[fetchmail-users] fetchmail 6.3.6 security fix release

[Matthias A. <mat...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings and a happy new year,

I am announcing the release of fetchmail 6.3.6. This new stable version
of fetchmail fixes a major and a minor security issue (CVE-2006-5867 and
CVE-2006-5974), fixes some regressions that appeared in 6.3.5 and other
minor bugs.

- -----------------------------------------------------------------------
NOTE THAT THE CCIL.ORG MAILING LISTS ARE DEPRECATED AND NO LONGER
ACCEPT POSTINGS OR SUBSCRIPTIONS. Please subscribe to the new lists at
<https://developer.berlios.de/mail/?group_id=1824>:
- - for fetchmail-announce subscribers: subscribe to fetchmail-announce
- - for fetchmail-friends subscribers: subscribe to fetchmail-users
- -----------------------------------------------------------------------

The software is available from:
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=11977>

The fetchmail home pages are:
<http://www.fetchmail.info/>  or  <http://fetchmail.berlios.de/>

These are the relevant changes in 6.3.6 since 6.3.5;
unless otherwise noted, changes to this release were made by Matthias Andree:

fetchmail 6.3.6 (released 2007-01-04):

# SECURITY FIXES:
* CVE-2006-5867, fetchmail-SA-2006-02.txt:
  Password disclosure vulnerability fixed. This has several aspects:

  - Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
    options are used and the ssl option is not used, in order to be sure that
    fetchmail gets a certificate from the mail server.

  - Fetchmail breaks the connection if the TLS negotiation (or verification, if
    requested) fails with sslproto 'tls1', sslfingerprint or sslcheck enabled.

  - POP3 connections now use STLS reliably. They used to ignore STLS altogether
    for serveral values of the "auth" option, when fetchmail forget to probe
    server capabilities - see fetchmail-SA-2006-02.txt for details.

  - POP3 connections will no longer fall back USER/PASS authentication if
    strong challenge-response authenticators such as CRAM-MD5 are configured
    but the server does not advertise these in its CAPA response.

  - POP2 is obsolete and does not support STLS or anything beyond password-based
    authentication. The attempt to use STLS or strong authenticators now causes
    connection abort.

  Configurations using both ssl and sslcertck however have been semi-safe in
  that they would send the password in the clear. The USER/PASS fallback
  problem however applies to these too, so that the password was only change on
  trustworthy servers.

* CVE-2006-5974, fetchmail-SA-2006-03.txt:
  Repairs a regression in 6.3.5 that crashes fetchmail when a message with
  invalid headers is found while fetchmail's mda option is in use. BerliOS bugs
  #9364, #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.

# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS:
(There are no plans to remove these features from a 6.3.X release, but they may
be removed from a 6.4.0 or newer release.)
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
  are based on assumptions that are rarely met in practice, somewhat defective,
  deprecated and may be removed from a future fetchmail version.  They have
  never supported IPv6 (including IPv6-mapped IPv4).
  Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
  version as they are not reasonably portable.
* POP2 is obsolete, support will be removed from a future fetchmail version.
* RPOP is obsolete, support will be removed from a future fetchmail release.
* --sslcertck will become a default setting in a future fetchmail version.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
  is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
  the Received header was never meant to be machine-readable, the format varies
  widely, and various other differences in behavior make parsing Received an
  unreliable undertaking. The envelope option as such will remain though, in
  order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
  See also <http://home.pages.de/~mandree/mail/multidrop>.
* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed
  from a future fetchmail release, because it makes fetchmail's behavior
  inconsistent and confusing.
* The "protocol auto" default inside fetchmail may be removed from a future
  fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
  cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
  removed or operation on such systems may be suboptimal for future releases.

# REGRESSION FIXES (recently introduced bugs):
* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
  reported by Brian Harring.
* Repair --user, broken in 6.3.5 (as a side effect of the authenticate external
  patch): using SSL certificate/key authentication overrode the --user option.
  Now the latter takes precedence, and only defaults to the certificate's common
  name.  Debian Bug #400950, reported by Jorgen Schaefer <fo...@de...>.

# BUG FIXES (long-standing bugs):
* RPOP: used to log the password locally rather than an asterisk as the other
  protocols do. The password is now shrouded in the local logs.
* POP3: Probes capabilities now when Kerberos V5 is enabled, so that we can
  actually detect if the server supports it.
* Robustness: If a stale lockfile cannot be deleted, truncate it so that
  fetchmail doesn't later believe itself to be running if the PID is recycled
  by a non-fetchmail process.
* DNS: Detect /etc/resolv.conf changes: On systems that have res_search(),
  assume we also have res_init() and call it (suggested by Ulrich Drepper,
  glibc bug #3675) in order to make libc or libresolv reread the resolver
  configuration at the beginning of a poll cycle.  This is important when
  fetchmail is in daemon mode and /etc/resolv.conf is changed later by dhcpcd,
  dhclient, pppd, openvpn or other ip-up/ipchange scripts.  Should fix Debian
  Bug#389270, Bug#391698.
* Robustness: Fix crash on systems that do not provide strdup(), the crash
  happens only in out-of-memory conditions when fetchmail cannot proceed
  anyways.  Patch by Andreas Krennmair.
* Robustness: When HOME and FETCHMAILHOME are unset, be sure to copy user
  database information, so it is not trashed later. Patch by Jim Correia.

# CHANGES:
* Workaround: Improve handling of IMAP IDLE, some servers do not reset their
  time counters after sending information asynchronously. Patch by Sunil
  Shetye, after report from Andrew Baumann.
* Usability: When requesting Kerberos or GSSAPI, complain and exit with syntax
  error if any of these requested features has not been compiled in.  This is
  to fail early and with precise error message. Reported by Isaac Wilcox.
* --version will now add +KRB4 or +KRB5 if Kerberos v4 or v5, respectively, have
  been compiled in. Reported missing by Isaac Wilcox.

# TRANSLATIONS:
* New en_GB (British English) translation by David Lodge.
* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
  Maryanov) and Vietnamese (Clytie Siddall) translations.
! Note that not all these translations are complete -- this isn't the
  translators' fault though, but due to delays at the BerliOS hosting site and
  the translation project handlers. You may see a few untranslated messages.

# DOCUMENTATION:
* Dropped exit status 15 from manual page, it's not used by fetchmail.
  Reported by Isaac Wilcox.
* Documented exit codes 24 - 29 as internal.

# KNOWN BUGS AND WORKAROUNDS:
  (this section floats upwards through the NEWS file so it stays with the
  current release information)
* fetchmail does not handle messages without Message-ID header well
  (See sourceforge.net bug #780933)
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
  64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
  fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
  so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail expects Received: headers in a particular, but undocumented, format
  when parsing envelopes.
* fetchmail does not track pending deletes over crashes
* the command line interface is a bit narrow-minded sometimes, for instance,
  fetchmail -s doesn't work with a running daemon
* some of the logging output is not very helpful
* some of the documentation is still not up to date

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFnthUvmGDOQUufZURAqyCAJ9M9o7uj3rH4cnU7teWvqQdb6vjQgCg7v0L
OaufKzrR7WwaKC28lUepevw=
=3FrE
-----END PGP SIGNATURE-----