Menu
▾
▴
fetchmail-devel — Development related discussion
You can subscribe to this list here.
| 2004 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(73) |
Jul
(22) |
Aug
(42) |
Sep
(11) |
Oct
(23) |
Nov
(40) |
Dec
(2) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2005 |
Jan
|
Feb
|
Mar
(17) |
Apr
(26) |
May
(6) |
Jun
(21) |
Jul
(133) |
Aug
(25) |
Sep
(40) |
Oct
(12) |
Nov
(71) |
Dec
(57) |
| 2006 |
Jan
(23) |
Feb
(22) |
Mar
(43) |
Apr
(27) |
May
(13) |
Jun
(7) |
Jul
(3) |
Aug
(20) |
Sep
(16) |
Oct
(17) |
Nov
(31) |
Dec
(10) |
| 2007 |
Jan
(12) |
Feb
(17) |
Mar
(26) |
Apr
(13) |
May
(4) |
Jun
(1) |
Jul
(1) |
Aug
(21) |
Sep
(3) |
Oct
(8) |
Nov
(8) |
Dec
(5) |
| 2008 |
Jan
(5) |
Feb
(1) |
Mar
(3) |
Apr
(10) |
May
(3) |
Jun
(11) |
Jul
(5) |
Aug
(1) |
Sep
(6) |
Oct
|
Nov
(10) |
Dec
(2) |
| 2009 |
Jan
(17) |
Feb
(2) |
Mar
(1) |
Apr
(9) |
May
(23) |
Jun
(22) |
Jul
(32) |
Aug
(30) |
Sep
(11) |
Oct
(24) |
Nov
(4) |
Dec
|
| 2010 |
Jan
(12) |
Feb
(56) |
Mar
(32) |
Apr
(41) |
May
(36) |
Jun
(14) |
Jul
(7) |
Aug
(10) |
Sep
(13) |
Oct
(16) |
Nov
|
Dec
(14) |
| 2011 |
Jan
(3) |
Feb
|
Mar
(1) |
Apr
(16) |
May
(36) |
Jun
(2) |
Jul
|
Aug
(9) |
Sep
(2) |
Oct
(1) |
Nov
(8) |
Dec
(3) |
| 2012 |
Jan
(1) |
Feb
(5) |
Mar
(1) |
Apr
(1) |
May
(2) |
Jun
|
Jul
|
Aug
(7) |
Sep
(9) |
Oct
(2) |
Nov
(8) |
Dec
(9) |
| 2013 |
Jan
(11) |
Feb
(6) |
Mar
(14) |
Apr
(10) |
May
|
Jun
(12) |
Jul
(2) |
Aug
(2) |
Sep
(2) |
Oct
|
Nov
(7) |
Dec
(4) |
| 2014 |
Jan
(1) |
Feb
|
Mar
(2) |
Apr
(1) |
May
|
Jun
|
Jul
(1) |
Aug
(1) |
Sep
(1) |
Oct
(1) |
Nov
|
Dec
|
| 2015 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2016 |
Jan
|
Feb
|
Mar
|
Apr
(4) |
May
|
Jun
(7) |
Jul
|
Aug
(8) |
Sep
(8) |
Oct
|
Nov
|
Dec
(2) |
| 2017 |
Jan
|
Feb
|
Mar
(2) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(3) |
Nov
|
Dec
|
| 2018 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(2) |
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(3) |
Jun
|
Jul
|
Aug
(6) |
Sep
(3) |
Oct
|
Nov
|
Dec
|
| 2020 |
Jan
(2) |
Feb
(3) |
Mar
(5) |
Apr
(2) |
May
(3) |
Jun
(3) |
Jul
(3) |
Aug
(2) |
Sep
(3) |
Oct
(4) |
Nov
(3) |
Dec
|
| 2021 |
Jan
(5) |
Feb
(2) |
Mar
(3) |
Apr
(3) |
May
|
Jun
|
Jul
(2) |
Aug
(14) |
Sep
(3) |
Oct
(4) |
Nov
(4) |
Dec
(3) |
| 2022 |
Jan
|
Feb
(2) |
Mar
(2) |
Apr
(1) |
May
|
Jun
|
Jul
(3) |
Aug
(1) |
Sep
|
Oct
(2) |
Nov
|
Dec
|
| 2023 |
Jan
(3) |
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2024 |
Jan
(2) |
Feb
|
Mar
|
Apr
|
May
(1) |
Jun
|
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(1) |
Dec
(1) |
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(3) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Matthias A. <mat...@gm...> - 2021-08-09 15:55:47
|
Am 09.08.21 um 10:01 schrieb dv...@in...: > Many thanks for the rapid fix for CVE-2021-36386.6.5.0.beta4 builds > and works fine here, on devuan beowulf. > > One thing to report is that logging now omits newlines, making the > log more useful as wallpaper than a log. (Not vital here, as I only > use it as a progress meter, especially while downloading 9605 emails > the other day, after 8 weeks off-line, after network damage due to > storms.) > > Today: > $ wc /tmp/fetchmail_log > 1 436 4270 /tmp/fetchmail_log > > It may be tangentially relevant that it is now necessary > to "touch" the logfile at each daily boot, as fetchmail no longer > creates it. > > These trivialities aside, I'm a rusted-on fetchmail fan, since last > century, and grateful that it is so well maintained. Erik, sorry about the inconvenience and thanks for the support and your report. Unfortunately the log misses more than just the newlines, namely also further fragments such as messages sizes. I've cross-mailed my findings in the message with subject "Re: FM v6.4.20 - concatenated log lines". Regarding the logfile option and the need to have the log file in place, 6.5.0.beta4 documents that the log file needs to exist before launching fetchmail - so if your log rotation erases it, reconfigure it such that it leaves a blank file in place. 6.5.0.beta5 coming up soonish (but 6.4.21 gets priority). Cheers, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-08-09 15:49:12
|
Am 08.08.21 um 21:54 schrieb Matthias Andree:
> Am 08.08.21 um 20:07 schrieb J.Edner:
>> Hi,
>> I've just compiled and installed Fetchmail 6.4.20 on my server and found
>> out, that some log lines are missing a new-line at the end, so that they
>> are concatenated as follows:
>>
>> fetchmail: 16 messages for XYZ at SERVERfetchmail: reading message
>> XYZ@SERVER:1 of 16fetchmail: reading message XYZ@SERVER:2 of
>> 16fetchmail: reading message XYZ@SERVER:3 of 16fetchmail: reading
>> message ...
>>
>> I checked the source code and saw that a new-line seems to be missing.
>> After I've applied this small patch all messages are correctly written
>> to the log file again:
>>
>> ----------
>> --- a/driver.c. 2021-08-08 17:06:53.756148421 +0200
>> +++ b/driver.c 2021-08-08 17:09:20.231666827 +0200
>> @@ -629,7 +629,7 @@ static int fetch_messages(int mailserver
>>
>> if (outlevel > O_SILENT)
>> {
>> - report_build(stdout, GT_("reading message %s@%s:%d of %d"),
>> + report_build(stdout, GT_("reading message %s@%s:%d of %d\n"),
>> ctl->remotename, ctl->server.truename,
>> num, count);
>> ----------
>>
>> The result looks as follows now again:
>>
>> fetchmail: 16 messages for XYZ at SERVER
>> fetchmail: reading message XYZ@SERVER:1 of 16
>> fetchmail: reading message XYZ@SERVER:2 of 16
>> fetchmail: reading message XYZ@SERVER:3 of 16
>> ...
Got it.
There is one statement in report_build, "if (n > 0)
partial_message_size_used += n;" which slipped outside the #if
defined(VA_START)...#endif block and that causes an excess (double)
increment of the string length; because both report_vbuild() and then
again this cited statement will bump the partial_message_size_used
counter. In effect, the buffer allocation is excessive and, more
importantly, the 2nd and later report_build() before the next report()
or report_complete() write too deep into the buffer. This will not cause
overruns due to the reallocation prior to the vsnprintf/sprintf, but it
write starts behind the '\0' byte, instead of right over it, so the
string also gets truncated to the first fragment written with
report_vbuild().
This does not affect --syslog or console output so, for lack of relevant
test items, escaped my testing. Sorry about that.
This patch fixes the issue (this is for perusal, I am attaching a copy,
or if it doesn't make it through to the list, cherry-pick the report.c
part from Git commit d3db2da1). fetchmail 6.4.21 and revised security
announcement coming up, and 6.5.0-beta5 should not be too far out either.
https://gitlab.com/fetchmail/fetchmail/-/commit/d3db2da1d13bd2419370ad96defb92eecb17064c
https://sourceforge.net/p/fetchmail/git/ci/d3db2da1d13bd2419370ad96defb92eecb17064c/
diff --git a/report.c b/report.c
index aea6b3ea..2db7d0a9 100644
--- a/report.c
+++ b/report.c
@@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist)
n = snprintf (partial_message + partial_message_size_used,
partial_message_size - partial_message_size_used,
message, a1, a2, a3, a4, a5, a6, a7, a8);
-#endif
if (n > 0) partial_message_size_used += n;
+#endif
+
if (unbuffered && partial_message_size_used != 0)
{
partial_message_size_used = 0;
|
|
From: <dv...@in...> - 2021-08-09 08:02:19
|
Many thanks for the rapid fix for CVE-2021-36386.6.5.0.beta4 builds and works fine here, on devuan beowulf. One thing to report is that logging now omits newlines, making the log more useful as wallpaper than a log. (Not vital here, as I only use it as a progress meter, especially while downloading 9605 emails the other day, after 8 weeks off-line, after network damage due to storms.) Today: $ wc /tmp/fetchmail_log 1 436 4270 /tmp/fetchmail_log It may be tangentially relevant that it is now necessary to "touch" the logfile at each daily boot, as fetchmail no longer creates it. These trivialities aside, I'm a rusted-on fetchmail fan, since last century, and grateful that it is so well maintained. Erik |
|
From: Matthias A. <mat...@gm...> - 2021-08-03 14:31:58
|
Greetings, The 7.0.0-alpha9 snapshot of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/> The source archive and a detached GnuPG signature are available at: <https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha9.tar.xz/download> <https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha9.tar.xz.asc/download> It mostly merges up the recent 6.4 and 6.5 branch changes including the CVE-2021-36386 security fix, but has a few changes of its own: * 8a485deb 2021-08-03 | Bump version to alpha9. (tag: 7.0.0-alpha9) * f63c20f0 2021-06-27 | Add support for Microsoft Office 365 OAuth2 login [Marijn van Vliet] * 71edd0ce 2021-04-29 | PWMD: rename ./configure option to --enable-libpwmd * ede874be 2021-04-29 | build-pwmd.sh: developer test script to build PWMD-enabled fetchmail for make check * 09efedd3 2021-04-29 | .gitignore: no longer ignore build* non-directories * 3898bb03 2021-04-27 | pwmd: Fix building with recent GCC. [Ben Kibbey] Here are the release notes: -------------------------------------------------------------------------------- fetchmail-7.0.0 (not yet released): NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED! XXX and FIXME - see the big merge of 2019-08-25, and 2021-01-03 # INCOMPATIBLE CHANGES * The SSL/TLS options were massively changed and disentangled, to be clearer. * --sslmode starttls=must is now the default as a consequence of the previous sslcertck default. If you need an unencrypted connection, use --sslmode none. If you need an SSL-wrapped connection that starts immediately on a separate port, use --sslmode wrapped. * See the REMOVED FEATURES section below for further incompatibilities. # MAJOR CHANGES * The POP3 code now always uses UIDL, except if "fetchall" is in effect. Fixes BerliOS Bug #16172. Fixes Debian Bug#345788. The --uidl option is now gone. # FEATURES ADDED * fetchmail has initial support for OAUTH2, courtesy of Matthew M. Ogilvie. This requires a helper script (in Python) that ships in the contrib/ section. * Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at compile-time and requires run-time configuration. See README.PWMD for details. Contributed by Ben Kibbey, author of libpwmd and pwmd. * Fetchmail can now run an external command to retrieve credentials (passwords), see the fetchmail man page for passwordeval. * Fetchmail now supports a retrieve-error command line or rcfile option that takes exactly one argument, abort (default), continue or markseen. This specifies the policy used by fetchmail to handle messages whose bodies fail to be retrieved due to server errors. Both the continue and markseen options will skip the message with errors and allow the session to continue so that subsequent messages can be retrieved. The markseen option will also mark the message with errors as seen. The default policy is to abort the session whenever a server error occurs. Contributed by Craig Brown. * Fetchmailconf offers CRAM-MD5 and APOP authentication. XXX FIXME: check * The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode option, which cleans up the incomprehensible --ssl and --sslproto mess of fetchmail versions before v7.0.0. * The SSL/TLS/STARTTLS protocol version can now be selected through a new --sslprotocolversion switch. * The SSL/TLS cipher in used is now reported in verbose mode. * FIXME: The SHA1 fingerprint is now printed along with the MD5 digest of the server's certificate; however, this can not yet be matched - matches are still against MD5 only. # REMOVED FEATURES * IMAP2 and POP2 protocol support were removed. * RPOP support (not actually a protocol, but a variant of POP3) was removed. * POP3: the (--)uidl option has been removed. It is always on. * POP3: LAST is no longer used. It was removed from POP3 in the year 1994, and it could cause mail loss when the connection was interrupted or if clients besides fetchmail polled the mailbox. * The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain. * Kerberos IV support was removed. * The --ssl option is obsolescent and triggers a warning that users should use --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped. * The --sslproto option was removed. Two new options were added in its place, --sslmode and --sslprotocolversion. * A lot of outdated and/or unsafe-to-use material got dropped from contrib/. # CHANGES * APOP is no longer a protocol, but an authentication method. In order to use it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop. If no authentication method is specified, APOP is automatically tried if offered by the server before we resort to sending the password as clear text. # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, so compiling 32-bit SPARC code should not cause any difficulties. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. -------------------------------------------------------------------------------- |
|
From: Matthias A. <mat...@gm...> - 2021-08-03 14:13:40
|
Greetings, The 6.5.0.beta4 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.5/> The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta4.tar.xz/download> This is a deep link to the GnuPG signature: <https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta4.tar.xz.asc/download> This merges the recent 6.4.20 security fix for CVE-2021-36386, with these additional changes: * 1c214c45 2021-07-07 | mock POP3 test server updates * 2cc88ec4 2021-06-26 | GitLab CI * 462b5c38 2021-05-15 | CMakeLists.txt: only compile getopt* if getopt_long() missing. * a6f29dc5 2021-05-13 | Rudimentary unusable attempt at a CMakeLists file. * c7b820b1 2021-04-26 | fetchmail.man: really bump version to beta3 to match release. * 57bd6a92 2021-04-26 | imap.c: correct EXPUNGE count -> EXPUNGE message no. Here are the release notes: -------------------------------------------------------------------------------- fetchmail-6.5.0 (not yet released): ## REMOVED FEATURES * fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone. * fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given. ## INCOMPATIBLE CHANGES * fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525) * fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option. * fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option. * fetchmailconf now requires Python 3.7.0 or newer. * fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte. * fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below. ## CHANGED REQUIREMENTS * fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence: - The trio/ library has been removed from the distribution. - The libesmtp/getaddrinfo.? library has been removed from the distribution. - The KAME/getnameinfo.c file has been removed from the distribution. * fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL, at a minimum OpenSSL v1.1.1. ## BUG FIXES * fetchmail can now report mailbox sizes of 2^31 octets and beyond. This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt. * fetchmail now defines its OpenSSL API level (1.1.1, or 10101) so as to compile with OpenSSL 3.0.0. (fetchmail was requesting to hide deprecated APIs.) ## CHANGES * When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20. * The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags. * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31. ## EXPERIMENTAL CHANGES - these are not documented anywhere else, only here: * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompabilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.0-alpha4. * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH". * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect. * NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort. ================================================================================ |
|
From: Matthias A. <mat...@gm...> - 2021-07-28 21:04:25
|
fetchmail-SA-2021-01: DoS or information disclosure logging long messages Topics: fetchmail denial of service or information disclosure when logging long messages Author: Matthias Andree Version: 1.1 Announced: 2021-07-28 Type: missing variable initialization can cause read from bad memory locations Impact: fetchmail logs random information, or segfaults and aborts, stalling inbound mail Danger: low Acknowledgment: Christian Herdtweck, Intra2net AG, Tübingen, Germany for analysis and report and a patch suggestion CVE Name: CVE-2021-36386 URL: https://www.fetchmail.info/fetchmail-SA-2021-01.txt Project URL: https://www.fetchmail.info/ Affects: - fetchmail releases up to and including 6.4.19 Not affected: - fetchmail releases 6.4.20 and newer Corrected in: c546c829 Git commit hash 2021-07-28 fetchmail 6.4.20 release tarball 0. Release history ================== 2021-07-07 initial report to maintainer 2021-07-28 1.0 release 2021-07-28 1.1 update Git commit hash with correction 1. Background ============= fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports. 2. Problem description and Impact ================================= Fetchmail has long had support to assemble log/error messages that are generated piecemeal, and takes care to reallocate the output buffer as needed. In the reallocation case, i. e. when long log messages are assembled that can stem from very long headers, and on systems that have a varargs.h/stdarg.h interface (all modern systems), fetchmail's code would fail to reinitialize the va_list argument to vsnprintf. The exact effects depend on the verbose mode (how many -v are given) of fetchmail, computer architecture, compiler, operating system and configuration. On some systems, the code just works without ill effects, some systems log a garbage message (potentially disclosing sensitive information), some systems log literally "(null)", some systems trigger SIGSEGV (signal #11), which crashes fetchmail, causing a denial of service on fetchmail's end. 3. Solution =========== Install fetchmail 6.4.20 or newer. The fetchmail source code is available from <https://sourceforge.net/projects/fetchmail/files/>. Distributors are encouraged to review the NEWS file and move forward to 6.4.20, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued, or documentation, or translation updates. Fetchmail 6.4.X releases have been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.Z or 6.4.X to 6.4.Y with Y > X. Care was taken to not change the interface incompatibly. A. Copyright, License and Non-Warranty ====================================== (C) Copyright 2021 by Matthias Andree, <mat...@gm...>. Some rights reserved. fetchmail-SA-2021-01 © 2021 by Matthias Andree is licensed under CC BY-ND 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/ THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of fetchmail-SA-2021-01 |
|
From: Matthias A. <mat...@gm...> - 2021-07-28 21:04:20
|
Greetings, The 6.4.20 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It contains an LMTP bug fix, updates fetchmailconf and the Serbian translation. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.20.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.20.tar.lz)= 497973353c0538216e7d7f2289a21d9acc5edd78f06d7ec008001f4f19e91b11 SHA256(fetchmail-6.4.20.tar.xz)= c82141ae2e8f0039ceb0c5c2eda43c5e93ad0bf7f9c6bb628092b3be74386176 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.20 (released 2021-07-28, 30042 LoC): # SECURITY FIX: * When a log message exceeds c. 2 kByte in size, for instance, with very long header contents, and depending on verbosity option, fetchmail can crash or misreport each first log message that requires a buffer reallocation. fetchmail then reallocates memory and re-runs vsnprintf() without another call to va_start(), so it reads garbage. The exact impact depends on many factors around the compiler and operating system configurations used and the implementation details of the stdarg.h interfaces of the two functions mentioned before. To fix CVE-2021-38386. Reported by Christian Herdtweck of Intra2net AG, Tübingen, Germany. --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-04-25 11:22:28
|
Greetings, The 6.5.0.beta3 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.5/> The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta3.tar.xz/download> This is a deep link to the GnuPG signature: <https://sourceforge.net/projects/fetchmail/files/branch_6.5/fetchmail-6.5.0.beta3.tar.xz.asc/download> This is mostly merging of the recent 6.4 releases, with these additional changes: * 13d7eab8 2021-04-24 | INSTALL: Spell-check [Matthias Andree] * deb5e66f 2021-03-29 | Add basic test framework to source from other tests. [Matthias Andree] * 9c9d47c9 2021-03-29 | fetchmail.man: Add QUICKSTART section. [Matthias Andree] * 3aafc8bd 2021-03-23 | Reduce 15 different translatable "Query status" messages into 2. [Lauri Nurmi] * c4ba1d68 2021-03-13 | po/de.po: Update. [Matthias Andree] * 13c9a52c 2021-03-13 | INSTALL: mention Python 3 optional, and suggest make check [Matthias Andree] * 6161c8c2 2021-03-13 | OpenSSL: Prepare for removal of TLS_MAX_VERSION declaration. [Matthias Andree] * 1b374b5f 2021-03-13 | tests: import Ubuntu's POP3 mock server operation test [Bryce Harrington] * da6eb347 2021-03-13 | sanity check well-known POP3/IMAP ports vs. SSL [Matthias Andree] * 58cd8002 2021-01-30 | tls-aux.h: Remove unneeded 1.0.2 compatibility code. [Matthias Andree] Here are the release notes: -------------------------------------------------------------------------------- fetchmail-6.5.0 (not yet released): ## REMOVED FEATURES * fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone. * fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given. ## INCOMPATIBLE CHANGES * fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525) * fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option. * fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option. * fetchmailconf now requires Python 3.7.0 or newer. * fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte. * fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below. ## CHANGED REQUIREMENTS * fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence: - The trio/ library has been removed from the distribution. - The libesmtp/getaddrinfo.? library has been removed from the distribution. - The KAME/getnameinfo.c file has been removed from the distribution. * fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL, at a minimum OpenSSL v1.1.1. ## BUG FIXES * fetchmail can now report mailbox sizes of 2^31 octets and beyond. This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt. * fetchmail now defines its OpenSSL API level (1.1.1, or 10101) so as to compile with OpenSSL 3.0.0. (fetchmail was requesting to hide deprecated APIs.) ## CHANGES * When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20. * The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags. ## EXPERIMENTAL CHANGES - these are not documented anywhere else, only here: * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompabilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.0-alpha4. * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH". * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect. * NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort. # KNOWN BUGS AND WORKAROUNDS (This section usually floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. -------------------------------------------------------------------------------- |
|
From: Matthias A. <mat...@gm...> - 2021-04-25 10:40:12
|
Greetings, The 7.0.0-alpha8 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/> The source archive is available at: <https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha8.tar.xz/download> It mostly merges up the recent 6.4 and 6.5 branch changes but has a few changes of its own: 919fd787 2021-04-24 | Bump max. passwordlen to 10000 bytes. [Matthias Andree] 6357924a 2021-04-24 | po/de.po: update [Matthias Andree] 53af1ae1 2021-04-24 | Bump version to -alpha8 [Matthias Andree] 05f66769 2021-04-24 | Fix up merge error. [Matthias Andree] d52ba965 2021-01-31 | Add README.OAUTH2 issue #27 (sourceforge/next, origin/next) [William Bader] 2a0c7680 2021-01-09 | fetchmailconf: better place for PIDfile. [Matthias Andree] 2950d204 2021-01-09 | fetchmailconf: Expose PIDfile (lockfile). [Matthias Andree] 7514a696 2021-01-05 | [conf] Print pidfile in configuration [Earl Chew] 204541b6 2021-01-03 | Add support for sslcertfile. [Matthias Andree] 81bcb126 2021-01-03 | [conf] Print sslcertfile in configuration (earlchew/fetchmail-issue/25) [Earl] Here are the release notes: fetchmail-7.0.0 (not yet released): NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED! XXX and FIXME - see the big merge of 2019-08-25, and 2021-01-03 # INCOMPATIBLE CHANGES * The SSL/TLS options were massively changed and disentangled, to be clearer. * --sslmode starttls=must is now the default as a consequence of the previous sslcertck default. If you need an unencrypted connection, use --sslmode none. If you need an SSL-wrapped connection that starts immediately on a separate port, use --sslmode wrapped. * See the REMOVED FEATURES section below for further incompatibilities. # MAJOR CHANGES * The POP3 code now always uses UIDL, except if "fetchall" is in effect. Fixes BerliOS Bug #16172. Fixes Debian Bug#345788. The --uidl option is now gone. # FEATURES ADDED * fetchmail has initial support for OAUTH2, courtesy of Matthew M. Ogilvie. This requires a helper script (in Python) that ships in the contrib/ section. * Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at compile-time and requires run-time configuration. See README.PWMD for details. Contributed by Ben Kibbey, author of libpwmd and pwmd. * Fetchmail can now run an external command to retrieve credentials (passwords), see the fetchmail man page for passwordeval. * Fetchmail now supports a retrieve-error command line or rcfile option that takes exactly one argument, abort (default), continue or markseen. This specifies the policy used by fetchmail to handle messages whose bodies fail to be retrieved due to server errors. Both the continue and markseen options will skip the message with errors and allow the session to continue so that subsequent messages can be retrieved. The markseen option will also mark the message with errors as seen. The default policy is to abort the session whenever a server error occurs. Contributed by Craig Brown. * Fetchmailconf offers CRAM-MD5 and APOP authentication. XXX FIXME: check * The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode option, which cleans up the incomprehensible --ssl and --sslproto mess of fetchmail versions before v7.0.0. * The SSL/TLS/STARTTLS protocol version can now be selected through a new --sslprotocolversion switch. * The SSL/TLS cipher in used is now reported in verbose mode. * FIXME: The SHA1 fingerprint is now printed along with the MD5 digest of the server's certificate; however, this can not yet be matched - matches are still against MD5 only. # REMOVED FEATURES * IMAP2 and POP2 protocol support were removed. * RPOP support (not actually a protocol, but a variant of POP3) was removed. * POP3: the (--)uidl option has been removed. It is always on. * POP3: LAST is no longer used. It was removed from POP3 in the year 1994, and it could cause mail loss when the connection was interrupted or if clients besides fetchmail polled the mailbox. * The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain. * Kerberos IV support was removed. * The --ssl option is obsolescent and triggers a warning that users should use --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped. * The --sslproto option was removed. Two new options were added in its place, --sslmode and --sslprotocolversion. * A lot of outdated and/or unsafe-to-use material got dropped from contrib/. # CHANGES * APOP is no longer a protocol, but an authentication method. In order to use it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop. If no authentication method is specified, APOP is automatically tried if offered by the server before we resort to sending the password as clear text. # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, so compiling 32-bit SPARC code should not cause any difficulties. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. |
|
From: Matthias A. <mat...@gm...> - 2021-04-25 09:18:29
|
Greetings, The 6.4.19 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It contains an LMTP bug fix, updates fetchmailconf and the Serbian translation. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.19.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.19.tar.lz)= fe4c33b9c57e1e4f341e01564259478fc8dcb28013a2f7240d726aa72f858286 SHA256(fetchmail-6.4.19.tar.xz)= cd8d11a3d103e50caa2ec64bcda6307eb3d0783a4d4dfd88e668b81aaf9d6b5f Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.19 (released 2021-04-24, 30026 LoC): # CHANGE: * fetchmailconf: properly catch and report option parsing errors # BUG FIX: * LMTP: do not try to validate the last component of a UNIX-domain LMTP socket as though it were a TCP port. Reported by Christoph Heitkamp, Gitlab issue #33. # TRANSLATION UPDATE: This fine person has contributed an updated translation: * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-03-27 22:44:57
|
Greetings, The 6.4.18 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It contains a few bug fixes and an updated Finnish translation. NOTE that the tarball contains an outdated NEWS file that does not mention the release date or lines-of-code. I will not re-roll the tarballs. The fixed NEWS file shall be committed to Git shortly. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.18.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.18.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.18.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.18.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.18.tar.lz)= abf0d6c63f1863af92d2129b1bd4c7e80ab4a511aaf8354eeefceaa072bd9a54 SHA256(fetchmail-6.4.18.tar.xz)= 302dc9bcdc6927dedf375d2baaead2347557faa70d98b1da83f2409fa6fb259f Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.18 (released 2021-03-27, 30011 LoC): # REGRESSION FIX: * fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump, but fetchmailconf support was incomplete in Git 7349f124 and it could not parse sslcertfile, thus the user settings editor came up empty with console errors printed. Fix configuration parser in fetchmailconf. # ROBUSTNESS FIXES: * fetchmailconf: do not require fetchmail for -V. do not require Tk (Tkinter) for -d option. This is to fail more gracefully on incomplete installs. * TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues with OpenSSL v3 - these are for development purposes, not production. * TLS futureproofing: use SSL_use_PrivateKey_file instead of SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3, and the user's key file might be something else than RSA. # TRANSLATION UPDATE: This fine person has contributed an updated translation: * fi: Lauri Nurmi [Finnish] --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-03-13 20:19:08
|
Greetings, The 6.4.18-rc1 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. Please test this release if you authenticate with an SSL/TLS key file and certificate, and please test the user configuration screens inside fetchmailconf if you are a fetchmailconf user, and report any findings, or report if things continue to work for you. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.18-rc1.tar.xz/download> A detached GnuPG signature is at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16-rc1.tar.xz.asc/download> Here are the release notes: -------------------------------------------------------------------------------- fetchmail-6.4.18 (not yet released): # REGRESSION FIX: * fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump, but fetchmailconf support was incomplete in Git 7349f124 and it could not parse sslcertfile, thus the user settings editor came up empty with console errors printed. Fix configuration parser in fetchmailconf. # ROBUSTNESS FIXES: * fetchmailconf: do not require fetchmail for -V. do not require Tk (Tkinter) for -d option. This is to fail more gracefully on incomplete installs. * TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues with OpenSSL v3 - these are for development purposes, not production. * TLS futureproofing: use SSL_use_PrivateKey_file instead of SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3, and the user's key file might be something else than RSA. -------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-03-07 14:25:22
|
Greetings, The 6.4.17 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>. It contains a few bug fixes and is more willing to give information on the trust store paths it is using (with -V or --version). The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.17.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.17.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.17.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.17.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.17.tar.lz)= 1f4aa30f4d62a3e786af01c7dd128611027ef92af85a351368f9dcc97fa50b02 SHA256(fetchmail-6.4.17.tar.xz)= a41bcdf11b41aa0682b259aee4717c617c15dadd43fa008b2ed38b770f4d50c6 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.17 (released 2021-03-07, 29998 LoC): # BUG FIXES * IMAP client: it used to leak memory for username and password when trying the LOGIN (password-based) authentication and encountered a timeout situation. * dist-tools/getstats.py: also counts lines in *.py files, shown above. # CHANGES * fetchmail.man: now mentions that you may need to add --ssl when specifying a TLS-wrapped port. * fetchmailconf: --version (-V) now prints the Python version in use. # TRANSLATION UPDATES This fine person has contributed updated translations for fetchmail: * ja: Takeshi Hamasaki [Japanese] --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-02-10 19:02:17
|
[re-send with corrected download URLs] Greetings, The 6.4.16 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/branch_6.4/>. It contains a few bug fixes and is more willing to give information on the trust store paths it is using (with -V or --version). The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.16.tar.lz)= 0cc50212d62a7c9912e0c7fdf795ba205db554195d05a45e36c94671ec54c089 SHA256(fetchmail-6.4.16.tar.xz)= 044b9a0ac03afbae7744979defe3e2e32e39141bca68fd0c8deda2ed40884fb9 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.16 (released 2021-02-08, 27707 LoC): # BUG FIXES * fetchmail's --configdump, and fetchmailconf, lacked support for the sslcertfile option. --configdump support added by Earl Chew, Gitlab issue #25, merge request !28. * fetchmail's manual page was never updated to reflect 6.2.5's change about the duplicate-killer code for multidrop mode, which read "* Dup-killer code now keys on an MD5 hash of the raw headers." ...instead of just the Message-ID. [commit 9dd8400, 2003-10-10 by esr] The manual page was now updated accordingly and documents historic behaviour: start to 5.0.7 no duplicate suppression; 5.0.8 to 6.2.4 duplicate suppression only by Message-ID; 6.2.5 to 6.4.X duplicate suppression by entire raw header. Manpage bug found by Julian Bane debugging "duplicate message" behaviour. * ./configure no longer runs AC_LIB_LINKFLAGS (how to link) checks when called --without-ssl # FEATURES * fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS library's "SSL default trusted certificate" file or directory (mind the word "default"), where the OpenSSL-compatible TLS implementation will look for trusted root, meaning certification authority (CA), certificates. NOTE 1: watch the output carefully if the line prints the defaults or the configured path (without "default"). NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables for OpenSSL 1.1.1 to override the *default* locations (those compiled into OpenSSL or possibly in its configuration file). This was added when Gene Heskett was debugging his setup and the information "where does OpenSSL look" was missing. * fetchmail --version now prints version of the OpenSSL library that it was compiled against, and that it is using at runtime, and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available). # TRANSLATION UPDATES These fine people have contributed updated translations for fetchmail, in no particular order: * sq: Besnik Bleta [Albanian] * eo: Keith Bowes [Esperanto] * cs: Petr Pisar [Czech] * pl: Jakub Bogusz [Polish] * sv: Göran Uddeborg [Swedish] * fr: Frédéric Marchal [French] # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-02-08 18:21:19
|
Greetings, The 6.4.16 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/branch_6.4/>. It contains a few bug fixes and is more willing to give information on the trust store paths it is using (with -V or --version). The source archive is available at: <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.16.tar.xz/download> <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.16.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.16.tar.lz)= 0cc50212d62a7c9912e0c7fdf795ba205db554195d05a45e36c94671ec54c089 SHA256(fetchmail-6.4.16.tar.xz)= 044b9a0ac03afbae7744979defe3e2e32e39141bca68fd0c8deda2ed40884fb9 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.16 (released 2021-02-08, 27707 LoC): # BUG FIXES * fetchmail's --configdump, and fetchmailconf, lacked support for the sslcertfile option. --configdump support added by Earl Chew, Gitlab issue #25, merge request !28. * fetchmail's manual page was never updated to reflect 6.2.5's change about the duplicate-killer code for multidrop mode, which read "* Dup-killer code now keys on an MD5 hash of the raw headers." ...instead of just the Message-ID. [commit 9dd8400, 2003-10-10 by esr] The manual page was now updated accordingly and documents historic behaviour: start to 5.0.7 no duplicate suppression; 5.0.8 to 6.2.4 duplicate suppression only by Message-ID; 6.2.5 to 6.4.X duplicate suppression by entire raw header. Manpage bug found by Julian Bane debugging "duplicate message" behaviour. * ./configure no longer runs AC_LIB_LINKFLAGS (how to link) checks when called --without-ssl # FEATURES * fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS library's "SSL default trusted certificate" file or directory (mind the word "default"), where the OpenSSL-compatible TLS implementation will look for trusted root, meaning certification authority (CA), certificates. NOTE 1: watch the output carefully if the line prints the defaults or the configured path (without "default"). NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables for OpenSSL 1.1.1 to override the *default* locations (those compiled into OpenSSL or possibly in its configuration file). This was added when Gene Heskett was debugging his setup and the information "where does OpenSSL look" was missing. * fetchmail --version now prints version of the OpenSSL library that it was compiled against, and that it is using at runtime, and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available). # TRANSLATION UPDATES These fine people have contributed updated translations for fetchmail, in no particular order: * sq: Besnik Bleta [Albanian] * eo: Keith Bowes [Esperanto] * cs: Petr Pisar [Czech] * pl: Jakub Bogusz [Polish] * sv: Göran Uddeborg [Swedish] * fr: Frédéric Marchal [French] # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-01-30 15:20:04
|
Greetings, The 6.4.16-rc1 release candidate of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/branch_6.4/>. It contains a few bug fixes that were contributed via Gitlab. The source archive is available at: <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.16-rc1.tar.xz/download> <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.16-rc1.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16-rc1.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.16-rc1.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.16-rc1.tar.lz)= 48ca15ba5d87b564050b7642732ffc0b2faf82b83a9eb630032e4ae7c760c866 SHA256(fetchmail-6.4.16-rc1.tar.xz)= 2ac20bb2858b9cad575b1d4b95855d02561a57f65dbd5abf20868234977a73aa Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.16 (not yet released): # BUG FIXES * fetchmail's --configdump, and fetchmailconf, lacked support for the sslcertfile option. --configdump support added by Earl Chew, Gitlab issue #25, merge request !28. * fetchmail's manual page was never updated to reflect 6.2.5's change about the duplicate-killer code for multidrop mode, which read "* Dup-killer code now keys on an MD5 hash of the raw headers." ...instead of just the Message-ID. [commit 9dd8400, 2003-10-10 by esr] The manual page was now updated accordingly and documents historic behaviour: start to 5.0.7 no duplicate suppression; 5.0.8 to 6.2.4 duplicate suppression only by Message-ID; 6.2.5 to 6.4.X duplicate suppression by entire raw header. Manpage bug found by Julian Bane debugging "duplicate message" behaviour. * ./configure no longer runs AC_LIB_LINKFLAGS (how to link) checks when called --without-ssl # FEATURE * fetchmail --version [fetchmail -V] now queries and prints the SSL/TLS library's "SSL default trusted certificate" file or directory (mind the word "default"), where the OpenSSL-compatible TLS implementation will look for trusted root, meaning certification authority (CA), certificates. NOTE 1: watch the output carefully if the line prints the defaults or the configured path (without "default"). NOTE 2: SSL_CERT_DIR and SSL_CERT_FILE are documented environment variables for OpenSSL 1.1.1 to override the *default* locations (those compiled into OpenSSL or possibly in its configuration file). This was added when Gene Heskett was debugging his setup and the information "where does OpenSSL look" was missing. * fetchmail --version now prints version of the OpenSSL library that it was compiled against, and that it is using at runtime, and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available). # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2021-01-06 18:17:15
|
(direct mail to Geoff and to list)
Geoff,
A happy new year!
Following up on myself (I never received a reply to my suggestions) I
can also say that it may worth trying 7.0.0-alpha7, which extends the
token buffer; there have been reports that Office 365 tokens are longer
than 2 kByte buffer, and 7.0.0-alpha7 or the "next" branch in Git for
now use a 4 kByte buffer. I have received a message via sourceforge from
what appears to be a Dutch or Flemish writer that he had success with
alpha6 with a "PASSWORDLEN" password buffer size of 4096 (which we use
to hold the OAUTH2 token for Google mail or MS Office 365). This is
PASSWORDLEN is a #define in fetchmail.h.
Regards,
Matthias
Am 13.11.20 um 01:04 schrieb Matthias Andree:
> Am 11.11.20 um 03:22 schrieb Geoff Bailey:
>> G'day all,
>>
>> I'm trying to use fetchmail with Office 365 and XOAUTH2 enabled. So far
>> unsuccessfully, alas. Anyway, this section in lines 650 to 662 of pop3.c
>> is not helping:
>>
>> if (ctl->server.authenticate == A_OAUTHBEARER)
>> {
>> if (has_oauthbearer || !has_xoauth2)
>> {
>> ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
>> }
>> if (ok != PS_SUCCESS && has_xoauth2)
>> {
>> ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
>> }
>> break;
>> }
>>
>> As you can see, if has_xoauth2 is true and has_oauthbearer is false, as it
>> is in this case, then a very old value of ok is incorrectly used and the
>> XOAUTH2 branch is skipped.
>>
>> The simplest adjustment would be to insert
>>
>> ok = PS_AUTHFAIL; /* anything other than PS_SUCCESS */
>>
>> or similar before the has_oauthbearer check.
>>
> Hi Geoff,
>
> thanks for the report. Does it help to rewrite the code as:
>
> if (ctl->server.authenticate == A_OAUTHBEARER)
> {
> if (has_oauthbearer || !has_xoauth2)
> {
> ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
> }
> else
> {
> ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
> }
> if (ok == PS_SUCCESS)
> break;
>
> }
>
> This will change behaviour however, in that there is no fall-through
> from OAUTHBEARER if it fails to XOAUTH2.
>
> Cheers,
> Matthias
>
>
>
> _______________________________________________
> Fetchmail-devel mailing list
> Fet...@li...
> https://lists.sourceforge.net/lists/listinfo/fetchmail-devel
|
|
From: Matthias A. <mat...@gm...> - 2021-01-03 21:10:13
|
Greetings, The 7.0.0-alpha7 release of fetchmail is now available at the usual locations, including <https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/>. This is to have a tarball-based reference point, alpha6 had, well, aged quite a bit. The source archive is available at: <https://downloads.sourceforge.net/project/fetchmail/branch_7-alpha/fetchmail-7.0.0-alpha7.tar.xz/download> Here are the release notes: fetchmail-7.0.0 (not yet released): NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED! XXX and FIXME - see the big merge of 2019-08-25, and 2021-01-03 # INCOMPATIBLE CHANGES * The SSL/TLS options were massively changed and disentangled, to be clearer. * --sslmode starttls=must is now the default as a consequence of the previous sslcertck default. If you need an unencrypted connection, use --sslmode none. If you need an SSL-wrapped connection that starts immediately on a separate port, use --sslmode wrapped. * See the REMOVED FEATURES section below for further incompatibilities. # MAJOR CHANGES * The POP3 code now always uses UIDL, except if "fetchall" is in effect. Fixes BerliOS Bug #16172. Fixes Debian Bug#345788. The --uidl option is now gone. # FEATURES ADDED * fetchmail has initial support for OAUTH2, courtesy of Matthew M. Ogilvie. This requires a helper script (in Python) that ships in the contrib/ section. * Fetchmail can now retrieve credentials from PWMD. This needs to be enabled at compile-time and requires run-time configuration. See README.PWMD for details. Contributed by Ben Kibbey, author of libpwmd and pwmd. * Fetchmail can now run an external command to retrieve credentials (passwords), see the fetchmail man page for passwordeval. * Fetchmail now supports a retrieve-error command line or rcfile option that takes exactly one argument, abort (default), continue or markseen. This specifies the policy used by fetchmail to handle messages whose bodies fail to be retrieved due to server errors. Both the continue and markseen options will skip the message with errors and allow the session to continue so that subsequent messages can be retrieved. The markseen option will also mark the message with errors as seen. The default policy is to abort the session whenever a server error occurs. Contributed by Craig Brown. * Fetchmailconf offers CRAM-MD5 and APOP authentication. XXX FIXME: check * The SSL/TLS/STARTTLS operation mode is now selected through a new --sslmode option, which cleans up the incomprehensible --ssl and --sslproto mess of fetchmail versions before v7.0.0. * The SSL/TLS/STARTTLS protocol version can now be selected through a new --sslprotocolversion switch. * The SSL/TLS cipher in used is now reported in verbose mode. * FIXME: The SHA1 fingerprint is now printed along with the MD5 digest of the server's certificate; however, this can not yet be matched - matches are still against MD5 only. # REMOVED FEATURES * IMAP2 and POP2 protocol support were removed. * RPOP support (not actually a protocol, but a variant of POP3) was removed. * POP3: the (--)uidl option has been removed. It is always on. * POP3: LAST is no longer used. It was removed from POP3 in the year 1994, and it could cause mail loss when the connection was interrupted or if clients besides fetchmail polled the mailbox. * The MX and host alias DNS lookups that fetchmail performs in multidrop mode have been removed. They were based on the mistaken assumption that the IMAP/POP3 server was also the MX server, which is rarely the case. They have never supported IPv6 (including IPv6-mapped IPv4) either. Non-DNS based alias keywords such as "aka" remain. * Kerberos IV support was removed. * The --ssl option is obsolescent and triggers a warning that users should use --sslmode wrapped instead. It is understood as an alias for --sslmode wrapped. * The --sslproto option was removed. Two new options were added in its place, --sslmode and --sslprotocolversion. * A lot of outdated and/or unsafe-to-use material got dropped from contrib/. # CHANGES * APOP is no longer a protocol, but an authentication method. In order to use it, use protocol POP3 auth APOP, or on the commandline, -p pop3 --auth apop. If no authentication method is specified, APOP is automatically tried if offered by the server before we resort to sending the password as clear text. -------------------------------------------------------------------------------- |
|
From: Matthias A. <mat...@gm...> - 2021-01-03 14:26:17
|
Greetings, The 6.5.0.beta2 release of fetchmail is now available at the usual locations, including <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>. The source archive is available at: <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.0.beta2.tar.xz/download> This is a deep link to the GnuPG signature: <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.0.beta2.tar.xz.asc/download> Here are the release notes: -------------------------------------------------------------------------------- fetchmail-6.5.0 (not yet released): ## REMOVED FEATURES * fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone. * fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given. ## INCOMPATIBLE CHANGES * fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525) * fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option. * fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option. * fetchmailconf now requires Python 3.7.0 or newer. * fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte. * fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below. ## CHANGED REQUIREMENTS * fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed. Hence: - The trio/ library has been removed from the distribution. - The libesmtp/getaddrinfo.? library has been removed from the distribution. - The KAME/getnameinfo.c file has been removed from the distribution. * fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL, at a minimum OpenSSL v1.1.1. ## BUG FIXES * fetchmail can now report mailbox sizes of 2^31 octets and beyond. This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt. * fetchmail now defines its OpenSSL API level (1.1.1, or 10101) so as to compile with OpenSSL 3.0.0. (fetchmail was requesting to hide deprecated APIs.) ## CHANGES * When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20. * The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags. ## EXPERIMENTAL CHANGES - these are not documented anywhere else, only here: * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompabilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.0-alpha4. * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH". * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect. * NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort. # KNOWN BUGS AND WORKAROUNDS (This section usually floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. -------------------------------------------------------------------------------- |
|
From: Matthias A. <mat...@gm...> - 2021-01-03 13:38:55
|
Greetings, and a happy new year 2021! The 6.4.15 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/branch_6.4/>. It contains a few bug fixes that were contributed via Gitlab. The source archive is available at: <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.15.tar.xz/download> <https://sourceforge.net/projects/fetchmail/branch_6.4/fetchmail-6.4.15.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.15.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.15.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.15.tar.lz)= 6f56d0c08278f190de840ae4d1affa767a2545b056e1993b8d3f80294bbf7ad3 SHA256(fetchmail-6.4.15.tar.xz)= 735b217474937e13cfcdea2d42a346bf68487e0d61efebe4d0d9eddcb3a26b96 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.15 (released 2021-01-03, 27614 LoC): # BUG FIXES * Fix a typo in the manual page reported by David McKelvie. * Fix cross-compilation with openssl, by Fabrice Fontaine. Merge request !23. * Fix truncation of SMTP PLAIN AUTH with ^ in credentials, by Earl Chew. Gitlab issue #23, merge request !25. # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2020-11-26 10:35:08
|
Greetings, The 6.4.14 release of fetchmail is now available at the usual locations, including <https://sourceforge.net/projects/fetchmail/branch_6.4/>. It updates the Serbian translation and also the FAQ. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.14.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.14.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.14.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.14.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.14.tar.lz)= b84dba26e64b526515256a8ae705eb2bc5338b7fa1455c4c08410df20cc28ae6 SHA256(fetchmail-6.4.14.tar.xz)= 424707390f7cdc6d16db4887931117f2242873846b28cc1d0ae1c0ecf158bdcb Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.14 (released 2020-11-26): # TRANSLATION UPDATES were made by these fine people: * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the current release information) * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used, for instance, for mailbox sizes, and misreports sizes of 2 GibiB and beyond. Fixing this requires C89 compatibility to be relinquished. * BSMTP is mostly untested and errors can cause corrupt output. * Fetchmail does not track pending deletes across crashes. * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running. * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI. --------------------------------------------------------------------------------- By popular demand, diffs from the previous release have been omitted. Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2020-11-13 00:04:56
|
Am 11.11.20 um 03:22 schrieb Geoff Bailey:
> G'day all,
>
> I'm trying to use fetchmail with Office 365 and XOAUTH2 enabled. So far
> unsuccessfully, alas. Anyway, this section in lines 650 to 662 of pop3.c
> is not helping:
>
> if (ctl->server.authenticate == A_OAUTHBEARER)
> {
> if (has_oauthbearer || !has_xoauth2)
> {
> ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
> }
> if (ok != PS_SUCCESS && has_xoauth2)
> {
> ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
> }
> break;
> }
>
> As you can see, if has_xoauth2 is true and has_oauthbearer is false, as it
> is in this case, then a very old value of ok is incorrectly used and the
> XOAUTH2 branch is skipped.
>
> The simplest adjustment would be to insert
>
> ok = PS_AUTHFAIL; /* anything other than PS_SUCCESS */
>
> or similar before the has_oauthbearer check.
>
Hi Geoff,
thanks for the report. Does it help to rewrite the code as:
if (ctl->server.authenticate == A_OAUTHBEARER)
{
if (has_oauthbearer || !has_xoauth2)
{
ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
}
else
{
ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
}
if (ok == PS_SUCCESS)
break;
}
This will change behaviour however, in that there is no fall-through
from OAUTHBEARER if it fails to XOAUTH2.
Cheers,
Matthias
|
|
From: Geoff B. <ft...@gm...> - 2020-11-11 02:23:15
|
G'day all,
I'm trying to use fetchmail with Office 365 and XOAUTH2 enabled. So far
unsuccessfully, alas. Anyway, this section in lines 650 to 662 of pop3.c
is not helping:
if (ctl->server.authenticate == A_OAUTHBEARER)
{
if (has_oauthbearer || !has_xoauth2)
{
ok = do_oauthbearer(sock, ctl, FALSE); /* OAUTHBEARER */
}
if (ok != PS_SUCCESS && has_xoauth2)
{
ok = do_oauthbearer(sock, ctl, TRUE); /* XOAUTH2 */
}
break;
}
As you can see, if has_xoauth2 is true and has_oauthbearer is false, as it
is in this case, then a very old value of ok is incorrectly used and the
XOAUTH2 branch is skipped.
The simplest adjustment would be to insert
ok = PS_AUTHFAIL; /* anything other than PS_SUCCESS */
or similar before the has_oauthbearer check.
(This is not nearly sufficient to fix my problems, of course, but it at
least addresses a manifest error.)
Cheers,
Geoff.
|
|
From: Matthias A. <mat...@gm...> - 2020-10-25 14:00:25
|
Greetings, Fetchmail 6.4.13 has been released and is now available at the usual location, <https://downloads.sourceforge.net/project/fetchmail/branch_6.4/>. Please test it and report back. I'll send it off to the translation project in parallel. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.13.tar.lz)= 326dcea5b001ef11e1bf0e3e53da9a4dcb4069120772480fc16b8fa7683672b6 SHA256(fetchmail-6.4.13.tar.xz)= 7d28cf060b06b9c8ec72267be7edc9a99b70f61d7d32d8b609458dcedfa74be1 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.13 (released 2020-10-25, 27608 LoC): # BUG FIXES: * Errors about lock file (= pidfile) creation could be lost in daemon configurations (-d option, or set daemon) when using syslog. Now they are also logged to syslog. Found verifying a pidfile creation issue on 6.4.12 that was previously reported by Alex Hall of Automatic Distributors. * If the lock file cannot be removed (no write permission on directory), try to truncate it, and if that fails, report error. * If the pidfile was non-default, fetchmail -q or --quit would malfunction and claim no other fetchmail were running, because it did not read the configuration files or merge the command line options, thus it would look for the PID in the wrong file. # CHANGES: * Lockfile (= pidfile) creation errors are now logged with filename and reason. # TRANSLATION UPDATES were made by these fine people: * cs: Petr Pisar [Czech] * ja: Takeshi Hamasaki [Japanese] * sq: Besnik Bleta [Albanian] * zh_CN: Boyuan Yang [Chinese (simplified)] * sv: Göran Uddeborg [Swedish] * pl: Jakub Bogusz [Polish] * fr: Frédéric Marchal [French] * eo: Keith Bowes [Esperanto] * de: [German - by current maintainer] --------------------------------------------------------------------------------- Happy fetches, Matthias |
|
From: Matthias A. <mat...@gm...> - 2020-10-15 21:40:31
|
[URLs corrected for downloads and GnuPG signatures] Greetings, Fetchmail's 6.4.13 release CANDIDATE #2 is now available at the usual location, <https://downloads.sourceforge.net/project/fetchmail/branch_6.4/>. Please test it and report back. I'll send it off to the translation project in parallel. The source archive is available at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13-rc2.tar.xz/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13-rc2.tar.lz/download> Detached GnuPG signatures for the respective tarballs are at: <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13-rc2.tar.xz.asc/download> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/fetchmail-6.4.13-rc2.tar.lz.asc/download> SHA256 hash values for the tarballs: SHA256(fetchmail-6.4.13-rc2.tar.lz)= 045b6ce950423e7b76c8797555ccb8e0fa6ccf513aefeb2ddbbea98843487a97 SHA256(fetchmail-6.4.13-rc2.tar.xz)= 54f582b5b6034e681ca602120b2c865f8efb00768f0672998f3e6bcbe4a988d9 Here are the release notes: --------------------------------------------------------------------------------- fetchmail-6.4.13 (work in progress): # BUG FIXES: * Errors about lock file (= pidfile) creation could be lost in daemon configurations (-d option, or set daemon) when using syslog. Now they are also logged to syslog. Found verifying a pidfile creation issue on 6.4.12 that was previously reported by Alex Hall of Automatic Distributors. * If the lock file cannot be removed (no write permission on directory), try to truncate it, and if that fails, report error. * If the pidfile was non-default, fetchmail -q or --quit would malfunction and claim no other fetchmail were running, because it did not read the configuration files or merge the command line options, thus it would look for the PID in the wrong file. # CHANGES: * Lockfile (= pidfile) creation errors are now logged with filename and reason. # TRANSLATION UPDATES were made by these fine people (German was also updated): * cs: Petr Pisar [Czech] * ja: Takeshi Hamasaki [Japanese] * sq: Besnik Bleta [Albanian] * zh_CN: Boyuan Yang [Chinese (simplified)] * sv: Göran Uddeborg [Swedish] * pl: Jakub Bogusz [Polish] * de: [German - by current maintainer] --------------------------------------------------------------------------------- Happy fetches, Matthias |
147 messages has been excluded from this view by a project administrator.
