[Fetchmail-devel] fetchmail-6.4.0.beta5 released - please test

[Matthias A. <mat...@gm...>]

Greetings,

I have released fetchmail-6.4.0.beta5, it is available from
sourceforge.net, see:
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>

I have mailed the URL of the tarball to the translation project, and
solicit thorough testing,
I plan to not hold off on the release much longer, no matter what the
TODO.txt says for 6.4.0.
We need to get the SSL changes and other important fixes out the door,
and as translations
show up, I plan to release a candidate for a 6.4.0 release.

This is taken from the NEWS file. Changes since 6.4.0.beta4 are marked
with a "+"
- some were older but undocumented so far:

>  ## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION
>  * Fetchmail no longer supports SSLv2.
>  
>  * Fetchmail no longer attempts to negotiate SSLv3 by default,
>    even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1
> or a newer
>    TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with
>    STARTTLS).  If the OpenSSL version used at build and run-time
> supports these
>    versions, --sslproto ssl3 and --sslproto ssl3+ can be used to
> re-enable SSLv3.
>    Doing so is discouraged because the SSLv3 protocol is broken.
>  
>    Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug
> #768843.
>  
>    While this change is supposed to be compatible with common
> configurations,
>    users may have to and are advised to change all explicit --sslproto
> ssl2
>    (change to newer protocols required), --sslproto ssl3, --sslproto
> tls1 to
>    --sslproto auto, so that they can benefit from TLSv1.1 and TLSv1.2
> where
>    supported by the server.
>  
>    The --sslproto option now understands the values auto, ssl3+,
> tls1+, tls1.1,
>    tls1.1+, tls1.2, tls1.2+, tls1.3, tls1.3+ (case insensitively), see
> CHANGES
>    below for details.
>  
>  * Fetchmail defaults to --sslcertck behaviour. A new option
> --nosslcertck to
>    override this has been added, but may be removed in future
> fetchmail versions
>    in favour of another configuration option that makes the insecurity
> in using
>    this option clearer.
>  
>  ## SECURITY FIXES
>  * Fetchmail prevents buffer overruns in GSSAPI authentication with
> user names
>    beyond c. 6000 characters in length. Reported by Greg Hudson.
>  
>  ## CHANGES
>  * fetchmail 6.3.X is unsupported.
>  * fetchmail now requires OpenSSL v1.0.2 or newer.
>  * fetchmail now configures OpenSSL support by default.
> +* fetchmail now supports a pure OpenSSL v1.1.0 API with deprecated
> functions
> +  disabled.
>  * Fetchmail now supports --sslproto auto and --sslproto tls1+ (same
> as ssl23).
> +* --sslproto tls1.1+, tls1.2+, and tls1.3+ are now supported for
> +  auto-negotiation with a minimum specified TLS protocol version, and
> --sslproto
> +  tls1.1, --sslproto tls1.2 and --sslproto tls1.3 to force the
> specified TLS
> +  protocol version. Note that tls1.3 requires OpenSSL v1.1.1 or newer.
>  * Fetchmail now detects if the server hangs up prematurely during
> SSL_connect()
>    and reports this condition as such, and not just as SSL connection
> failure.
>    (OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry
> Seibert).
>  * A foreground fetchmail can now accept a few more options while
> another copy is
>    running in the background.
>  * fetchmail now handles POP3 --keep UID lists more efficiently, by
> using Rainer
>    Weikusat's P-Tree implementation. This reduces the complexity for
> handling
>    a large UIDL from O(n^2) to O(n log n) and becomes noticably faster
> with
>    thousands of kept messages. (IMAP does not track UIDs and is
> unaffected.)
>    At the same time, the UIDL emulation code for deficient servers has
> been
>    removed. It never worked really well.  Servers that do not
> implement the
>    optional UIDL command only work with --fetchall option set, which
> in itself is
>    incompatible with the --keep option (it would cause message
> duplication).
> +* fetchmail, when setting up TLS connections, now uses
> SSL_set_tlsext_host_name()
> +  to set up the SNI (Server Name Indication). Some servers (for instance
> +  googlemail) require SNI when using newer SSL protocols.
> +* fetchmail will drop the connection when fetching with IMAP and
> receiving an
> +  unexpected untagged "* BYE" response, to work around certain faulty
> servers.
> +* Fetchmail now sets the expected hostname through OpenSSL 1.0.2's new
> +  X509_VERIFY_PARAM_set1_host() function to enable OpenSSL's native
> certificate
> +  verification features.
> +* The FETCHMAIL_POP3_FORCE_RETR environment variable is now documented,
> +  it forces fetchmail, when talking POP3, to always use the RETR command,
> +  even if it would otherwise use the TOP command.
> +* Fetchmail's configure stage will try to query pkg-config or pkgconf
> for libssl
> +  and libcrypto, in case other system use .pc files to document
> specific library
> +  dependencies. (contributed by Fabrice Fontaine, GitLab merge
> request !14.)
> +* The gethostbyname() API calls and compatibility functions have been
> removed.
>  
>  ## FIXES
>  * Fix a typo in the FAQ. Submitted by David Lawyer, Debian Bug#706776.
>  * Do not translate header tags such as "Subject:".  Reported by
> Gonzalo Pérez de
>    Olaguer Córdoba, Debian Bug#744907.
>  * Convert most links from berlios.de to sourceforge.net.
>  * Report error to stderr, and exit, if --idle is combined with multiple
>    accounts.
>  * Point to --idle from GENERAL OPERATION to clarify --idle and multiple
>    mailboxes do not mix.  In response to Jeremy Chadwick's trouble
> 2014-11-19,
>    fetchmail-users mailing list.
>  * Fix SSL-enabled build on systems that do not declare
> SSLv3_client_method(),
>    or that #define OPENSSL_NO_SSL3 inside #include <openssl/ssl.h>
>    Related to Debian Bug#775255. Fixes Debian Bug #804604.
>  * Version report lists -SSLv3 on SSL-enabled no-ssl3 builds.
>  * Fetchmail no longer adds a NUL byte to the username in GSSAPI
> authentication.
>    This was reported to break Kerberos-based authentication with Microsoft
>    Exchange 2013 by Greg Hudson.
> +* Set umask properly before writing the .fetchids file, to avoid
> failing the
> +  security check on the next run.  Reported by Fabian Raab, Debian
> Bug#831611.
> +* When forwarding by LMTP, also check antispam response code when
> collecting
> +  the responses after the CR LF . CR LF sequence at the end of the
> DATA phase.
> +  (Contributed by Evil.2000, GitLab merge request !12.)
> +* fetchmail will not try other protocols after a socket error. This
> avoids
> +  mismatches of how different prococols see messages as "seen" and
> re-fetches
> +  of known mail.  (Fix contributed by Lauri Nurmi, GitLab Merge
> Request !10.)
>  
>  # KNOWN BUGS AND WORKAROUNDS
>    (This section floats upwards through the NEWS file so it stays with the
>    current release information)
>  * Fetchmail does not handle messages without Message-ID header well
>    (See sourceforge.net bug #780933)
>  * BSMTP is mostly untested and errors can cause corrupt output.
>  * Sun Workshop 6 (SPARC) is known to miscompile the configuration
> file lexer in
>    64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
>    fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
>    so compiling 32-bit SPARC code should not cause any difficulties.
>  * Fetchmail does not track pending deletes across crashes.
>  * The command line interface is sometimes a bit stubborn, for instance,
>    fetchmail -s doesn't work with a daemon running.
>  * Linux systems may return duplicates of an IP address in some
> circumstances if
>    no or no global IPv6 addresses are configured.
>    (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
>  * Kerberos 5 may be broken, particularly on Heimdal, and provide
> bogus error
>    messages. This will not be fixed, because the maintainer has no
> Kerberos 5
>    server to test against. Use GSSAPI.

Happy fetches,
Matthias