[Fetchmail-users] ANNOUNCE: fetchmail 6.5.5 released (more C23/GCC15 fixes, more clearing of secrets in memory)

[Matthias A. <mat...@gm...>]

The 6.5.5 release of fetchmail is now available at the usual locations,
including <https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>.

Note this re-enables DNS-based features on ./configure-based builds with
GCC 15 and other compilers that implement C23 by default.

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.5.tar.xz/download>

The detached GnuPG signature is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.5.tar.xz.asc/download>

The SHA256 hashes for the tarballs are:
SHA2-256(fetchmail-6.5.5.tar.xz)= f989b62729c76afbcd65ec43b9c477f2d990f0913da141ff8166aa4e2bf56025


Here are the release notes:
--------------------------------------------------------------------------------
fetchmail-6.5.5 (released 2025-09-24, 31528 LoC):

## LICENSING CHANGE OF WOLFSSL:
* Note that wolfSSL 5.8.2 switched license from GPLv2 to GPLv3, so if
  a distribution links fetchmail against wolfSSL, this implies the use
  of the "or-any-later-version" clause of the GPLv2-or-later licensed material
  in fetchmail, and the combined work can also only ship as GPLv3.
  This may or may not apply to later versions of wolfSSL - be sure to check!
  
## BUGFIXES:
==-- note that these comprise C23 compatibility fixes (GCC 15) --==
* Support t.operation when the running user is different from the one
  mentioned in the $USER variable.  Fix courtesy of Corey Halpin.
* The kerberos*_auth() functions for v4 and v5 have prototypes now,
  so they can be compiled by the most modern C compilers.
* AC_TYPE_* type-checking macros seem unnecessary, strip them, also from
  config.h.meson which would not fill them from build.meson. We expect
  the operating system to provide us pid_t, size_t, uint32_t.
* Our res_search() autoconf check was broken on compilers adhering to newer
  standards (C23), for instance GCC 15, disabling several DNS-based features
  in autotools-based builds, but not meson-based builds.
  Strip the bogus "extern int res_search();" declaration without prototype,
  we would need to have the prototype from the system either way.

## IMPORTANT CHANGE:
* Fetchmail is now more careful to actually clear password and like buffers
  in memory, so that is less likely that other processes could access them
  should they happen to access similar memory regions after fetchmail's exit.
    Fetchmail now uses memset_explicit(), explicit_bzero(), or its own
  explicit_bzero() implementation to clear memory buffers that contain
  passwords or like secrets, or their base64 equivalents, and also buffers
  that it uses to visualize such strings, instead of just using memset().
    The motivating reason is that a plain memset() that does not have
  /observable/ effects, i. e. when we do not read from the buffer or
  transfer it, can be removed by the compiler's optimizer in the so-called
  dead store elimination, voiding our attempt to clear the buffer contents
  before releasing it to the heap.
    The named alternative functions are not being optimized away.

## WORKAROUND:
* IMAP: Recognize SASL_IR advertisement of Cyrus IMAP 3.10.0...3.12.? as
  synonymous to SASL-IR per RFC4959.  Upstream bug reported at
  https://github.com/cyrusimap/cyrus-imapd/issues/5481 - and it was
  quickly fixed in all their supported branches by patch releases.

## CHANGES:
* Several documentation tweaks.
* As long as SOURCE_DATE_EPOCH is set, the source tarball build may
  be reproducible now.  Tested on Fedora 42.
* The Japanese translation [ja] has been updated by Takeshi Hamasaki.
* The Makefile should be compatible across a wider set of make implementations,
  beyond GNU make.

-------------------------------------------------------------------------------