy used by fetchmail to handle messages whose bodies fail to be retrieved due to server errors. Both the continue and markseen options will skip the message with errors and allow the session to continue so that subsequent messages can be retrieved. The markseen option will also mark the message with errors as seen. The default policy is to abort the session whenever a server error occurs. Contributed by Craig Brown.
* Fetchmailconf offers CRAM-MD5 and APOP authentication. XXX FIXME: check
* The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode option, which cleans up the incomprehensible --ssl and --sslproto mess of fetchmail versions before v7.0.0.
* The SSL/TLS/STARTTLS protocol version can now be selected through a new --sslprotocolversion switch.
* The SSL/TLS cipher in use is now reported in verbose mode.
* FIXME: The SHA1 fingerprint is now printed along with the MD5 digest of the server's certificate; however, this can not yet be matched - matches are still against MD5 only.

# REMOVED FEATURES
* IMAP2 and POP2 protocol support were removed.
* RPOP support (not actually a protocol, but a variant of POP3) was removed.
* POP3: the (--)uidl option has been removed. It is always on.
* POP3: LAST is no longer used. It was removed from POP3 in the year 1994, and it could cause mail loss when the connection was interrupted or if clients besides fetchmail polled the mailbox.
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain.
* Kerberos IV support was removed.
* The --ssl option is obsolescent and triggers a warning that users should use --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped.
* The --sslproto option was removed. Two new options were added in its place, --sslmode and --sslprotocolversion.
* A lot of outdated and/or unsafe-to-use material got dropped from contrib/.

# CHANGES
* APOP is no longer a protocol, but an authentication method. In order to use it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop. If no authentication method is specified, APOP is automatically tried if offered by the server before we resort to sending the password as clear text.

# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the current release information)
* Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, so compiling 32-bit SPARC code should not cause any difficulties.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI.

--------------------------------------------------------------------------------
|
From: Matthias A. <mat...@gm...> - 2021-08-03 14:13:40
|
Greetings,

The 6.5.0.beta4 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta4.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta4.tar.xz.asc/download>

This merges the recent 6.4.20 security fix for CVE-2021-36386, with these additional changes:

* 1c214c45 2021-07-07 | mock POP3 test server updates
* 2cc88ec4 2021-06-26 | GitLab CI
* 462b5c38 2021-05-15 | CMakeLists.txt: only compile getopt* if getopt_long() missing.
* a6f29dc5 2021-05-13 | Rudimentary unusable attempt at a CMakeLists file.
* c7b820b1 2021-04-26 | fetchmail.man: really bump version to beta3 to match release.
* 57bd6a92 2021-04-26 | imap.c: correct EXPUNGE count -> EXPUNGE message no.

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.5.0 (not yet released):

## REMOVED FEATURES
* fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone.
* fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given.

## INCOMPATIBLE CHANGES
* fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
* fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
* fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
* fetchmailconf now requires Python 3.7.0 or newer.
* fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte.
* fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below.

## CHANGED REQUIREMENTS
* fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence:
  - The trio/ library has been removed from the distribution.
  - The libesmtp/getaddrinfo.? library has been removed from the distribution.
  - The KAME/getnameinfo.c file has been removed from the distribution.
* fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL, at a minimum OpenSSL v1.1.1.

## BUG FIXES
* fetchmail can now report mailbox sizes of 2^31 octets and beyond. This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt.
* fetchmail now defines its OpenSSL API level (1.1.1, or 10101) so as to compile with OpenSSL 3.0.0. (fetchmail was requesting to hide deprecated APIs.)

## CHANGES
* When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
* The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags.
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31.

## EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
* fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompatibilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.0-alpha4.
* fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
* fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect.
* NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort.

================================================================================
|
From: Matthias A. <mat...@gm...> - 2021-07-28 21:04:25
|
fetchmail-SA-2021-01: DoS or information disclosure logging long messages

Topics:         fetchmail denial of service or information disclosure when logging long messages
Author:         Matthias Andree
Version:        1.1
Announced:      2021-07-28
Type:           missing variable initialization can cause read from bad memory locations
Impact:         fetchmail logs random information, or segfaults and aborts, stalling inbound mail
Danger:         low
Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany for analysis and report and a patch suggestion
CVE Name:       CVE-2021-36386
URL:            https://www.fetchmail.info/fetchmail-SA-2021-01.txt
Project URL:    https://www.fetchmail.info/

Affects:        - fetchmail releases up to and including 6.4.19
Not affected:   - fetchmail releases 6.4.20 and newer
Corrected in:   c546c829 Git commit hash
                2021-07-28 fetchmail 6.4.20 release tarball

0. Release history
==================

2021-07-07 initial report to maintainer
2021-07-28 1.0 release
2021-07-28 1.1 update Git commit hash with correction

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports.

2. Problem description and Impact
=================================

Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf.

The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration. On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end.

3. Solution
===========

Install fetchmail 6.4.20 or newer.

The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>.

Distributors are encouraged to review the NEWS file and move forward to 6.4.20, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates.

Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface incompatibly.

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2021 by Matthias Andree, <mat...@gm...>.
Some rights reserved.

fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC BY-ND 4.0.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2021-01
|
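Added example (not part of the advisory and not fetchmail's report.c): one way to write a piecemeal, growable log buffer that avoids both the va_list reuse after reallocation described above and the double length accounting described in the 6.4.21 release notes. The names logbuf, logbuf_vappendf, logbuf_appendf and the demo_* helpers are hypothetical, and the long header value is constructed input.

```c
/* Added example, not fetchmail's report.c. logbuf_* and demo_* are
 * hypothetical names; the long "Subject" value is constructed input. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct logbuf {
    char  *data;  /* partial message, NUL-terminated once allocated */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes of text, not counting the NUL */
};

/* Append one formatted fragment. Returns 0 on success, -1 on failure. */
static int logbuf_vappendf(struct logbuf *b, const char *fmt, va_list ap)
{
    for (;;) {
        size_t room = b->size - b->used;
        va_list pass;
        int n;
        /* vsnprintf() leaves the va_list it was given indeterminate, so
         * each formatting pass gets a fresh copy. Re-running it on a used
         * list after realloc() is the defect the advisory describes. */
        va_copy(pass, ap);
        n = vsnprintf(b->data ? b->data + b->used : NULL, room, fmt, pass);
        va_end(pass);
        if (n < 0)
            return -1;
        if ((size_t)n < room) {
            /* Fits. Advance the fill mark exactly once; counting n twice
             * would put the next fragment behind the terminating NUL. */
            b->used += (size_t)n;
            return 0;
        }
        /* Too small: grow to hold text + fragment + NUL, then retry. */
        size_t need = b->used + (size_t)n + 1;
        size_t newsize = b->size ? b->size : 64;
        while (newsize < need)
            newsize *= 2;
        char *p = realloc(b->data, newsize);
        if (p == NULL)
            return -1;
        b->data = p;
        b->size = newsize;
        b->data[b->used] = '\0';  /* drop the truncated attempt */
    }
}

static int logbuf_appendf(struct logbuf *b, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = logbuf_vappendf(b, fmt, ap);
    va_end(ap);
    return rc;
}

/* Assemble one log line piecemeal; caller frees. NULL on failure. */
static char *demo_assemble(size_t header_len)
{
    struct logbuf b = { NULL, 0, 0 };
    char *header = malloc(header_len + 1);
    int rc;
    if (header == NULL)
        return NULL;
    memset(header, 'A', header_len);
    header[header_len] = '\0';
    rc = logbuf_appendf(&b, "%s: ", "fetchmail");
    if (rc == 0)
        rc = logbuf_appendf(&b, "Subject: %s", header);
    if (rc == 0)
        rc = logbuf_appendf(&b, " (%d octets)\n", (int)header_len);
    free(header);
    if (rc != 0 || b.used != strlen(b.data)) {
        free(b.data);
        return NULL;
    }
    return b.data;
}

/* Length of the assembled line, or -1 if it failed or lost its '\n'. */
static long demo_length(size_t header_len)
{
    char *m = demo_assemble(header_len);
    long len = (m != NULL && m[strlen(m) - 1] == '\n') ? (long)strlen(m) : -1;
    free(m);
    return len;
}

int main(void)
{
    printf("%ld\n", demo_length(3000));  /* header beyond c. 2 kByte */
    return 0;
}
```

The 3000-byte header forces a reallocation in the middle of the second fragment, which is the path where a reused va_list or a doubled length would show up as a wrong length or a missing line end.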
From: Matthias A. <mat...@gm...> - 2021-07-28 21:04:20
|
Greetings,

The 6.4.20 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains an LMTP bug fix, updates fetchmailconf and the Serbian translation.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.20.tar.lz)= 497973353c0538216e7d7f2289a21d9acc5edd78f06d7ec008001f4f19e91b11
SHA256(fetchmail-6.4.20.tar.xz)= c82141ae2e8f0039ceb0c5c2eda43c5e93ad0bf7f9c6bb628092b3be74386176

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):

# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation. fetchmail then reallocates memory and re-runs vsnprintf() without another call to va_start(), so it reads garbage. The exact impact depends on many factors around the compiler and operating system configurations used and the implementation details of the stdarg.h interfaces of the two functions mentioned before. To fix CVE-2021-38386. Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany.

--------------------------------------------------------------------------------

Happy fetches,
Matthias
|
From: Matthias A. <mat...@gm...> - 2021-04-25 11:22:29
|
Greetings,

The 6.5.0.beta3 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta3.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta3.tar.xz.asc/download>

This is mostly merging of the recent 6.4 releases, with these additional changes:

* 13d7eab8 2021-04-24 | INSTALL: Spell-check [Matthias Andree]
* deb5e66f 2021-03-29 | Add basic test framework to source from other tests. [Matthias Andree]
* 9c9d47c9 2021-03-29 | fetchmail.man: Add QUICKSTART section. [Matthias Andree]
* 3aafc8bd 2021-03-23 | Reduce 15 different translatable "Query status" messages into 2. [Lauri Nurmi]
* c4ba1d68 2021-03-13 | po/de.po: Update. [Matthias Andree]
* 13c9a52c 2021-03-13 | INSTALL: mention Python 3 optional, and suggest make check [Matthias Andree]
* 6161c8c2 2021-03-13 | OpenSSL: Prepare for removal of TLS_MAX_VERSION declaration. [Matthias Andree]
* 1b374b5f 2021-03-13 | tests: import Ubuntu's POP3 mock server operation test [Bryce Harrington]
* da6eb347 2021-03-13 | sanity check well-known POP3/IMAP ports vs. SSL [Matthias Andree]
* 58cd8002 2021-01-30 | tls-aux.h: Remove unneeded 1.0.2 compatibility code. [Matthias Andree]

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.5.0 (not yet released):

## REMOVED FEATURES
* fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone.
* fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given.

## INCOMPATIBLE CHANGES
* fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
* fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
* fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
* fetchmailconf now requires Python 3.7.0 or newer.
* fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte.
* fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below.

## CHANGED REQUIREMENTS
* fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence:
  - The trio/ library has been removed from the distribution.
  - The libesmtp/getaddrinfo.? library has been removed from the distribution.
  - The KAME/getnameinfo.c file has been removed from the distribution.
* fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL, at a minimum OpenSSL v1.1.1.

## BUG FIXES
* fetchmail can now report mailbox sizes of 2^31 octets and beyond. This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt.
* fetchmail now defines its OpenSSL API level (1.1.1, or 10101) so as to compile with OpenSSL 3.0.0. (fetchmail was requesting to hide deprecated APIs.)

## CHANGES
* When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
* The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags.

## EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
* fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompatibilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.0-alpha4.
* fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
* fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect.
* NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort.

# KNOWN BUGS AND WORKAROUNDS
(This section usually floats upwards through the NEWS file so it stays with the current release information)
* Fetchmail does not handle messages without Message-ID header well
* Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI.

--------------------------------------------------------------------------------
|
From: Matthias A. <mat...@gm...> - 2021-04-25 10:40:12
|
Greetings,

The 7.0.0-alpha8 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/>

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha8.tar.xz/download>

It mostly merges up the recent 6.4 and 6.5 branch changes but has a few changes of its own:

919fd787 2021-04-24 | Bump max. passwordlen to 10000 bytes. [Matthias Andree]
6357924a 2021-04-24 | po/de.po: update [Matthias Andree]
53af1ae1 2021-04-24 | Bump version to -alpha8 [Matthias Andree]
05f66769 2021-04-24 | Fix up merge error. [Matthias Andree]
d52ba965 2021-01-31 | Add README.OAUTH2 issue #27 (sourceforge/next, origin/next) [William Bader]
2a0c7680 2021-01-09 | fetchmailconf: better place for PIDfile. [Matthias Andree]
2950d204 2021-01-09 | fetchmailconf: Expose PIDfile (lockfile). [Matthias Andree]
7514a696 2021-01-05 | [conf] Print pidfile in configuration [Earl Chew]
204541b6 2021-01-03 | Add support for sslcertfile. [Matthias Andree]
81bcb126 2021-01-03 | [conf] Print sslcertfile in configuration (earlchew/fetchmail-issue/25) [Earl]

Here are the release notes:

fetchmail-7.0.0 (not yet released):

NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED!

XXX and FIXME - see the big merge of 2019-08-25, and 2021-01-03

# INCOMPATIBLE CHANGES
* The SSL/TLS options were massively changed and disentangled, to be clearer.
* --sslmode starttls=must is now the default as a consequence of the previous sslcertck default. If you need an unencrypted connection, use --sslmode none. If you need an SSL-wrapped connection that starts immediately on a separate port, use --sslmode wrapped.
* See the REMOVED FEATURES section below for further incompatibilities.

# MAJOR CHANGES
* The POP3 code now always uses UIDL, except if "fetchall" is in effect. Fixes BerliOS Bug #16172. Fixes Debian Bug#345788. The --uidl option is now gone.

# FEATURES ADDED
* fetchmail has initial support for OAUTH2, courtesy of Matthew M. Ogilvie. This requires a helper script (in Python) that ships in the contrib/ section.
* Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at compile-time and requires run-time configuration. See README.PWMD for details. Contributed by Ben Kibbey, author of libpwmd and pwmd.
* Fetchmail can now run an external command to retrieve credentials (passwords), see the fetchmail man page for passwordeval.
* Fetchmail now supports a retrieve-error command line or rcfile option that takes exactly one argument, abort (default), continue or markseen. This specifies the policy used by fetchmail to handle messages whose bodies fail to be retrieved due to server errors. Both the continue and markseen options will skip the message with errors and allow the session to continue so that subsequent messages can be retrieved. The markseen option will also mark the message with errors as seen. The default policy is to abort the session whenever a server error occurs. Contributed by Craig Brown.
* Fetchmailconf offers CRAM-MD5 and APOP authentication. XXX FIXME: check
* The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode option, which cleans up the incomprehensible --ssl and --sslproto mess of fetchmail versions before v7.0.0.
* The SSL/TLS/STARTTLS protocol version can now be selected through a new --sslprotocolversion switch.
* The SSL/TLS cipher in use is now reported in verbose mode.
* FIXME: The SHA1 fingerprint is now printed along with the MD5 digest of the server's certificate; however, this can not yet be matched - matches are still against MD5 only.

# REMOVED FEATURES
* IMAP2 and POP2 protocol support were removed.
* RPOP support (not actually a protocol, but a variant of POP3) was removed.
* POP3: the (--)uidl option has been removed. It is always on.
* POP3: LAST is no longer used. It was removed from POP3 in the year 1994, and it could cause mail loss when the connection was interrupted or if clients besides fetchmail polled the mailbox.
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain.
* Kerberos IV support was removed.
* The --ssl option is obsolescent and triggers a warning that users should use --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped.
* The --sslproto option was removed. Two new options were added in its place, --sslmode and --sslprotocolversion.
* A lot of outdated and/or unsafe-to-use material got dropped from contrib/.

# CHANGES
* APOP is no longer a protocol, but an authentication method. In order to use it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop. If no authentication method is specified, APOP is automatically tried if offered by the server before we resort to sending the password as clear text.

# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the current release information)
* Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished.
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, so compiling 32-bit SPARC code should not cause any difficulties.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI.
|
From: Matthias A. <mat...@gm...> - 2021-04-25 09:18:29
|
Greetings,

The 6.4.19 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains an LMTP bug fix, updates fetchmailconf and the Serbian translation.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.19.tar.lz)= fe4c33b9c57e1e4f341e01564259478fc8dcb28013a2f7240d726aa72f858286
SHA256(fetchmail-6.4.19.tar.xz)= cd8d11a3d103e50caa2ec64bcda6307eb3d0783a4d4dfd88e668b81aaf9d6b5f

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.4.19 (released 2021-04-24, 30026 LoC):

# CHANGE:
* fetchmailconf: properly catch and report option parsing errors

# BUG FIX:
* LMTP: do not try to validate the last component of a UNIX-domain LMTP socket as though it were a TCP port. Reported by Christoph Heitkamp, Gitlab issue #33.

# TRANSLATION UPDATE:
This fine person has contributed an updated translation:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]

--------------------------------------------------------------------------------

Happy fetches,
Matthias
|