From: Matthias A. <mat...@gm...> - 2025-10-03 13:40:29
The 6.5.6 release of fetchmail is now available at the usual locations, including
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/>.

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.6.tar.xz/download>

The detached GnuPG signature is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.5/fetchmail-6.5.6.tar.xz.asc/download>

The SHA256 hashes for the tarballs are:
SHA2-256(fetchmail-6.5.6.tar.xz)= ec10e0e0eaa417313559379ede76c74614766d838b39470b66474863aa690dab

Here are the release notes:
--------------------------------------------------------------------------------
fetchmail-6.5.6 (released 2025-10-03, 31795 LoC):

## SECURITY BUGFIX:

* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
  If an SMTP server advertises EHLO and AUTH, and fetchmail is configured to
  authenticate (esmtpname and esmtppassword given and non-empty), the server
  might crash fetchmail by sending a "334" response without a further blank in
  reply to fetchmail's AUTH request. This is in violation of applicable
  RFC-4952 though. Fetchmail now detects this situation and reports it
  separately as a malformed server reply.

  Fetchmail 6.5.6 has been released without waiting for translation updates or
  a CVE identifier; these will be provided in follow-up releases.

## BUGFIXES:

* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
  is a numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
  format it as such in the SMTP RCPT command, as user@[192.0.2.2] or
  user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
  another copy of our program name and date in the middle of a log line.
  Workaround for older versions: --logfile /dev/tty (might also use
  --logfile /dev/stderr) - but note this changes buffering behavior and may
  cause output to appear later and without ticker marks.
* A few low-priority memory leaks in the command-line options parser were
  fixed. Since this parser runs only once, the leaks are harmless.
* Some minor code cleanups and robustness fixes were made, and we should see
  fewer compiler warnings as a result.

## CHANGES:

* Given the slow update schedules of some distributions, code was already
  added that checks if time_t is good beyond the year 2038, meaning time_t is
  either unsigned (which would last until 2106) or 64 bits wide. If the system
  isn't safe, warn on every launch of fetchmail beginning 2028-01-01 at 00:00
  GMT so users have 10 years to plan. Fetchmail will also print a warning if
  time(time_t *t) overflows.
-------------------------------------------------------------------------------
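The three mechanical points in these notes (rejecting a bare "334" AUTH reply instead of assuming text follows the code, bracketing numeric address literals in RCPT TO per RFC 5321 section 4.1.3, and deciding whether a time_t survives 2038) can be exercised client-side without a mail server. The following C program is an added example written for this page; it is not fetchmail's code, does not reproduce the crashing code path, and all function names, the sample reply lines and the addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* ---- 1. SMTP AUTH reply handling --------------------------------------- */

/* Classification of one server reply line to an AUTH command. */
enum auth_reply {
    AUTH_CHALLENGE,   /* "334 <base64>" or "334 " (empty challenge) */
    AUTH_SUCCESS,     /* "235 ..." */
    AUTH_FAILURE,     /* "4xx ..." or "5xx ..." */
    AUTH_MALFORMED    /* e.g. a bare "334" with nothing after the code */
};

/* Parse one reply line (CRLF already removed).  A reply is three digits, a
 * space (or "-" on continuation lines) and text.  A bare "334" lacks the
 * separator, so instead of assuming it is there and reading past the end of
 * the line, report it as malformed.  On AUTH_CHALLENGE, *challenge points at
 * the text after "334 " (possibly the empty string). */
enum auth_reply parse_auth_reply(const char *line, const char **challenge)
{
    *challenge = NULL;
    if (strlen(line) < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return AUTH_MALFORMED;
    if (strncmp(line, "334", 3) == 0) {
        if (line[3] != ' ')          /* '\0', '-' or anything else: reject */
            return AUTH_MALFORMED;
        *challenge = line + 4;
        return AUTH_CHALLENGE;
    }
    if (strncmp(line, "235", 3) == 0)
        return AUTH_SUCCESS;
    if ((line[0] == '4' || line[0] == '5') && line[3] == ' ')
        return AUTH_FAILURE;
    return AUTH_MALFORMED;
}

/* Plain-value wrappers used by the demonstration below. */
int classify_auth_reply(const char *line)
{
    const char *c;
    return (int)parse_auth_reply(line, &c);
}

const char *auth_challenge_text(const char *line)
{
    const char *c;
    parse_auth_reply(line, &c);
    return c;   /* NULL unless the line was a well-formed 334 challenge */
}

/* ---- 2. RCPT TO address literals (RFC 5321 section 4.1.3) -------------- */

/* Write "user@host" into out.  When host parses as a numeric address, emit
 * user@[v4] or user@[IPv6:v6] so the receiving MTA does not treat the
 * literal as a domain name.  Returns 0, or -1 if the result was truncated. */
int format_rcpt_address(const char *user, const char *host,
                        char *out, size_t outlen)
{
    unsigned char addr[16];
    int n;

    if (inet_pton(AF_INET, host, addr) == 1)
        n = snprintf(out, outlen, "%s@[%s]", user, host);
    else if (inet_pton(AF_INET6, host, addr) == 1)
        n = snprintf(out, outlen, "%s@[IPv6:%s]", user, host);
    else
        n = snprintf(out, outlen, "%s@%s", user, host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Wrapper returning the formatted address from static storage (or NULL). */
const char *rcpt_address(const char *user, const char *host)
{
    static char buf[512];
    return format_rcpt_address(user, host, buf, sizeof buf) == 0 ? buf : NULL;
}

/* ---- 3. Year-2038 safety of time_t ------------------------------------- */

/* Safe past 2038 if time_t is at least 64 bits wide, or unsigned (a 32-bit
 * unsigned time_t lasts until 2106).  Parameterised so both cases can be
 * checked; host_time_t_is_y2038_safe() applies it to this build. */
int y2038_safe(size_t width_bytes, int is_unsigned)
{
    return width_bytes >= 8 || is_unsigned;
}

int host_time_t_is_y2038_safe(void)
{
    return y2038_safe(sizeof(time_t), (time_t)-1 > (time_t)0);
}

int main(void)
{
    /* Constructed sample reply lines, not captured from any real server. */
    const char *samples[] = { "334 VXNlcm5hbWU6", "334 ", "334",
                              "235 2.7.0 Authentication successful",
                              "535 5.7.8 Authentication credentials invalid" };
    const char *names[] = { "challenge", "success", "failure", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i], names[classify_auth_reply(samples[i])]);
    printf("%s\n", rcpt_address("user", "192.0.2.2"));
    printf("%s\n", rcpt_address("user", "2001:0DB8::4321"));
    printf("%s\n", rcpt_address("user", "mail.example.org"));
    printf("time_t y2038-safe on this host: %s\n",
           host_time_t_is_y2038_safe() ? "yes" : "no");
    return 0;
}
```

The reply parser deliberately treats "334-" (a continuation marker) the same as a bare "334": RFC 4954 challenges are single-line, and anything other than code-space-text is reported rather than dereferenced. inet_pton is used for the literal check so that hostnames that merely look numeric, such as "1.2.3", are not bracketed.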