From: Matthias A. <mat...@gm...> - 2022-03-05 16:26:47

The 6.4.28 release of fetchmail is now available from <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It updates the Spanish translation, courtesy of Cristian Othón Martínez Vera.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL, so LibreSSL can only be used where it is part of the operating system (one of the very few examples is OpenBSD).

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.28.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.28.tar.lz/download>

The detached GnuPG signature is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.28.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.28.tar.lz.asc/download>

The SHA256 hashes for the tarballs are:
SHA256(fetchmail-6.4.28.tar.xz)= a003f9ac88bf083a232c9451ef5f3f88473fad2c7f2822d3f7455a6d32bc3a97
SHA256(fetchmail-6.4.28.tar.lz)= 5ba7ea053772b8eafa65cd410656225ec5ced8b51e47296fb11c31a7940ad423

Here are the release notes:
--------------------------------------------------------------------------------
fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):

# TRANSLATIONS: language translations were updated by this fine person:
* es: Cristian Othón Martínez Vera [Spanish]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2022-02-28 01:51:00

The 6.4.27 release of fetchmail has been available for a month <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. I seem not to have mailed out the announcement...

...and upgrading is not really essential from 6.4.26. Do note that when using with wolfSSL that you pull in its security fix, and unless you've linked wolfSSL dynamically, rebuild fetchmail.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL, so LibreSSL can only be used where it is part of the operating system (one of the very few examples is OpenBSD).

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.27.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.27.tar.lz/download>

The detached GnuPG signature is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.27.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.27.tar.lz.asc/download>

The SHA256 hashes for the tarballs are:
SHA256(fetchmail-6.4.27.tar.xz)= 9e64f9e71f798cf1fe2278b84e2f5880b806527c0c0206925c086ccd179113dc
SHA256(fetchmail-6.4.27.tar.lz)= 09e3818043c40d0eeb53565ff0d9aca657ff3de3950a378f699aec984f28a335

Here are the release notes:
--------------------------------------------------------------------------------
fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):

# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.

# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2022-02-28 01:44:54

Greetings,

The 6.5.0.beta7 release of fetchmail is now available at <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>.

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.0.beta7.tar.xz/download>

The detached GnuPG signature is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.0.beta7.tar.xz.asc/download>

The SHA256 hash for the tarball is:
SHA256(fetchmail-6.5.0.beta7.tar.xz)= ec7c7b1af74e6cf8b4011bbe4f270796775e9db672a731bc68980124b91d0133

Here are the release notes:
=-------------------------------------------------------------------------------
fetchmail-6.5.0.beta7: (since .beta6):

# ADDITIONS:
* There is now a --forceidle feature to force idle mode even if not advertised in the server capabilities. This is a dangerous option, use it carefully. Courtesy of Eric Durand, GitLab merge request !39.
* rcfile parsing errors are now reported in more detail, and with -vv mode, also lead to a non-importable Python dump of what was obtained, for debugging.
=-------------------------------------------------------------------------------
fetchmail-6.4.22...27 were merged into .beta7, highlights:

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING, unless on OpenBSD (which ships it in the base system). OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL. Note that distribution of packages linked with LibreSSL is not feasible due to a missing GPLv2 clause 2(b) exception. fetchmail can now be used with wolfSSL 5.1.1's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.

# OPENSSL AND LICENSING NOTE:
* fetchmail 6.5.0 is compatible with OpenSSL 1.1.1 and 3.0.0. OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay license to Apache License v2.0, which is considered incompatible with GPL v2 by the FSF. For implications and details, see the file COPYING.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.

# CHANGES:
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently.

# SECURITY FIXES:
* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* This allows STARTTLS in more scenarios, but also hardens against bypassing.

# BUG FIXES:
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations.
================================================================================
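The PREAUTH decision described in the CVE-2021-39272 entry of the notes above, written out as an added example. This is a model built from the advisory text, not fetchmail's own IMAP or socket code; the tls_policy fields ssl_wrapped (--ssl) and sslproto_set (nonempty --sslproto), the function names and the sample greetings are assumptions. It shows the pre-fix behaviour beside the hardened one so the difference is visible on each greeting type.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example modelled on fetchmail-SA-2021-02; not fetchmail's code. */

enum imap_greeting { GREET_OK, GREET_PREAUTH, GREET_BYE, GREET_INVALID };

/* Case-insensitive check that s starts with word and that the match ends the token.
 * Stops at the first mismatch, so a short s never reads past its terminator. */
static bool token_is(const char *s, const char *word)
{
    size_t n = strlen(word);
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != toupper((unsigned char)word[i]))
            return false;
    return s[n] == ' ' || s[n] == '\r' || s[n] == '\n' || s[n] == '\0';
}

/* Classify the untagged server greeting (RFC 3501 section 7.1):
 * "* OK ...", "* PREAUTH ...", or "* BYE ...". Anything else is invalid. */
enum imap_greeting classify_greeting(const char *line)
{
    if (line == NULL || strncmp(line, "* ", 2) != 0)
        return GREET_INVALID;
    const char *resp = line + 2;
    if (token_is(resp, "OK"))      return GREET_OK;
    if (token_is(resp, "PREAUTH")) return GREET_PREAUTH;
    if (token_is(resp, "BYE"))     return GREET_BYE;
    return GREET_INVALID;
}

/* The two options the advisory names (assumed field names). */
struct tls_policy {
    bool ssl_wrapped;   /* --ssl: implicit TLS, the session is already encrypted */
    bool sslproto_set;  /* nonempty --sslproto: TLS is to be enforced via STARTTLS */
};

/* Behaviour before the fix, as the advisory describes it: PREAUTH skipped the
 * authentication phase, and with it the STARTTLS step, so the session stayed in
 * plaintext even though --sslproto asked for TLS. Returns true to continue. */
bool legacy_may_continue(struct tls_policy p, enum imap_greeting g)
{
    (void)p;   /* the policy was never consulted here */
    return g == GREET_OK || g == GREET_PREAUTH;
}

/* Hardened decision: PREAUTH on a connection that is not yet encrypted but is
 * required to be encrypted is an error. reason (optional) receives the log text. */
bool hardened_may_continue(struct tls_policy p, enum imap_greeting g, const char **reason)
{
    const char *why = NULL;
    bool ok = false;
    switch (g) {
    case GREET_OK:
        ok = true;
        break;
    case GREET_PREAUTH:
        if (p.ssl_wrapped || !p.sslproto_set) {
            ok = true;   /* already inside TLS, or TLS not enforced: unchanged behaviour */
        } else {
            why = "server sent PREAUTH on a plaintext connection that must use TLS;"
                  " STARTTLS cannot be negotiated, aborting";
        }
        break;
    case GREET_BYE:
        why = "server refused the connection (BYE)";
        break;
    default:
        why = "invalid IMAP greeting";
        break;
    }
    if (reason)
        *reason = why;
    return ok;
}

int main(void)
{
    /* Constructed sample greetings, one per case; the last is not IMAP at all. */
    const char *samples[] = {
        "* OK IMAP4rev1 server ready\r\n",
        "* PREAUTH welcome, already authenticated\r\n",
        "* BYE try again later\r\n",
        "+OK POP3 server ready\r\n",
    };
    struct tls_policy enforce_starttls = { .ssl_wrapped = false, .sslproto_set = true };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *why;
        enum imap_greeting g = classify_greeting(samples[i]);
        bool old = legacy_may_continue(enforce_starttls, g);
        bool fixed = hardened_may_continue(enforce_starttls, g, &why);
        int len = (int)strcspn(samples[i], "\r\n");
        printf("%-42.*s legacy=%-8s hardened=%-8s %s\n", len, samples[i],
               old ? "continue" : "abort", fixed ? "continue" : "abort", why ? why : "");
    }
    return 0;
}
```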
From: Matthias A. <mat...@gm...> - 2021-12-26 21:56:25

The 6.4.26 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL, so LibreSSL can only be used where it is part of the operating system (one of the very few examples is OpenBSD).

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.26.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.26.tar.lz/download>

The detached GnuPG signature is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.26.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.26.tar.lz.asc/download>

The SHA256 hashes for the tarballs are:
SHA256(fetchmail-6.4.26.tar.xz)= 2cc8a94bfaaf794687b2b2147786508f30da598d1ab035c345d731928ac40c9a
SHA256(fetchmail-6.4.26.tar.lz)= 18060c9a3aa4b0eb31fdf3543503313a136aac5b979d5a8fcba8e886fbd188ab

Here are the release notes:
--------------------------------------------------------------------------------
fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):

# FIXES:
* When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when receiving handshake records while still in SSL_peek(). Workaround is to read 1 byte and cache it, then call SSL_peek() again. This affects only some servers. https://github.com/wolfSSL/wolfssl/issues/4593

# TRANSLATIONS: language translations were updated by this fine person:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-12-10 19:24:57

Greetings,

The 6.4.25 release of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL, so LibreSSL can only be used where it is part of the operating system (one of the very few examples is OpenBSD).

There have been several tweaks to improve the stability of the configure script and build again.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.tar.lz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.tar.lz)= ba94f3d9ea3e9dd55e59b7a08ca71edfdbc3e3ca1413a285aa8b08aaac923b05
SHA256(fetchmail-6.4.25.tar.xz)= 7ebefbe89172fd59f0fd8317d8743a8436f375ccdcab3900e4c3ec06a8fbf27f

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.25 (released 2021-12-10, 31653 LoC):

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING, unless on OpenBSD (which ships it in the base system). OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/
* Some of the configure.ac fiddling MIGHT have broken cross-compilation again. The maintainer does not test cross-compiling fetchmail; if you have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path containing your target/host libraries, or see if --with-ssl-prefix or --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help. Feedback solicited on compliant systems that are before end-of-life.

# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.

# CHANGES:
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.

# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]

# CREDITS:
* Thanks to Corey Halpin for testing release candidates.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-12-03 00:15:54

Greetings,

The 6.4.25 release CANDIDATE #4 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL.

release candidate #2 adds contrib/systemd (which see) and makes some fixes to configure.ac. It updated some translations.

release candidate #3 makes more fixes to configure.ac and updates some translations.

release candidate #4 fixes compilation with wolfSSL on 32-bit systems, for instance, FreeBSD i386, and mentions that wolfSSL support requires a C99 compiler.

See COPYING, INSTALL, README.SSL, README.packaging for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release. It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc4.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc4.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc4.tar.xz)= d1ea78ea27245631908cf8fe4e821a9a534cb97e9ce68a4afd4302903df054d5

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.25.rc4 (release candidate issued 2021-12-03, 31641 LoC):

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/
* Some of the configure.ac fiddling MIGHT have broken cross-compilation again. The maintainer does not test cross-compiling fetchmail; if you have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path containing your target/host libraries, or see if --with-ssl-prefix or --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help. Feedback solicited on compliant systems that are before end-of-life.

# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.

# CHANGES:
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.

# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]

# CREDITS:
* Thanks to Corey Halpin for testing release candidates.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-28 15:38:00

Greetings,

The 6.4.25 release CANDIDATE #3 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL.

release candidate #2 adds contrib/systemd (which see) and makes some fixes to configure.ac. It updated some translations.

release candidate #3 makes more fixes to configure.ac and updates some translations.

See COPYING, INSTALL, README.SSL, README.packaging for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release. It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc3.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc3.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc3.tar.xz)= d40995068ff7c18682ef0dcae051a44ec89b6a54df4dd2e50a25d32becfb15b2

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.25.rc3 (release candidate issued 2021-11-28, 31636 LoC):

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/
* Some of the configure.ac fiddling MIGHT have broken cross-compilation again. The maintainer does not test cross-compiling fetchmail; if you have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path containing your target/host libraries, or see if --with-ssl-prefix or --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help. Feedback solicited on compliant systems that are before end-of-life.

# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.

# CHANGES:
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.

# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-27 12:41:48

Greetings,

The 6.4.25 release CANDIDATE #2 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL.

release candidate #2 adds contrib/systemd (which see) and makes some fixes to configure.ac.

See COPYING, INSTALL, README.SSL, README.packaging for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release. It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc2.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc2.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc2.tar.xz)= dd5aae3ae1061640a273482ae44583be70052a4fb6be257b90803cefd849410f

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.25.rc2 (release candidate 2021-11-27, 31633 LoC):

# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/

# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/ which runs fetchmail as a daemon with 5-minute poll intervals. Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.

# CHANGES:
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.

# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-20 23:54:25

Greetings,

The 6.4.25 release CANDIDATE #1 of fetchmail is now available at <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It fixes up the OpenSSL 1.0.2 workaround for Let's Encrypt Sites. It contains support for wolfSSL 5.0, blocks out LibreSSL due to licensing issues, and overhauls the configure script for OpenSSL. See COPYING, INSTALL, README.SSL for more details on the news.

Please test this thoroughly and report your findings so we can be sure that 6.4.25 will be a good release. It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc1.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.25.rc1.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.25.rc1.tar.xz)= 300787d19c31490fba2e8842b5f9ac13750c4db30def3222eec88b530b305161

Thanks to Corey Halpin for the suggestion about license clarification with gnu.org links (submitted through FreeBSD's Bugzilla).

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.25.rc1 (released 2021-11-20, 31632 LoC):

# BREAKING CHANGES
* Since distributions continue patching for LibreSSL use, which cannot be linked legally, block out LibreSSL in configure.ac and socket.c, and refer to COPYING. OpenSSL and wolfSSL 5 can be used.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. 1.0.2f was a security fix release, and 1.0.2u is publicly available from https://www.openssl.org/source/old/1.0.2/

# BUG FIXES
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.

# CHANGES
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, see INSTALL and README.SSL. This is considered experimental. Feedback solicited.
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-11-20 09:41:43
Greetings,

The 6.4.24 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

NOTE that LibreSSL licensing is incompatible with fetchmail's, as there is no GPL clause 2(b) exception for LibreSSL.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.24.tar.lz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.24.tar.lz)= 10018eaf3930cdc3162304f507bbd063233a0dde1febb82795c910c4c2f54b64
SHA256(fetchmail-6.4.24.tar.xz)= 9c961df25cd922f539218b0b56a77e7a47778e49ed907edaa5b4941ad3b253cf

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):

# OPENSSL AND LICENSING NOTE:
> see fetchmail-6.4.22, and the file COPYING.
  Note that distribution of packages linked with LibreSSL is not feasible due to a missing GPLv2 clause 2(b) exception.

# COMPATIBILITY:
* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a warning workaround. Remove the cast of yytoknum to void. This may cause a compiler warning to reappear with older Bison versions.
* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3 certificate in their trust store, because OpenSSL by default prefers the untrusted certificate and fails. Fetchmail now sets the X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only). This is workaround #2 from the OpenSSL Blog.
  For details, see both:
  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
  NOTE: OpenSSL 1.0.2 is end of life; it is assumed that the OpenSSL library is kept up to date by a distributor or via an OpenSSL support contract. Where this is not the case, please upgrade to a supported OpenSSL version.

# DOCUMENTATION:
* The manual page was revised after re-checking with mandoc -Tlint, aspell, igor. Some more revisions were made for clarity.

# TRANSLATIONS: language translations were updated by these fine people:
* sv: Göran Uddeborg [Swedish]
* pl: Jakub Bogusz [Polish]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* ja: Takeshi Hamasaki [Japanese]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
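The OpenSSL 1.0.2 item above describes a chain-building preference: when the trust store still holds the expired DST Root CA X3 and the server sends the cross-signed ISRG Root X1, a verifier that consults the server-supplied certificates before the trust store ends its chain at the expired root, whereas X509_V_FLAG_TRUSTED_FIRST makes it stop at the self-signed ISRG Root X1 that is already in the store. The toy chain builder below is an added example, neither OpenSSL's nor fetchmail's code; it reproduces both outcomes on constructed certificates (subject and issuer names plus approximate expiry dates only; no signatures are checked, and issuer matching is by name, which is a simplification of real path building):

```python
"""Toy X.509 chain builder showing why TRUSTED_FIRST matters when an expired
root (DST Root CA X3) is still in the trust store.  Added example, not OpenSSL
or fetchmail code: issuer lookup is simplified to subject-name matching and the
certificates are constructed data with approximate expiry dates."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: str      # ISO date, compared as text


def build_chain(leaf, untrusted, trust_store, trusted_first, today, max_depth=8):
    """Depth-first search from leaf to a trust anchor, then an expiry check.

    trusted_first=False mimics the OpenSSL 1.0.2 default: server-supplied
    (untrusted) certificates are tried before the trust store, so the
    cross-signed intermediate drags the first complete chain to the expired
    DST root.  trusted_first=True mimics X509_V_FLAG_TRUSTED_FIRST (the default
    from OpenSSL 1.1.0 on).  Backtracking models 1.0.2's alternative-chain
    retry, which only kicks in when no trust anchor is reached at all.
    Returns (chain, None) on success or (None, reason) on failure."""
    pools = (trust_store, untrusted) if trusted_first else (untrusted, trust_store)

    def search(chain):
        cur = chain[-1]
        if cur in trust_store:                      # reached a trust anchor
            return chain
        if cur.subject == cur.issuer or len(chain) >= max_depth:
            return None
        for pool in pools:
            for cand in pool:
                if cand.subject == cur.issuer and cand not in chain:
                    found = search(chain + [cand])
                    if found:
                        return found
        return None

    chain = search([leaf])
    if chain is None:
        return None, "no path from %r to a trust anchor" % leaf.subject
    for c in chain:                                 # checked after the chain is fixed
        if c.not_after < today:
            return None, "certificate has expired: %r" % c.subject
    return chain, None


# Constructed data modelled on the Let's Encrypt / IdenTrust setup of autumn 2021.
LEAF = Cert("example.org", "R3", "2022-01-01")
R3 = Cert("R3", "ISRG Root X1", "2025-09-15")
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "2024-09-30")   # cross-signed
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", "2035-06-04")      # self-signed root
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", "2021-09-30")        # expired root
SERVER_SENT = [R3, ISRG_X1_CROSS]       # what the TLS server hands over
TRUST_STORE = [DST_X3, ISRG_X1_SELF]    # stale store that still holds DST Root CA X3


def verify(trusted_first, today="2021-10-15"):
    return build_chain(LEAF, SERVER_SENT, TRUST_STORE, trusted_first, today)


if __name__ == "__main__":
    for flag in (False, True):
        chain, err = verify(flag)
        print("TRUSTED_FIRST=%s:" % flag, err or " -> ".join(c.subject for c in chain))
```

Python's standard library exposes the same switch as `ctx.verify_flags |= ssl.VERIFY_X509_TRUSTED_FIRST` on an `ssl.SSLContext`; OpenSSL 1.1.0 and later apply trusted-first by default, which is why the fetchmail workaround is limited to 1.0.2. Removing the expired root from the trust store also validates in this model, because the search backtracks to the trust store once the cross-signed path dead-ends.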
From: Matthias A. <mat...@gm...> - 2021-10-31 14:44:52
On 31.10.21 at 15:02, Gene Heskett wrote:
> On Sunday 31 October 2021 08:14:20 Matthias Andree wrote:
>
>> Greetings,
>>
>> The 6.4.23 release of fetchmail is now available at
>> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.
>>
> Sourceforge is still serving up 6.4.22 as the latest.
>

Hi Gene,

Right, I forgot to mark 6.4.23 as the one. Fixed now. Thanks, Gene!

Additional note to packagers and developers: if you are trying to rebuild the parser files with a newer bison 3.8.x, from Git, or due to a rebuild-everything policy, you may need to patch out one line (void) from rcfile_y.y to avoid compilation failures. Fixed in Git but not yet in 6.4.23:
https://gitlab.com/fetchmail/fetchmail/-/commit/595d6b354aeef9db4f106e37fe5cccc4b80ec087

(I saw the CI pipe on GitLab failing after I'd merged things forward to 6.5.x, and apparently Debian testing updated Bison.)

Basically, this line #464 of rcfile_y.y needs to go (and may cause a compiler warning about unused...)

|(void)yytoknum; /* work around compiler warning */
|

Regards,
Matthias
From: Matthias A. <mat...@gm...> - 2021-10-31 13:10:17
Greetings,

The 6.5.0.beta5 release of fetchmail is now available at the usual locations, including
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz.asc/download>

This brings the 6.5.0 beta in line with the recent 6.4 developments.

This is the change history from Git:
================================================================================
* b26f8b3b 2021-10-31 | po/: record state (HEAD -> legacy_6x, tag: SNAPSHOT_6-5-0-beta6, tag: 6.5.0.beta6)
* a3407a04 2021-10-31 | Merge branch 'legacy_64' into legacy_6x (sourceforge/legacy_6x, origin/legacy_6x)
|\
| * 86533e67 2021-10-31 | website: announce 6.4.23 release. (sourceforge/legacy_64, origin/legacy_64, legacy_64)
| * ce6c06dc 2021-10-31 | po/: Update German translation and record ja/sr updates. (tag: RELEASE_6-4-23)
| * 7183296d 2021-10-31 | Get ready for 6.4.23.
| * 56e8f9b6 2021-10-31 | IMAP: improve STARTTLS error message for ssh-plugin case
| * b93af8e8 2021-10-31 | NEWS: mention Мирослав Николић/Miroslav Nikolić as translator.
| * 0b90c974 2021-10-10 | Update <sr> Serbian translation to fetchmail-6.4.22.rc1 [Мирослав Николић]
| * 06113cae 2021-09-20 | NEWS: Mention Takeshi Hamasaki as translator.
* | fcb4ce6e 2021-09-20 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 47a2e9a0 2021-09-18 | Update <ja> Japanese translation to fetchmail 6.4.22.rc1 [Takeshi Hamasaki]
* | 298e7b79 2021-09-13 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 84f2d310 2021-09-13 | Get ready for 6.4.22. (tag: RELEASE_6-4-22)
| * 8eed56c2 2021-09-13 | Note OpenSSL 3.0.0 support and licensing change.
| * fded2be1 2021-09-01 | de.po: Fix typo in German translation
* | de625bd3 2021-09-13 | save
* | 53976bfd 2021-09-01 | CMake: check for vsyslog sym -> define HAVE_VSYSLOG
* | 647a75c5 2021-09-01 | Fix compilation in !HAVE_VSYSLOG path,
* | e433536a 2021-09-01 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 02693b4b 2021-09-01 | NEWS: fix spelink of Stefan Eßer's last name
| * 28490560 2021-09-01 | NEWS: Credit Petr Pisar for Czech translation.
| * 34656a01 2021-08-31 | IMAP: fix error code when LOGIN fails
| * 431ccf32 2021-08-30 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
| * 1a86e2c9 2021-08-29 | Update <cs> Czech translation to fetchmail 6.4.22.rc1 [Petr Pisar]
* | 921ecd0c 2021-08-30 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 4601caf3 2021-08-30 | website: announce 6.4.22.rc3
| * c863e9db 2021-08-29 | update SA-2021-02
| * 5b31e6e3 2021-08-29 | Get ready for 6.4.22.rc3. (tag: SNAPSHOT_6-4-22-rc3)
| * 5606d737 2021-08-29 | NEWS: Credit RC testers.
| * bdedbbd7 2021-08-29 | NEWS: credit translators.
| * 87af2407 2021-08-28 | Update <sq> Albanian translation to fetchmail-6.4.22.rc1 [Besnik Bleta]
| * 5d83eb47 2021-08-28 | Update <pl> Polish translation to fetchmail 6.4.22.rc1 [Jakub Bogusz]
| * d33bc06d 2021-08-29 | Fix IMAP protocol confusion on 2nd and subsequent polls.
| * a5a961e7 2021-08-28 | socket.c: invalid sslproto no longer abort()s
| * 79956228 2021-08-28 | Convert to UTF-8.
| * 8ca5b306 2021-08-28 | declare .txt to be UTF-8
| * 83341013 2021-08-28 | upload .htaccess
| * 36b4c0bb 2021-08-27 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
* | 358d2b0b 2021-08-28 | bump version to -beta6
* | 17853d32 2021-08-28 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 5f976705 2021-08-27 | Get ready for 6.4.22.rc2. (tag: SNAPSHOT_6-4-22-rc2)
| * c7c6055b 2021-08-27 | Credit fr/eo translators.
| * 521bcb6b 2021-08-27 | Update <fr> French translation to fetchmail-6.4.22.rc1 [Frédéric Marchal]
| * 1a293bb7 2021-08-27 | Update <eo> Esperanto translation to fetchmail 6.4.22.rc1 [Keith Bowes]
| * 616e8c70 2021-08-27 | imap.c, pop3.c: fix protocol regression of 6.4.22.rc1
| * 2a2150f4 2021-08-27 | etrn.c, odmr.c, pop2.c: declare NULL con-/destructors
| * 74771392 2021-08-27 | struct method: introduce con-/destructors
| * ec8e9e35 2021-08-27 | NEWS: fix typo.
| * 452d2c59 2021-08-27 | README.SSL-SERVER: require TLS 1.2/1.3
| * 44431fed 2021-08-27 | get ready for 6.4.22.rc1. (tag: SNAPSHOT_6-4-22-rc1)
| * 4b736f0a 2021-08-26 | Doxyfile: updates
| * 8363b7b7 2021-08-26 | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02
| * 5cca5d1e 2021-08-26 | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"
| * 27e6d102 2021-08-26 | po/de.po: Update German translation.
| * e12677b1 2021-08-26 | Misc POP3 cleanups.
| * 3837f0e2 2021-08-26 | SECURITY: imap.c, pop3.c: STARTTLS drops state
| * bb220dc1 2021-08-26 | NEWS: reword 6.4.21 regression fix to include --syslog
| * 4df94d59 2021-08-26 | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl
| * 5b22b38d 2021-08-26 | sanity check well-known POP3/IMAP ports vs. SSL
| * 9ef9cd28 2021-08-26 | lock.c: fix unused-value warning in unlockit().
| * f5644ba2 2021-08-26 | POP3: make CAPA parser caseblind.
| * a0b9f2fb 2021-08-26 | xmalloc.h: Add GCC malloc attribute to xmalloc().
| * 46a82e13 2021-08-26 | imap.c, report.c: remove or comment dead stores.
| * 8517491d 2021-08-26 | SECURITY: POP3: changes for --auth ssh and RPA
| * b11d834a 2021-08-26 | NEWS: Deprecate RPA and other nonstandard auth' schemes.
| * 77b3f56c 2021-08-26 | socket.c: plugin/plugout SIGSEGV and memleak fixes
| * 8fae5227 2021-08-26 | IMAP: record server's CAPABILITY data in pre-auth state.
| * 1b20ea02 2021-08-26 | IMAP: report 'upgrade to TLS succeeded' before CAPA probe
| * c78cc2fc 2021-08-26 | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.
| * 39818023 2021-08-26 | fetchmail.c: fix typo in comment.
| * 0bd7f01f 2021-08-26 | IMAP: log error if --auth external requested but server does not advertise it.
| * 771a80b7 2021-08-26 | imap.c: one FIXME for command continuation requests
| * a2fcf70b 2021-08-26 | IMAP: two more AUTHENTICATE EXTERNAL fixes
| * 8001d09a 2021-08-26 | IMAP: fix base64 length calc. for AUTH=EXTERNAL
| * 84580ab8 2021-08-26 | IMAP: don't send * after failed AUTHENTICATE EXTERNAL
| * 7f0acc8f 2021-08-26 | IMAP: rename misnamed function and variable
| * 5e9e3c86 2021-08-26 | Bump version to 6.4.22.rc1
| * 7ed2377c 2021-08-26 | manpage: Fix indentation under --sslproto
| * e7199006 2021-08-26 | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS
| * b82c3ccb 2021-08-26 | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed
* | 9a617868 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 3aad706d 2021-08-09 | 6.5.0.beta5: mention regression fix and idle timeout.
* | cf4bc0c5 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|/
* f8377e3c 2021-08-09 | Announce 6.4.21 and 6.5.0.beta5.
================================================================================
From: Matthias A. <mat...@gm...> - 2021-10-31 12:41:10
Greetings,

Sorry - first announcement slipped with the wrong version tag (beta5 instead of beta6).

The 6.5.0.beta6 release of fetchmail is now available at the usual locations, including
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta6.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta6.tar.xz.asc/download>

This brings the 6.5.0 beta in line with the recent 6.4 developments.

This is the change history from Git:
================================================================================
* b26f8b3b 2021-10-31 | po/: record state (HEAD -> legacy_6x, tag: SNAPSHOT_6-5-0-beta6, tag: 6.5.0.beta6)
* a3407a04 2021-10-31 | Merge branch 'legacy_64' into legacy_6x (sourceforge/legacy_6x, origin/legacy_6x)
|\
| * 86533e67 2021-10-31 | website: announce 6.4.23 release. (sourceforge/legacy_64, origin/legacy_64, legacy_64)
| * ce6c06dc 2021-10-31 | po/: Update German translation and record ja/sr updates. (tag: RELEASE_6-4-23)
| * 7183296d 2021-10-31 | Get ready for 6.4.23.
| * 56e8f9b6 2021-10-31 | IMAP: improve STARTTLS error message for ssh-plugin case
| * b93af8e8 2021-10-31 | NEWS: mention Мирослав Николић/Miroslav Nikolić as translator.
| * 0b90c974 2021-10-10 | Update <sr> Serbian translation to fetchmail-6.4.22.rc1 [Мирослав Николић]
| * 06113cae 2021-09-20 | NEWS: Mention Takeshi Hamasaki as translator.
* | fcb4ce6e 2021-09-20 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 47a2e9a0 2021-09-18 | Update <ja> Japanese translation to fetchmail 6.4.22.rc1 [Takeshi Hamasaki]
* | 298e7b79 2021-09-13 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 84f2d310 2021-09-13 | Get ready for 6.4.22. (tag: RELEASE_6-4-22)
| * 8eed56c2 2021-09-13 | Note OpenSSL 3.0.0 support and licensing change.
| * fded2be1 2021-09-01 | de.po: Fix typo in German translation
* | de625bd3 2021-09-13 | save
* | 53976bfd 2021-09-01 | CMake: check for vsyslog sym -> define HAVE_VSYSLOG
* | 647a75c5 2021-09-01 | Fix compilation in !HAVE_VSYSLOG path,
* | e433536a 2021-09-01 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 02693b4b 2021-09-01 | NEWS: fix spelink of Stefan Eßer's last name
| * 28490560 2021-09-01 | NEWS: Credit Petr Pisar for Czech translation.
| * 34656a01 2021-08-31 | IMAP: fix error code when LOGIN fails
| * 431ccf32 2021-08-30 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
| * 1a86e2c9 2021-08-29 | Update <cs> Czech translation to fetchmail 6.4.22.rc1 [Petr Pisar]
* | 921ecd0c 2021-08-30 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 4601caf3 2021-08-30 | website: announce 6.4.22.rc3
| * c863e9db 2021-08-29 | update SA-2021-02
| * 5b31e6e3 2021-08-29 | Get ready for 6.4.22.rc3. (tag: SNAPSHOT_6-4-22-rc3)
| * 5606d737 2021-08-29 | NEWS: Credit RC testers.
| * bdedbbd7 2021-08-29 | NEWS: credit translators.
| * 87af2407 2021-08-28 | Update <sq> Albanian translation to fetchmail-6.4.22.rc1 [Besnik Bleta]
| * 5d83eb47 2021-08-28 | Update <pl> Polish translation to fetchmail 6.4.22.rc1 [Jakub Bogusz]
| * d33bc06d 2021-08-29 | Fix IMAP protocol confusion on 2nd and subsequent polls.
| * a5a961e7 2021-08-28 | socket.c: invalid sslproto no longer abort()s
| * 79956228 2021-08-28 | Convert to UTF-8.
| * 8ca5b306 2021-08-28 | declare .txt to be UTF-8
| * 83341013 2021-08-28 | upload .htaccess
| * 36b4c0bb 2021-08-27 | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 [Göran Uddeborg]
* | 358d2b0b 2021-08-28 | bump version to -beta6
* | 17853d32 2021-08-28 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 5f976705 2021-08-27 | Get ready for 6.4.22.rc2. (tag: SNAPSHOT_6-4-22-rc2)
| * c7c6055b 2021-08-27 | Credit fr/eo translators.
| * 521bcb6b 2021-08-27 | Update <fr> French translation to fetchmail-6.4.22.rc1 [Frédéric Marchal]
| * 1a293bb7 2021-08-27 | Update <eo> Esperanto translation to fetchmail 6.4.22.rc1 [Keith Bowes]
| * 616e8c70 2021-08-27 | imap.c, pop3.c: fix protocol regression of 6.4.22.rc1
| * 2a2150f4 2021-08-27 | etrn.c, odmr.c, pop2.c: declare NULL con-/destructors
| * 74771392 2021-08-27 | struct method: introduce con-/destructors
| * ec8e9e35 2021-08-27 | NEWS: fix typo.
| * 452d2c59 2021-08-27 | README.SSL-SERVER: require TLS 1.2/1.3
| * 44431fed 2021-08-27 | get ready for 6.4.22.rc1. (tag: SNAPSHOT_6-4-22-rc1)
| * 4b736f0a 2021-08-26 | Doxyfile: updates
| * 8363b7b7 2021-08-26 | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02
| * 5cca5d1e 2021-08-26 | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"
| * 27e6d102 2021-08-26 | po/de.po: Update German translation.
| * e12677b1 2021-08-26 | Misc POP3 cleanups.
| * 3837f0e2 2021-08-26 | SECURITY: imap.c, pop3.c: STARTTLS drops state
| * bb220dc1 2021-08-26 | NEWS: reword 6.4.21 regression fix to include --syslog
| * 4df94d59 2021-08-26 | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl
| * 5b22b38d 2021-08-26 | sanity check well-known POP3/IMAP ports vs. SSL
| * 9ef9cd28 2021-08-26 | lock.c: fix unused-value warning in unlockit().
| * f5644ba2 2021-08-26 | POP3: make CAPA parser caseblind.
| * a0b9f2fb 2021-08-26 | xmalloc.h: Add GCC malloc attribute to xmalloc().
| * 46a82e13 2021-08-26 | imap.c, report.c: remove or comment dead stores.
| * 8517491d 2021-08-26 | SECURITY: POP3: changes for --auth ssh and RPA
| * b11d834a 2021-08-26 | NEWS: Deprecate RPA and other nonstandard auth' schemes.
| * 77b3f56c 2021-08-26 | socket.c: plugin/plugout SIGSEGV and memleak fixes
| * 8fae5227 2021-08-26 | IMAP: record server's CAPABILITY data in pre-auth state.
| * 1b20ea02 2021-08-26 | IMAP: report 'upgrade to TLS succeeded' before CAPA probe
| * c78cc2fc 2021-08-26 | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.
| * 39818023 2021-08-26 | fetchmail.c: fix typo in comment.
| * 0bd7f01f 2021-08-26 | IMAP: log error if --auth external requested but server does not advertise it.
| * 771a80b7 2021-08-26 | imap.c: one FIXME for command continuation requests
| * a2fcf70b 2021-08-26 | IMAP: two more AUTHENTICATE EXTERNAL fixes
| * 8001d09a 2021-08-26 | IMAP: fix base64 length calc. for AUTH=EXTERNAL
| * 84580ab8 2021-08-26 | IMAP: don't send * after failed AUTHENTICATE EXTERNAL
| * 7f0acc8f 2021-08-26 | IMAP: rename misnamed function and variable
| * 5e9e3c86 2021-08-26 | Bump version to 6.4.22.rc1
| * 7ed2377c 2021-08-26 | manpage: Fix indentation under --sslproto
| * e7199006 2021-08-26 | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS
| * b82c3ccb 2021-08-26 | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed
* | 9a617868 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|\|
| * 3aad706d 2021-08-09 | 6.5.0.beta5: mention regression fix and idle timeout.
* | cf4bc0c5 2021-08-09 | Merge branch 'legacy_64' into legacy_6x
|/
* f8377e3c 2021-08-09 | Announce 6.4.21 and 6.5.0.beta5.
================================================================================
From: Matthias A. <mat...@gm...> - 2021-10-31 12:21:00
Greetings,

The 6.4.23 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It updates the Japanese and Serbian translations and improves an error message around STARTTLS with IMAP --auth ssh and --plugin.

Note the tarball was re-rolled to include the German translation update, missed in the first upload.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.23.tar.lz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.23.tar.lz)= 0fa3b57f05ec38b3ecb58d2221223b6a4da6e30dd857af37b49798c3e84a71e5
SHA256(fetchmail-6.4.23.tar.xz)= 5f7a5e13731431134a2ca535bbced7adc666d3aeb93169a0830945d91f492300

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):

# USABILITY:
* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin - no matter its contents - and that set auth ssh), change the STARTTLS error message to suggest sslproto '' instead. This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22. Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.

# TRANSLATIONS: language translations were updated by these fine people:
* ja: Takeshi Hamasaki [Japanese]
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-09-13 21:18:24
Note that I had to re-roll the tarballs after missing a few documentation updates. The original tarballs were only available for a few minutes.

The updated checksums are these:

SHA256(fetchmail-6.4.22.tar.lz)= c704b2af5d083550a0b0f1d9af7284afe85247cba08f4e268f429db4b3d0c42a
SHA256(fetchmail-6.4.22.tar.xz)= cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84
From: Matthias A. <mat...@gm...> - 2021-09-13 21:06:19
Greetings,

The 6.4.22 release of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains the security fix for CVE-2021-39272 of 6.4.21 and earlier, fixes some crashes that can be triggered by local configurations, and makes some fixes to authentication and other changes, details below.

DISTRIBUTORS please note OpenSSL's licensing change for OpenSSL 3, and you may want to review COPYING.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.xz.asc/download>
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.tar.lz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.22.tar.lz)= 5e596136660cca9b71f73c0f6fe79cc76db7db2b2dc33c08ad25241ed0cba368
SHA256(fetchmail-6.4.22.tar.xz)= 104379499a1346330a6799f1e20c790211dd07835cb1af5668dfd25de71357f4

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):

# OPENSSL AND LICENSING NOTE:
* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay license to Apache License v2.0, which is considered incompatible with GPL v2 by the FSF. For implications and details, see the file COPYING.

# SECURITY FIXES:
* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation).
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for the fact that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]

# CREDITS:
* Thanks for testing the release candidates and bug reports to: Corey Halpin, Stefan Eßer.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-08-29 15:37:42
Greetings,

The 6.4.22 release CANDIDATE #3 of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

rc2 fixes an IMAP protocol regression of rc1 that made it unable to download e-mail via IMAP in many circumstances. Reported by Corey Halpin.

rc3 fixes an IMAP protocol regression that struck when a server was not the very first server in a run. Reported by Stefan Esser.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc3.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc3.tar.xz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.22.rc3.tar.xz)= 1087a1c8ef8053f2deb97c17e2ab1a91fd3dd40fe275c7d6da0693bb1218fe13

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation).
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for the fact that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is given with OpenSSL 1.1.0 API compatible SSL implementations.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]

# CREDITS:
* Thanks for testing the release candidates and bug reports to: Corey Halpin, Stefan Esser.
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-08-27 18:02:36
Greetings,

The 6.4.22 release CANDIDATE #2 of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

rc2 fixes an IMAP protocol regression of rc1 that made it unable to download e-mail via IMAP in many circumstances.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc2.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc2.tar.xz.asc/download>

SHA256 hash values for the tarballs:

SHA256(fetchmail-6.4.22.rc2.tar.xz)= 1bd3f25e221ea01de4ba57447b7464f8c5f07f0f107701583b9cdd85740da276

Here are the release notes:

---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection.
  Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
  Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation).
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400.
  This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for the fact that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.

# TRANSLATIONS: These language translations were updated by these fine people:
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
--------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-08-27 16:33:42
Greetings,

I am withdrawing 6.4.22.rc1 and ask that nobody installs it anew if IMAP fetches are desired. Setups that purely use POP3 seem fine for now, and if your setup can fetch mail from all your configurations, you need not downgrade.

Sorry about this, but that is why there are release candidates, some turn out to be unworthy of promotion to a release.

I am moving 6.4.22.rc1 around on sourceforge from branch_6.4/ to OldFiles/ so that people missing this announcement don't find it at the place announced earlier.

Withdrawal reason: I received and confirmed a regression report against fetchmail's IMAP client, and 6.4.22.rc1 misidentifies IMAP protocol versions and in many situations tries IMAP4 commands on IMAP2 and IMAP4rev1 servers, which leads to poll errors without any mail downloaded. This is a side effect from the "reset session data", not covered in my testing scenarios.

-ma
From: Matthias A. <mat...@gm...> - 2021-08-26 22:32:00
fetchmail-SA-2021-02: STARTTLS session encryption bypassing

Topics:         fetchmail fails to enforce an encrypted connection
Author:         Matthias Andree
Version:        0.9
Announced:      2021-08-26
Type:           failure to enforce configured security policy
Impact:         fetchmail continues an unencrypted connection, thus reading unauthenticated input and sending information unencrypted over its transport
Danger:         medium
Acknowledgment: Andrew C. Aitchison for reporting this against fetchmail
                Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel for their Usenix Security 21 paper NO STARTTLS
CVE Name:       CVE-2021-39272
URL:            https://www.fetchmail.info/fetchmail-SA-2021-02.txt
Project URL:    https://www.fetchmail.info/

Affects:        - fetchmail releases up to and including 6.4.21

Not affected:   - fetchmail releases 6.4.22 and newer

Corrected in:   2021-08-26 fetchmail 6.4.22.rc1 release candidate
                TBD        fetchmail 6.4.22 release tarball

0. History of this announcement
===============================

2021-08-10 Andrew C. Aitchison contacts fetchmail maintainer with pointer to Usenix Security 21 paper by Damian Poddebniak et al.
2021-08-16 a simplified recommendation to configure --ssl where possible (see section 3b. below) to mitigate impact was sent to the fetchmail mailing lists
2021-08-26 0.9 initial release along with fetchmail 6.4.22.rc1

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports.

2. Problem description and Impact
=================================

fetchmail permits requiring that an IMAP or POP3 protocol exchange uses a TLS-encrypted transport, in 6.4 by way of an --sslproto auto or similar configuration. This TLS encryption can be established either as Implicit TLS connection, which negotiates TLS first, or as a STARTTLS which starts as cleartext protocol exchange that gets upgraded in the same TCP stream to TLS.

Without special configuration, fetchmail would opportunistically try to upgrade cleartext connections to TLS by STARTTLS, but allow cleartext protocol exchange, which is documented.

IMAP also supports sessions that start in "authenticated state" (PREAUTH). In this latter case, IMAP (RFC-3501) does not permit sending STARTTLS negotiations, which are only permissible in not-authenticated state.

In such a combination of circumstances (1. IMAP protocol in use, 2. the server greets with PREAUTH, announcing authenticated state, 3. the user configured TLS mandatory, 4. the user did not configure "ssl" mode that uses separate ports for Implicit SSL/TLS), fetchmail 6.4.21 and older would not encrypt the session.

There was a similar situation for POP3: if the remote name contained @compuserve.com, and if the server supported a non-standard "AUTH" command without mechanism argument and if it responded with a list that contained "RPA" (also in mixed or lower case), then fetchmail would not attempt STARTTLS. While the password itself is then protected by the RPA scheme (which employs MD5 however), fetchmail 6.4.21 and older would not encrypt the session.

Also, a configuration containing --auth ssh (meaning that fetchmail should not authenticate, on the assumption that the session will be pre-authenticated for instance through SSH running a mail server with --plugin, or TLS client certificates), would also defeat STARTTLS as result of an implementation defect. This affected both POP3 and IMAP.

3. Solutions
============

PREFACE: distributors backporting fixes to old versions are asked to diff the manual page and review the changes, and the NEWS file, because the manual page has been updated with newer recommendations. The same backport recommendations hold for the README.SSL file.

3a. Install fetchmail 6.4.22 or newer.

The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>.

The Git-based source code repository is currently published via
https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_64 (primary)
https://sourceforge.net/p/fetchmail/git/ci/legacy_64/tree/ (copy)

3b. Where the IMAP or POP3 server supports this form of access, fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3) and negotiate TLS without prior clear-text protocol exchange. Also, --ssl can be given on the command line, which switches all configured server statements to this Implicit TLS mode.

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2021 by Matthias Andree, <mat...@gm...>. Some rights reserved.

© Copyright 2021 by Matthias Andree. This file is licensed under CC BY-ND 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END of fetchmail-SA-2021-02
From: Matthias A. <mat...@gm...> - 2021-08-26 22:29:54
Greetings,

The 6.4.22 release CANDIDATE of fetchmail is now available at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

It contains security fixes for CVE-2021-39272 and fixes up several protocol violations along the way, fixes some configuration-based crashes (SIGSEGV) and updates the documentation. This version has quite extensive changes for a patchlevel release.

Note that security recommendations in README.SSL were changed to achieve higher security from the configuration. Built-in defaults do not change.

Please test this thoroughly and report your findings so we can be sure that 6.4.22 will be a good release.

It has been mailed out to the translation project to solicit translation updates.

The source archive is available at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc1.tar.xz/download>

Detached GnuPG signatures for the respective tarballs are at:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.22.rc1.tar.xz.asc/download>

SHA256 hash values for the tarballs:
SHA256(fetchmail-6.4.22.rc1.tar.xz)= 96634167a0c21673abaa8c76e669fb5799266c19f784c03a760c2048681cd3b3

Here are the release notes:
---------------------------------------------------------------------------------
fetchmail-6.4.22 (not yet released):

# SECURITY FIXES:
* On IMAP connections, without --ssl and with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when the server or an attacker sends a PREAUTH greeting, fetchmail used to continue an unencrypted connection. Now, log the error and abort the connection. Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".

# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 has not supported and does not support the separate challenge/response with command continuation)
* On IMAP connections, when --auth external is requested but not advertised by the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or --plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or --plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 and happened when plugging memory leaks, which did not account for that the envelope parameter is special when set as "no envelope". The segfault happens in a constant strlen(-1), triggered by trusted local input => no vulnerability.

# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. (cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, placing --sslproto tls1.2+ more prominently. The defaults shall not change between 6.4.X releases for compatibility.
---------------------------------------------------------------------------------

Happy fetches,
Matthias
From: Matthias A. <mat...@gm...> - 2021-08-15 14:41:01
Greetings,

all released fetchmail versions to date (up to and including 6.4.21) were found susceptible to some sorts of attacks against STARTTLS (IMAP) or STLS (POP3), which can lead to a session that remains unencrypted even though --sslproto tls1.2+ or similar configurations require encryption, and worst case exposing the user's login credentials and also e-mail when the configuration tells otherwise.

The solution in fetchmail code requires thorough reviews and changes that will take more time. Remember that fetchmail is a volunteer spare-time project.

The details of the implementation and concept flaws shall be disclosed later in the formal fetchmail security announcement 2021-02 (not yet published).

MITIGATING THE IMPACT:

Proper configuration for Implicit TLS can mitigate the impact for many users. I am already announcing such configuration changes below:

------------------------------------------------------------------------

Everyone whose server supports "Implicit TLS", meaning TLS on a dedicated imaps port (TCP port 993) or pop3s port (TCP port 995), should reconfigure fetchmail to enable this option (ssl or --ssl) permanently.

This can be achieved in two ways, either of which alone is sufficient:

- on the command line, add --ssl, which will affect all servers included in the poll (= all poll statements from the rcfile, or all servers mentioned on the same command line).

- in the rcfile, by adding the word "ssl" without quotes after each configuration stanza for a user description.

After making the change, test your new configuration before enabling unattended operation.

Future directions:

1. The Internet Engineering Task Force (IETF) has proposed standards that consider both STARTTLS obsolete (RFC-8314) and deprecate TLS 1.1 and earlier (including all SSL versions) (RFC-8997).

2. I may make Implicit TLS the default in future fetchmail releases, and promise to at least bump the minor version to >= 6.5.0 in that case.

------------------------------------------------------------------------

I will also add an *unrelated* recommendation while we are at it and users are suggested to edit their configurations anyway:

I suggest that everyone configures fetchmail to negotiate at least TLS v1.2 if supported by the server, or at least TLS v1.2, which can happen on the command line through --sslproto TLS1.2+ or in the rcfile by adding sslproto TLS1.2+ in each stanza after each user statement.

Where possible, meaning server-side support and support by the local OpenSSL library version (for instance, 1.1.1 is good enough), fetchmail can also be configured to require TLS v1.3 or newer instead, in that case, use --sslproto TLS1.3+ on the command line or sslproto TLS1.3+ in the rcfile.

Future direction: fetchmail 6.5 and newer (not yet released and several weeks to months out) will make TLS 1.2 the minimum required version, and will also require an OpenSSL library that supports TLS 1.3.

------------------------------------------------------------------------

Note that the changes proposed above, when successfully deployed, can remain in place when fetchmail 6.4.22 will be released, so there is no need to wait.
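The following is an added example, not code from fetchmail or from any of the messages above. It models, in C, the decision the 6.4.22 notes and fetchmail-SA-2021-02 describe: after the IMAP greeting, a client that must enforce TLS has to abort on PREAUTH (STARTTLS is not permitted once in authenticated state), may only proceed in cleartext when STARTTLS is neither required nor offered, must not override a server-side LOGINDISABLED, and uses capabilities the server volunteers in the greeting instead of re-probing. The authentication method is deliberately not an input, so nothing like --auth ssh or RPA can suppress the STARTTLS decision. It also includes the port/ssl mismatch warning from the CHANGES section. The enum and function names are this example's own, the greetings are constructed, and the capability parsing is simplified (a "[CAPABILITY ...]" response code in uppercase, space-separated tokens).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Illustrative policy names (not fetchmail's):
 * TLS_IMPLICIT          = --ssl / "ssl": TLS is negotiated before any IMAP bytes
 * TLS_REQUIRED_STARTTLS = no --ssl but nonempty --sslproto: STARTTLS is mandatory
 * TLS_OPPORTUNISTIC     = neither: upgrade if offered, otherwise stay in cleartext */
enum tls_mode { TLS_OPPORTUNISTIC, TLS_REQUIRED_STARTTLS, TLS_IMPLICIT };

/* What the client does next after reading the greeting. */
enum next_step { STEP_STARTTLS, STEP_AUTHENTICATE, STEP_CONTINUE_PREAUTH, STEP_ABORT };

/* Copy the contents of a "[CAPABILITY ...]" response code in the greeting into
 * caps. Returns 0 when the greeting carries none (the client must then probe). */
static int greeting_capability(const char *line, char *caps, size_t capsz)
{
    const char *start = strstr(line, "[CAPABILITY ");
    if (!start) return 0;
    start += strlen("[CAPABILITY ");
    const char *end = strchr(start, ']');
    if (!end) return 0;
    size_t len = (size_t)(end - start);
    if (len >= capsz) len = capsz - 1;
    memcpy(caps, start, len);
    caps[len] = '\0';
    return 1;
}

/* Case-insensitive test for one token in a space-separated capability list:
 * capability names are case-insensitive, so "starttls" counts as STARTTLS. */
static int capability_has(const char *caps, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = caps; *p; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ') end++;
        if ((size_t)(end - p) == n && strncasecmp(p, name, n) == 0) return 1;
        p = end;
    }
    return 0;
}

/* Decide the next step after the server greeting. probed_caps is the reply to
 * a separate CAPABILITY command (may be NULL); it is consulted only when the
 * greeting did not volunteer capabilities. */
enum next_step imap_greeting_policy(enum tls_mode mode, const char *greeting,
                                    const char *probed_caps)
{
    char caps[512];
    int preauth = strncmp(greeting, "* PREAUTH", 9) == 0;

    if (mode == TLS_IMPLICIT)   /* already encrypted, so PREAUTH is harmless */
        return preauth ? STEP_CONTINUE_PREAUTH : STEP_AUTHENTICATE;

    if (preauth) {
        /* RFC 3501 allows STARTTLS only in not-authenticated state, so this
         * session can never be upgraded. If TLS is required, the only safe
         * answer is to abort (the CVE-2021-39272 condition). */
        return mode == TLS_REQUIRED_STARTTLS ? STEP_ABORT : STEP_CONTINUE_PREAUTH;
    }

    if (!greeting_capability(greeting, caps, sizeof caps))
        snprintf(caps, sizeof caps, "%s", probed_caps ? probed_caps : "");

    if (capability_has(caps, "STARTTLS"))
        return STEP_STARTTLS;
    if (mode == TLS_REQUIRED_STARTTLS)
        return STEP_ABORT;      /* required, but the server does not offer it */
    /* Cleartext it is: honour a server-side LOGINDISABLED instead of
     * overriding it with a plaintext LOGIN. */
    if (capability_has(caps, "LOGINDISABLED"))
        return STEP_ABORT;
    return STEP_AUTHENTICATE;
}

/* Warn when port and ssl flag disagree on the well-known ports, as 6.4.22
 * does. Returns 1 when a warning applies. */
int port_ssl_mismatch(int port, int ssl)
{
    switch (port) {
    case 110: case 143: return ssl != 0;   /* STARTTLS ports given --ssl */
    case 993: case 995: return ssl == 0;   /* implicit-TLS ports without --ssl */
    default:            return 0;
    }
}

int main(void)
{
    /* Constructed greetings; not captured from any real server. */
    static const char *names[] = { "STARTTLS", "AUTHENTICATE", "CONTINUE (PREAUTH)", "ABORT" };
    const char *preauth = "* PREAUTH [CAPABILITY IMAP4rev1] user already authenticated";
    const char *upgrade = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready";

    printf("required STARTTLS, PREAUTH greeting: %s\n",
           names[imap_greeting_policy(TLS_REQUIRED_STARTTLS, preauth, NULL)]);
    printf("implicit TLS, PREAUTH greeting:      %s\n",
           names[imap_greeting_policy(TLS_IMPLICIT, preauth, NULL)]);
    printf("required STARTTLS, STARTTLS offered: %s\n",
           names[imap_greeting_policy(TLS_REQUIRED_STARTTLS, upgrade, NULL)]);
    printf("port 993 without ssl: %s\n", port_ssl_mismatch(993, 0) ? "warning" : "ok");
    return 0;
}
```

The abort on PREAUTH is the whole point of the fix: an attacker who can inject a single "* PREAUTH" greeting into a cleartext TCP stream would otherwise downgrade a connection the user believed was TLS-only, which is why the advisory recommends Implicit TLS (--ssl on 993/995) where the server supports it, since there the greeting itself already arrives encrypted.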
From: Matthias A. <mat...@gm...> - 2021-08-09 17:04:11
Greetings,

The 6.5.0.beta5 release of fetchmail is now available at the usual locations, including
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/>

The source archive has been uploaded and will shortly be available from:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz/download>

This is a deep link to the GnuPG signature:
<https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta5.tar.xz.asc/download>

This fixes a regression introduced with the security fix for CVE-2021-36386 that broke --logfile and generally could cause log message truncation, and merges Eric Durand's --idletimeout configuration feature.

This is the change history from Git:
================================================================================
* 0664b370 2021-08-09 | Merge branch 'legacy_64' into legacy_6x, bumping...
|\
| * 06aee72e 2021-08-09 | Bump version to 6.4.21. (tag: RELEASE_6-4-21)
| * 65d9dde0 2021-08-09 | Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3.
| * 54c3e4a1 2021-08-09 | NEWS/6.4.20: Fix typo in CVE number.
| * d3db2da1 2021-08-09 | Fix --logfile and message truncation issue.
| * f6ebe48b 2021-08-03 | fetchmail-SA-2021-01.txt: Replace copy by symlink
| * a8f8447d 2021-08-03 | update fetchmail-SA-2021-01
| * fa027fe6 2021-08-03 | website: ext. link updates for openssh, getmail6
| * 13d816ba 2021-08-03 | Update website for 6.5.0.beta4 release.
* db1cff0d 2021-08-05 | Merge branch 'rand0mdud3/fetchmail-legacy_6x_idle_timeout' into legacy_6x
|\
| * 3d71de2f 2021-08-05 | Complete integration of --idletimeout feature.
| * 0dc17130 2021-07-22 | Make the idle timeout configurable [Eric Durand]
|/
* adcd49a1 2021-08-05 | fetchmailconf: fixup merge indentation error from ed4903efad
* 77a1e3fc 2021-08-04 | fetchmail.man: Minor tweaks to sslproto doc.
* 38f73ff5 2021-08-04 | fetchmail.man: update sslproto to reflect defaults
* b3dd1527 2021-08-04 | socket.c: try harder not to redefine TLS_MAX_VERSION
* b3eb6a48 2021-08-04 | driver.c: Fix misreporting SMTP errors as MDA.
* 8e435aff 2021-08-04 | get_sink_type: return gettextized string of sink type.
* 6124abb3 2021-08-04 | socket.c: refactor SSL shutdown/context getter code
================================================================================
From: Matthias A. <mat...@gm...> - 2021-08-09 16:51:07
TL;DR Summary: While fetchmail 6.4.20 fixed CVE-2021-36386, it introduced a bug WRT buffered logging that got fixed in 6.4.21. Packagers should either upgrade all the way to 6.4.21, or pick the near-trivial regression fix from section #3 below or Git commit d3db2da1 can be cherry-picked from the GitLab or SourceForge repos.

Updated security announcement follows:
--------------------------------------------------------------------
fetchmail-SA-2021-01: DoS or information disclosure logging long messages

Topics:         fetchmail denial of service or information disclosure when logging long messages
Author:         Matthias Andree
Version:        1.3
Announced:      2021-07-28 (original), 2021-08-09 (last update)
Type:           missing variable initialization can cause read from bad memory locations
Impact:         fetchmail logs random information, or segfaults and aborts, stalling inbound mail
Danger:         low
Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany for analysis and report and a patch suggestion
CVE Name:       CVE-2021-36386 and CVE-2008-2711
URL:            https://www.fetchmail.info/fetchmail-SA-2021-01.txt
URL:            https://www.fetchmail.info/fetchmail-SA-2008-01.txt
Project URL:    https://www.fetchmail.info/

Affects:        - fetchmail releases up to and including 6.3.8
                - fetchmail releases 6.3.17 up to incl. 6.4.19 (but note 6.4.20 regresses for buffered output, f.i. with --logfile)

Not affected:   - fetchmail releases 6.4.21 and newer (fetchmail 6.4.20 fixes the immediate bug but regresses and causes message truncation on buffered output)
                - fetchmail releases 6.3.9 to 6.3.16

Corrected in:   c546c829 + d3db2da1 Git commit hash (both needed)
                2021-08-09 fetchmail 6.4.21 release tarball

0. Release history
==================

2021-07-07 initial report to maintainer
2021-07-28 1.0 release
2021-07-28 1.1 update Git commit hash with correction
2021-08-03 1.2 add references to CVE-2008-2711/fetchmail-SA-2008-01
2021-08-09 1.3 mention buffered logging regression (--logfile)

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports.

2. Problem description and Impact
=================================

Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf.

The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration. On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end.

The same bug then named CVE-2008-2711 had already been fixed in fetchmail 6.3.9, but a code refactoring in fetchmail 6.3.17 (commit 414a3809 in 2010) reintroduced the bug. Fetchmail versions 6.4.19 and older are no longer supported, however. The bugfix used in 6.4.20 uses a different, more thorough, approach.

3. Solution
===========

Install fetchmail 6.4.21 or newer.

The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>.

Distributors are encouraged to review the NEWS file and move forward to 6.4.21, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates.

The regression fix for the new non-security bug in 6.4.20 that causes log message truncation simply consists of editing report.c to rotate lines 289 through 291, such that the /corrected/ report.c then looks like this:

    286     n = snprintf (partial_message + partial_message_size_used,
    287                   partial_message_size - partial_message_size_used,
    288                   message, a1, a2, a3, a4, a5, a6, a7, a8);
    289
    290     if (n > 0) partial_message_size_used += n;
    291 #endif
    292
    293     if (unbuffered && partial_message_size_used != 0)

Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface incompatibly.

A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2021 by Matthias Andree, <mat...@gm...>. Some rights reserved.

fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC BY-ND 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk.

END of fetchmail-SA-2021-01
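The following is an added example and not fetchmail's report.c. It shows the two properties fetchmail-SA-2021-01 is about in one small piecemeal log buffer: a va_list that has been passed to vsnprintf is indeterminate afterwards, so the retry after a realloc must work on a fresh va_copy (reusing the consumed list is the CVE-2008-2711 / CVE-2021-36386 defect, which yields garbage, "(null)" or a SIGSEGV depending on the ABI); and the bytes written by each fragment must be accounted for right after the call, before anything checks whether a complete message is ready to flush, which is what the 6.4.21 one-line rotation restores. The struct and function names are this example's own, and the 300-byte header value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A log line assembled from several fragments before it is emitted. */
struct logbuf {
    char  *buf;    /* heap buffer, may be NULL before the first fragment */
    size_t size;   /* allocated bytes */
    size_t used;   /* bytes written so far, not counting the terminating NUL */
};

/* Append one printf-style fragment, growing the buffer when it does not fit.
 * Returns the number of characters appended, or -1 on error. */
int logbuf_append(struct logbuf *lb, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    for (;;) {
        va_list aq;
        /* Every vsnprintf attempt consumes its va_list, so each attempt
         * (including the retry after growing) gets its own copy of ap. */
        va_copy(aq, ap);
        int n = vsnprintf(lb->buf ? lb->buf + lb->used : NULL,
                          lb->size - lb->used, fmt, aq);
        va_end(aq);
        if (n < 0) { va_end(ap); return -1; }

        if ((size_t)n < lb->size - lb->used) {
            /* Fragment fitted: account for it immediately, so a later
             * "is a full line ready?" check sees the true length. */
            lb->used += (size_t)n;
            va_end(ap);
            return n;
        }
        /* Did not fit (n is the length that would have been needed):
         * grow to exactly that and retry with a fresh copy of ap. */
        size_t need = lb->used + (size_t)n + 1;
        char *nb = realloc(lb->buf, need);
        if (!nb) { va_end(ap); return -1; }
        lb->buf = nb;
        lb->size = need;
    }
}

/* Hand the assembled message to the caller (who frees it) and reset. */
char *logbuf_take(struct logbuf *lb)
{
    char *s = lb->buf;
    if (!s) { s = malloc(1); if (s) *s = '\0'; }
    lb->buf = NULL;
    lb->size = lb->used = 0;
    return s;
}

/* Worked case: a verbose-mode line carrying an oversized header, built in
 * three fragments so that the buffer is reallocated twice along the way.
 * Returns the final message length, or 0 if a fragment was lost or mangled. */
size_t assemble_long_message(void)
{
    struct logbuf lb = { NULL, 0, 0 };
    char header[301];                      /* constructed 300-byte header value */
    memset(header, 'A', 300);
    header[300] = '\0';

    if (logbuf_append(&lb, "fetchmail: about to deliver with: ") < 0) return 0;
    if (logbuf_append(&lb, "Subject: %s", header) < 0) return 0;
    if (logbuf_append(&lb, " (%d bytes)\n", 300) < 0) return 0;

    char *msg = logbuf_take(&lb);
    if (!msg) return 0;
    size_t len = strlen(msg);
    int intact = strncmp(msg, "fetchmail: about to deliver with: Subject: AAAA", 47) == 0
              && strstr(msg, "AAAA (300 bytes)\n") != NULL;
    free(msg);
    return intact ? len : 0;
}

int main(void)
{
    size_t len = assemble_long_message();
    printf("assembled message: %zu bytes%s\n", len, len ? "" : " (BROKEN)");
    return len ? 0 : 1;
}
```

The fix in the advisory is exactly the placement of the accounting line: with `partial_message_size_used += n` moved after the `#endif`, it runs for both the vsnprintf and the fixed-argument snprintf build, so the length check that decides whether to flush a line no longer sees a stale size and truncates buffered (--logfile) output.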