* The --bsmtp - mode of operation may be removed in a future release.
* Given that OpenSSL is severely underdocumented, and needs license exceptions,
fetchmail may switch to a different SSL library.
-* SSLv2 support will be removed from a future fetchmail release. It has been
- obsolete for more than a decade.
+* SSLv3 support may be removed from a future fetchmail release. It has been
+ obsolete for many years and found insecure. Use TLS.
--------------------------------------------------------------------------------
-fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
+fetchmail-6.4.0 (not yet released):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.
-# CRITICAL BUG FIX for setups using "mimedecode":
-* The mimedecode feature failed to ship the last line of the body if it was
- encoded as quoted-printable and had a MIME soft line break in the very last
- line. Reported by Lars Hecking in June 2011.
-
- Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
- before release 4.4.1 through code contributed by Henrik Storner.
- Workaround for older releases: do not use mimedecode feature.
-
- Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
- but it was not.
-
- Fixes Launchpad Bug#1171818.
+## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION
+* Fetchmail no longer supports SSLv2.
+* Fetchmail no longer attempts to negotiate SSLv3 by default,
+ even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
+ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the
+ OpenSSL version used at build and run-time supports these versions, --sslproto
+ ssl3 can be used to enable this specific version. Doing so is discouraged
+ because these protocols are broken.
+
+ Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843.
+
+ While this change is supposed to be compatible with common configurations,
+ users are advised to change all explicit --sslproto ssl2, --sslproto
+ ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and
+ TLSv1.2 on systems with OpenSSL 1.0.1 or newer.
+
+ The --sslproto option now understands the values auto, tls1+, tls1.1+,
+ tls1.2+ (case insensitively).
+
+## CHANGES
+* fetchmail 6.3.X is unsupported.
+* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
+* --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a
+ minimum specified TLS protocol version.
+* Fetchmail now detects if the server hangs up prematurely during SSL_connect()
+ and reports this condition as such, and not just as SSL connection failure.
+ (OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert).
+
+## FIXES
+* Fix a typo in the FAQ. Submitted by David Lawyer, Debian Bug#706776.
+* Do not translate header tags such as "Subject:". Reported by Gonzalo Pérez de
+ Olaguer Córdoba, Debian Bug#744907.
+* Convert most links from berlios.de to sourceforge.net.
+* Report error to stderr, and exit, if --idle is combined with multiple
+ accounts.
+* Point to --idle from GENERAL OPERATION to clarify --idle and multiple
+ mailboxes do not mix. In response to Jeremy Chadwick's trouble 2014-11-19,
+ fetchmail-users mailing list.
+* Fix SSL-enabled build on systems that do not declare SSLv3_client_method(),
+ or that #define OPENSSL_NO_SSL3 inside #include <openssl/ssl.h>
+ Related to Debian Bug#775255.
+* Version report lists -SSLv3 on SSL-enabled no-ssl3 builds.
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
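Review bot: In the SSLv3 entry under "SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION", the sentence "Doing so is discouraged because these protocols are broken" follows text that names SSLv3 together with TLSv1.1 and newer, so it reads as if the newer TLS versions were broken as well; suggest "Doing so is discouraged because SSLv3 is broken." The same entry advises replacing an explicit --sslproto ssl2, but does not say what fetchmail now does when it finds that value in an existing configuration, which is the first thing someone upgrading will want to know. The values auto, tls1+, tls1.1+ and tls1.2+ are announced here and again under CHANGES; one of the two places could carry the description and the other a pointer. Style: the new headings use "##" while the neighbouring headings ("# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.", "# KNOWN BUGS AND WORKAROUNDS") use a single "#".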
server to test against. Use GSSAPI.
+fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
+
+ CRITICAL BUG FIX for setups using "mimedecode":
+* The mimedecode feature failed to ship the last line of the body if it was
+ encoded as quoted-printable and had a MIME soft line break in the very last
+ line. Reported by Lars Hecking in June 2011.
+
+ Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
+ before release 4.4.1 through code contributed by Henrik Storner.
+ Workaround for older releases: do not use mimedecode feature.
+
+ Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
+ but it was not.
+
+ Fixes Launchpad Bug#1171818.
+
+
fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):
# BUG FIXES
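Review bot: The heading of the re-added 6.3.26 section has lost its marker: the removed line read '# CRITICAL BUG FIX for setups using "mimedecode":' and the added one starts with only a space, unlike "# BUG FIXES" in the 6.3.25 section directly below. Restore the "#" (or whichever heading marker the new 6.4.0 section settles on) so the moved block matches the rest of the file; the body of the entry is otherwise carried over unchanged.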