(The `lines' figures total .c, .h, .l, and .y files under version control.
Names in parentheses are the maintainers who handled the respective change.
-Abbreviations: MA = Matthias Andree, RF = Rob Funk)
+Abbreviations: MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk)
fetchmail 6.3.0 (not yet released officially):
-* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
-* PopDel.py removed from contrib at author's request.
-* Matthias Andree's fix for Sunil Shetye's fetch-split patch
-* Include James Stone's moldremover.py script.
-* Enable .fetchmailrc permissions checking under Cygwin.
-* Nalin Dahyabai's fix for POP3 strong authentication.
+# SECURITY FIX
+* The POP3 UIDL code doesn't sufficiently validate/truncate the input
+ length, so a (malicious or compromised) server that sends UIDs longer
+ than 128 bytes can corrupt fetchmail's stack and crash fetchmail.
+ This vulnerability is remotely exploitable to inject code run in a
+ root shell. This is tracked under the CVE Name: CAN-2005-2335
+
+# MAJOR INCOMPATIBLE CHANGES
+* Remove support for --netsec/-T options, the required inet6_apps library is no
+ longer available.
+ http://www.inner.net/pub/ipv6/ states, as of 2005-07-03: "/pub/ipv6
+ Our IPv6 software is now long defunct. Please find a more modern source."
+ I haven't been able to find a more modern source. Matthias Andree
+* Operating systems that do not conform to the Single Unix Specification v2
+ (1997) or v3 (2001, aka IEEE Std 1003.1-2001) are no longer supported. They
+ may continue to work and non-intrusive patches to support them may be
+ accepted. Matthias Andree
+
+# OBSOLETION WARNINGS
+* The MX and host alias lookups that fetchmail performs in multidrop mode are
+ obsolete, deprecated and may be removed from a future fetchmail version
+ without further notice. Their support for IPv6 (including IPv6-mapped IPv4)
+ is unspecified. Matthias Andree
+* The monitor and interface options may also be removed from a future fetchmail
+ version as they are not sufficiently portable.
+
+# OTHER USER-VISIBLE CHANGES
+* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP. (ESR)
+* PopDel.py removed from contrib at author's request. (ESR)
+* Matthias Andree's fix for Sunil Shetye's fetch-split patch. (ESR)
+* Include James Stone's moldremover.py script. (ESR)
+* Enable .fetchmailrc permissions checking under Cygwin. (ESR)
+* Nalin Dahyabai's fix for POP3 strong authentication. (ESR)
* Revised Nalin Dahyabai's fix for POP3 strong authentication (the
original version would go into an infinite loop when CAPA failed;
found by David Greaves.) (MA)
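Review bot: The SECURITY FIX entry describes the POP3 UIDL overflow and its impact but never states that 6.3.0 corrects it, what the correction does (for example whether over-long UIDs are rejected or truncated), or which releases are affected, so a reader cannot tell from NEWS alone whether upgrading is sufficient. Suggest adding one sentence covering the fix and the affected versions. The phrase "inject code run in a root shell" is also ambiguous: state under which privileges the injected code runs and whether that depends on fetchmail being run as root. The SECURITY FIX entry and the second OBSOLETION WARNINGS item (monitor and interface options) also carry no name, unlike the other entries added here.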
-* HOME_ETC patch for PLD Linux.
-* Sunil Shetye's fix for SSL configuration.
-* Simon Josefsson's patch for GSS library support.
-* Added Andrey Lelikov's recipe for Hotmail and Lycos Webmail.
+* HOME_ETC patch for PLD Linux. (ESR)
+* Sunil Shetye's fix for SSL configuration. (ESR)
+* Simon Josefsson's patch for GSS library support. (ESR)
+* Added Andrey Lelikov's recipe for Hotmail and Lycos Webmail. (ESR)
* Remove blank between MAIL FROM: and <, which causes Cyrus to complain.
Patch by Phil Endecott. (RF)
-* Switched to automake. (MA)
* Build fixes for HESIOD and resolv.h trouble on FreeBSD. (MA)
* Fabrice Bellet's fix for Red Hat bug #113492, fetchmail hangs in IMAP
mode after EXPUNGE when the server (Dovecot 0.99.10) doesn't update
RECENT and EXISTS counts. (MA)
* Holger Mauermann's bounce patch, to use a NULL envelope from, not
write a Return-Path header (both to meet RFC-2821), changed From,
- added Subject header, rewording the human readable part. (MA)
+ added Subject header, rewording the human readable part. Fixes Debian
+ bug #316446. (MA)
* Merge Sunil Shetye's time.h handling fix. (MA)
* Merge Gerd von Egidy's patch to avoid a segfault in multidrop/received
mode when the Received: headers are malformatted. (MA)
* Clean up the horrible #ifdef HAVE_[V]SNPRINTF that made the code
unreadable. Use Trio where [v]snprintf is/are missing. (MA)
* Default to Linux 2.2 /proc/net/dev format, and use uname(2) to determine the
- kernel version instead of calling uname(1). Thanks to Paul Slootman.
- (MA)
+ kernel version instead of calling uname(1). Thanks to Paul Slootman. (MA)
* Be more careful when swapping UID lists or writing the .fetchids file,
requested by Manfred Weihs. (MA)
* Print a warning if multidrop configuration is attempted without
* Dropped da=Danish, el=Greek, ja=Japanese, sq=Albanian and tr=Turkish
translations which have more than 10% (61+) untranslated or fuzzy
messages. Matthias Andree.
+* Skip sending POP3 PASS command when USER command failed. Matthias Andree.
+* Run fetchmail.man through automatic spell checker. Matthias Andree.
+* Major fetchmail(1) manual page overhaul by R. Hannes Beinert, to
+ clarify singledrop vs. multidrop operation. (MA)
+* Make tracepolls a server option, as documented. Fixes Debian bug
+ #156094. Matthias Andree.
+* Updated some translations. (MA)
+* Fix some minor inaccuracies (RFC-1893 related, grammar/spelling) in
+ the manual page.
+* Rename ESR's design notes to esrs-design-notes.html and add a new
+ design-notes.html document. The NOTES file will contain both of them.
+ Matthias Andree.
+* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
+ fails. Fix suggested Goswin Brederlow. (MA)
+* Really fix Debian Bug#207919 (garbage in Received: lines when smtphost set),
+ patch by Tobias Diedrich. The 6.2.5 NEWS claimed Gregan's patch had fixed
+ #207919 but it had fixed #212484 instead and #207919 remained unfixed in
+ 6.2.5. The entry below has been corrected to read #212484 now. (MA)
+* When writing the PID file, write a FHS 2.3 compliant PID file.
+ Fixes Debian bug #230615. Matthias Andree.
+* Make ODMR really silent, suppress "fetchmail: receiving message
+ data". Fixes Debian Bug#296163. Matthias Andree.
+* Add From: header to warning emails. Debian Bug#244828. Matthias Andree.
+* Fix IMAP code to use password of arbitrary length from configuration
+ file (although not when read interactively). Debian Bug#276424.
+ Matthias Andree
+* Document that fetchmail may automatically enable UIDL option.
+ Debian Bug#304701. Matthias Andree.
+* Put *BOLD* text into the manual page near --mda to state unmistakably that
+ the --mda %T and %F substitutions add single quotes, hoping to avoid bogus
+ bug reports such as Debian Bug #224564. Matthias Andree
+* Rename lock_release to fm_lock_release, to avoid namespace collision on
+ Darwin. NetBSD PR#28543 (pkg/28543). Matthias Andree.
+* The RFC-822 parser no longer strips the last character of bare addresses.
+ Matthias Andree
+* The IP address matching code was broken and
+ 1. didn't search exhaustively, but matched only the first IP address of the
+ server's queryname against the IP addresses of the server name to match.
+ 2. didn't match IP aliases versus MX hosts. Matthias Andree
+* gettext (intl/) has been removed from the fetchmail package. Install GNU
+ gettext 0.14 separately for NLS (i18n). Matthias Andree
+* fetchmailconf is now a shell wrapper that calls the byte-compiled
+ fetchmailconf.py script, which is now installed in the regular python
+ directory. Matthias Andree.
+* The "port" option, while still understood, is being replaced by the "service"
+ option, which is now supported even without --enable-inet6. Matthias Andree.
+* The default distribution format is now bzip2. Matthias Andree.
+* fetchmailconf redirects fetchmail's input from /dev/null so it doesn't
+ wait for the user to enter a password when the user doesn't even see
+ the prompt. Reported by Michal Marek. Matthias Andree.
+* Write RFC-compliant BSMTP envelopes. Reported by Nico Golde. Matthias Andree.
+* Fix --with-gssapi compilation problem. Simon Josefsson. (MA)
+* Foster protocol-independence to support IPv6 better, for instance, providing
+ IPv6 addresses in Received: headers. Matthias Andree.
+* The --enable-inet6 configure option was removed. The code is mostly protocol
+ agnostic, a fully IPv6 aware OS is expected to provide getaddrinfo(),
+ getnameinfo() and the macro AF_INET6. Matthias Andree.
+* Received: headers now enclose the for <...> destination address in angle
+ brackets for consistency with Postfix. Matthias Andree.
+* Operating systems that do not support at least one of gethostbyname,
+ gethostbyname_r, getipnodebyname are no longer supported. Matthias Andree.
+* Fixes to --with-hesiod option. Sunil Shetye. (MA)
+* Delete oversized messages with the news --limitflush option. Debian
+ Bug#212240. Sunil Shetye. (MA)
+* Fix MacOS X compilation failures in sink.c (ru_*time has incomplete type).
+ Berlios Bug #4725. Matthias Andree.
+* Fix "auth ntlm" to send AUTH NTLM (rather than AUTH MSN). Add "auth msn"
+ officially. Reported by Yves Boisjoly. Matthias Andree
+* Expunge between IMAP folders when polling multiple folders.
+ Sunil Shetye. (MA)
+* Fix IMAP expunged message counting. Sunil Shetye. (MA)
+* Add full support for --service option. Matthias Andree
+
+# INTERNAL CHANGES
+* Switched to automake. Matthias Andree.
+* Got rid of alloca() in fetchmail proper. Matthias Andree
+* Got rid of ipv6-connect, inner_connect and thereabouts. Matthias Andree
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
* Updated Spanish, Turkish, and German translation files.
* Matthew Gregan's patch to handle garbage lengths from dbmail;
- closes Debian bug #207919.
+ closes Debian bug #212484.
* Fix IMAP query so new-message count doesn't include deleted messages.
* Man page typo fix, closes Debian bug #205892.
* OpenSSL cleanup patches from levinedl@acm.org.
* Updated de and po translations.
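Review bot: In the --limitflush entry, "Delete oversized messages with the news --limitflush option" looks like a typo for "the new --limitflush option"; as written it reads as if the option had something to do with news. In the same run of additions, "Fix suggested Goswin Brederlow" is missing "by", the entry "Fix some minor inaccuracies (RFC-1893 related, grammar/spelling) in the manual page." has no name attached, and the written-out credit "Matthias Andree" appears both with and without a trailing period. Suggest fixing the two wording slips and settling on one punctuation for the credit throughout the 6.3.0 section.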
There are 520 people on fetchmail-friends and 683 on fetchmail-announce.
+
+ vim:tw=79 com=bf\:* ts=8 sts=8 sw=8 ai: