From: Matthias A. <mat...@gm...> - 2026-06-17 21:21:07
The 6.6.5 release of fetchmail is now available at the usual locations, including <https://downloads.sourceforge.net/project/fetchmail/branch_6.6/>.

The source archive is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.6/fetchmail-6.6.5.tar.xz/download>

The detached GnuPG signature is available at:
<https://downloads.sourceforge.net/project/fetchmail/branch_6.6/fetchmail-6.6.5.tar.xz.asc/download>

The SHA256 hashes for the tarballs are:
SHA2-256(fetchmail-6.6.5.tar.xz)= ab0320fe4df0b5ee8659189e66590d9de96aadbf929fe59f353ae7a317e9ef1e

Here are the release notes:

--------------------------------------------------------------------------------
fetchmail-6.6.5 (released 2026-06-17, 32433 LoC):

## SECURITY BUGFIX
* POP3 with RPA: fix calculation of buffer sizes to avoid buffer overflow on long service challenges with long user IDs, which would smash our stack. Triggering this requires that
  1. RPA is enabled at compile time (non-default, which is discouraged in autotools, and possible but not documented nor supported in meson), and
  2. the username (--user option, or user in the rcfile) contains @compuserve.com anywhere, and
  3. the server supports an AUTH command without arguments (which is a non-standard local extension), and
  4. that it offers RPA authentication in response to that command.
  This was reported based on an incomplete semi-wrong AI report with an incomplete fix "recommendation" by zha...@ou... via fetchmail-devel@. The fix suggested in that AI report was wrong, and would happily crash a few lines later again. The fix deployed calculates the buffer size of "workarea" variables based on the sizeof() of constituent components.

## BUGFIX
* Robustness: If RPA is enabled at compile time and POP3 is in use, do not barf if @compuserve.com is in the remote site's username (what you'd pass as --user, or user in the rcfile) and the remote site either does not support an "AUTH" command without parameters (normally, one is required, but some servers such as jpop and Cyrus allow AUTH to request the list of supported authentication types as an extension; the standard way would be a "CAPA" request instead), but try other authentication methods. Found by code auditing in response to a bug report against rpa.c. Note that enabling RPA is discouraged because it is based on the weak MD5 crypto algorithm.
--------------------------------------------------------------------------------
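The security fix above says the work-area size is now derived from the sizeof() of its constituent components. The following C program is an added illustration of that defensive pattern and is not fetchmail's code: the field layout (one-byte length prefixes), the caps RPA_MAX_CHALLENGE and RPA_MAX_USERID, and the functions rpa_compose and rpa_probe are all hypothetical. The point it shows is that the buffer and the check share one source of truth, so an overlong challenge or user ID is rejected before anything is copied rather than overrunning the stack.

```c
/* Added example, not fetchmail's code: a work area whose size is derived
 * with sizeof() from its parts, plus a bounds check before the parts are
 * copied in.  The field layout, limits and names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RPA_MAX_CHALLENGE 128  /* hypothetical cap on a service challenge */
#define RPA_MAX_USERID     64  /* hypothetical cap on a user ID */

typedef unsigned char rpa_challenge_t[RPA_MAX_CHALLENGE];
typedef unsigned char rpa_userid_t[RPA_MAX_USERID];

/* One-byte length prefix before each field (hypothetical encoding).
 * The work-area size is computed from the component types, so changing a
 * cap above automatically resizes the buffer that holds them; there is no
 * hand-typed constant that can drift out of step with the copies below. */
#define RPA_LEN_PREFIX 1
#define RPA_WORKAREA_SIZE (RPA_LEN_PREFIX + sizeof(rpa_challenge_t) + \
                           RPA_LEN_PREFIX + sizeof(rpa_userid_t))

/* Write <clen><challenge><ulen><userid> into out (capacity outcap).
 * Returns bytes written, or 0 when the inputs would not fit.  Nothing is
 * copied unless the whole message fits, so an overlong challenge or user
 * ID can never run past the end of out. */
size_t rpa_compose(unsigned char *out, size_t outcap,
                   const unsigned char *challenge, size_t clen,
                   const unsigned char *userid, size_t ulen)
{
    if (clen > RPA_MAX_CHALLENGE || ulen > RPA_MAX_USERID)
        return 0;                      /* per-component caps */
    if (clen > 255 || ulen > 255)
        return 0;                      /* one-byte length prefix cannot encode more */
    size_t need = RPA_LEN_PREFIX + clen + RPA_LEN_PREFIX + ulen;
    if (need > outcap)
        return 0;                      /* total against the real capacity */

    size_t pos = 0;
    out[pos++] = (unsigned char)clen;
    memcpy(out + pos, challenge, clen);
    pos += clen;
    out[pos++] = (unsigned char)ulen;
    memcpy(out + pos, userid, ulen);
    pos += ulen;
    return pos;
}

/* Probe helper: build a challenge of clen 'C' bytes and a user ID of ulen
 * 'u' bytes (constructed inputs), compose them into a work area sized by
 * RPA_WORKAREA_SIZE, and report the resulting length (0 = rejected). */
size_t rpa_probe(size_t clen, size_t ulen)
{
    unsigned char workarea[RPA_WORKAREA_SIZE];
    unsigned char *chal = malloc(clen ? clen : 1);
    unsigned char *user = malloc(ulen ? ulen : 1);
    if (!chal || !user) { free(chal); free(user); return 0; }
    memset(chal, 'C', clen);
    memset(user, 'u', ulen);
    size_t n = rpa_compose(workarea, sizeof workarea, chal, clen, user, ulen);
    free(chal);
    free(user);
    return n;
}

int main(void)
{
    printf("work area is %zu bytes\n", (size_t)RPA_WORKAREA_SIZE);
    printf("max-size inputs    -> %zu bytes\n",
           rpa_probe(RPA_MAX_CHALLENGE, RPA_MAX_USERID));
    printf("challenge too long -> %zu (rejected)\n",
           rpa_probe(RPA_MAX_CHALLENGE + 1, RPA_MAX_USERID));
    printf("user ID too long   -> %zu (rejected)\n",
           rpa_probe(RPA_MAX_CHALLENGE, RPA_MAX_USERID + 1));
    return 0;
}
```

The check in rpa_compose compares the total the message needs against the capacity the caller actually passed (sizeof workarea), which is the property the original bug lacked: a size computed independently of the buffer's declaration can be correct for the common short case and still overflow on the long challenge plus long user ID combination the release note describes.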