+* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
+ new messages and most of the range searches result in nothing. Instead, split
+ the long response to make the IMAP driver think that there are multiple lines
+ of response. (Sunil Shetye)
+* Do not print "skipping message" for old messages even in verbose mode. If
+ there are too many old messages, the logs just get filled without any real
+ activity. (Sunil Shetye) (suggested by Yunfan Jiang)
+* Build: fetchmail now always uses its own MD5 implementation rather than trying
+ to find a system library with matched header. The library and header variants
+ found on systems are too diverse, and the code size saving is not worth any
+ more wasted user or programmer time.
+
+# CHANGES
+* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
+* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
+ there is no portable way to configure actual timeouts for this mode, and some
+ systems only support a system-wide timeout setting. fetchmail does not
+ attempt to tune the time spans of keepalive mode.
+
+# TRANSLATION UPDATES
+ [cs] Chech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German (Matthias Andree)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+
+fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
+
+# ERRATUM NOTICE ISSUED
+* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
+ grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.
+
+# BUG FIXES
+* When specifying multiple local multidrop lists, do not lose wildcard flag.
+ (Affects "user foo is bar baz * is joe here")
+* In multidrop configurations, an asterisk can now appear anywhere in the list
+ of local users, not just at the end.
+* In multidrop mode, header parsing is now more verbose in -vv mode, so that it
+ becomes possible to see which header is used.
+* Make --antispam work from command line (these used to work in rcfiles).
+ Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
+* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
+ documents. Skip validating Mailbox-Names-UTF7.html. Several systems have
+ broken XHTML 1.1 DTD installations that jeopardize the build.
+ Reported by Mihail Nechkin against FreeBSD port.
+ Workaround for 6.3.18: build in a separate directory, i. e:
+ mkdir build && cd build && ../configure --options-go-here
+* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
+* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
+ and Derek Simkowiak via the fetchmail-users@ mailing list.
+* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
+ server capabilities do not show support for upgradation to TLS.
+ To use this, configure --sslproto tls1. (Sunil Shetye)
+* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
+ Yasin Malli to fetchmail-users@ 2010-12-10.
+ Note that fetchmail continues to expect literals as FETCH response for now.
+
+# DOCUMENTATION
+* The manual page now links to IANA for GSSAPI service names.
+
+# TRANSLATION UPDATES
+ [cs] Czech (Petr Pisar)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [pl] Polish (Jakub Bogusz)
+
+
+fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
+
+# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+* Fetchmail now only accepts wildcard certificate common names and subject
+ alternative names if they start with "*.". Previous versions would accept
+ wildcards even if no period followed immediately.
+* Fetchmail now disallows wildcards in certificates to match domain literals
+ (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
+ The test is overly picky and triggers if the pattern (after skipping the
+ initial wildcard "*") or domain consists solely of digits and dots, and thus
+ matches more than needed.
+* Fetchmail now disallows wildcarding top-level domains.
+
+# CRITICAL BUG FIXES AND REGRESSION FIXES
+* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
+ functions, as an effect of an undocumented Solaris MD5 fix.
+ This caused all MD5-related functions to malfunction if, for instance,
+ libmd5.so was installed on other operating systems as part of libwww on
+ machines where long isn't 32-bits, i. e. usually on 64-bit computers.
+ Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
+ Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
+* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
+ --sslfingerprint was specified. This is an omission from an SSL usability
+ change made in 6.3.17.
+ Fixes Debian Bug#580796 reported by Roland Stigge.
+* Fetchmail will now apply timeouts to the authentication stage.
+ This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
+ Reported missing by Thomas Jarosch.
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
+ errors, such as no or unsuitable credentials.
+ It now sends an asterisk on a line by its own, as required in SASL.
+ This fixes protocol synchronization issues that cause Authentication
+ failures, often observed with kerberized MS Exchange servers.
+ Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
+ fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.
+
+# BUG FIXES
+* Fetchmail will no longer print connection attempts and errors for one host
+ in "silent" and "normal" logging modes, unless all connections fail. This
+ should reduce irritation around refused-connection logging if services are
+ only on an IPv4 socket if the host also supports IPv6. Often observed as
+ connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
+ then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
+ all connect errors and only report them if all of them fail.
+* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
+ credentials. However, if GSSAPI authentication is requested explicitly,
+ fetchmail will always try it.
+* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
+ RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
+* The manual page clearly states that --principal is for Kerberos 4 only, not
+ for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
+
+# CHANGES
+* When encountering incorrect headers, fetchmail will refer to the bad-header
+ option in the manpage.
+ Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
+* Fetchmail now decodes and reports GSSAPI status codes upon errors.
+* Fetchmail now autoprobes NTLM also for POP3.
+* The Fetchmail FAQ has a new item #R15 on authentication failures.
+
+# INTERNAL CHANGES
+* The common NTLM authentication code was factored out from pop3.c and imap.c.
+
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+
+fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
+
+# SECURITY FIX
+* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
+ external input (mail headers and UID). When a multi-character locale (such as
+ UTF-8) was in use, this could cause memory exhaustion and thus a denial of
+ service, because fetchmail's report.c functions assumed that non-success of
+ [v]snprintf was due to insufficient buffer size allocation. It would then
+ repeatedly reallocate a larger buffer and fail formatting again.
+ See fetchmail-SA-2010-02.txt.
+
+# FEATURES
+* Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
+ file (a file that contains trusted CA certificates). Since these bundled CA
+ files do not require c_rehash to be run, they are easier to use and immune to
+ OpenSSL library updates that affect the hash function.
+* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
+ environment variable to force loading the default SSL CA certificate
+ locations even if --sslcertfile or --sslcertpath is used.
+ If neither option is in effect, fetchmail loads the default locations.
+
+# REGRESSION FIX
+* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
+ run control file in certain circumstances. Fixes BerliOS bug #14257.
+ Patch by Michael Banack. This fixes a regression introduced before 6.3.0.
+
+# BUG FIXES
+* Plug memory leak when using a "defaults" entry in the run control file.
+* Do not print SSL certificate mismatches unless verbose or --sslcertck is
+ enabled.
+* Do not lose "set invisible" in fetchmailconf. (Michael Barnack)
+
+# CHANGES
+* Usability: SSL certificate chains are fully printed in -v -v mode, and there
+ are now helpful pointers to --sslcertpath and c_rehash for "unable to get
+ local issuer certificate" and self-signed certificates -- these usually hint
+ to missing root signing CAs in the certs directory.
+* Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
+* Memory allocation failures will now cause abnormal program abort (SIGABRT),
+ no longer an exit with unspecified code.
+* Print a warning if certificate verification failed and the user did not
+ specify --sslcertck.
+
+# DOCUMENTATION
+* Fix table of global option to read "set softbounce" where there used to be a
+ 2nd copy of "set spambounce". Patch by Michael Banack, BerliOS Bug #17067.
+* In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X
+ to 1.0.0 upgrade in particular) may require running c_rehash.
+
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [id] Indonesian (Andhika Padmawan)
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+ [vi] Vietnamese (Clytie Siddall)
+
+
+fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):
+
+# BUG FIX
+* Fix --interface option, broken in 6.3.15. Reported by Vladmimir Stavrinov.
+ Fixes Debian Bug #576717.
+
+# CHANGE
+* Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory
+ and non-standard algorithms in certificates.
+ Sjoerd Simons, to fix Debian Bug #576430.
+ OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default.
+ Reported as OpenSSL RT#2224.
+