* The --bsmtp - mode of operation may be removed in a future release.
* Given that OpenSSL is severely underdocumented, and needs license exceptions,
fetchmail may switch to a different SSL library.
-* SSLv2 support will be removed from a future fetchmail release. It has been
- obsolete for more than a decade.
+* SSLv3 support may be removed from a future fetchmail release. It has been
+ obsolete for many years and found insecure. Use TLS.
--------------------------------------------------------------------------------
-fetchmail-6.3.23 (released 2012-12-10, 26106 LoC):
+fetchmail-6.4.0 (not yet released):
+
+# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
+* They have stopped accepting submissions and consider themselves an archive.
+
+## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION
+* Fetchmail no longer supports SSLv2.
+* Fetchmail no longer attempts to negotiate SSLv3 by default,
+ even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
+ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the
+ OpenSSL version used at build and run-time supports these versions, --sslproto
+ ssl3 can be used to enable this specific version. Doing so is discouraged
+ because these protocols are broken.
+
+ Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843.
+
+ While this change is supposed to be compatible with common configurations,
+ users are advised to change all explicit --sslproto ssl2, --sslproto
+ ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and
+ TLSv1.2 on systems with OpenSSL 1.0.1 or newer.
+
+ The --sslproto option now understands the values auto, tls1+, tls1.1+,
+ tls1.2+ (case insensitively).
+
+## CHANGES
+* fetchmail 6.3.X is unsupported.
+* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
+* --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a
+ minimum specified TLS protocol version.
+* Fetchmail now detects if the server hangs up prematurely during SSL_connect()
+ and reports this condition as such, and not just as SSL connection failure.
+ (OpenSSL 1.0.2 reported incompatible with pop3.live.com by Jerry Seibert).
+
+## FIXES
+* Fix a typo in the FAQ. Submitted by David Lawyer, Debian Bug#706776.
+* Do not translate header tags such as "Subject:". Reported by Gonzalo Pérez de
+ Olaguer Córdoba, Debian Bug#744907.
+* Convert most links from berlios.de to sourceforge.net.
+* Report error to stderr, and exit, if --idle is combined with multiple
+ accounts.
+* Point to --idle from GENERAL OPERATION to clarify --idle and multiple
+ mailboxes do not mix. In response to Jeremy Chadwick's trouble 2014-11-19,
+ fetchmail-users mailing list.
+* Fix SSL-enabled build on systems that do not declare SSLv3_client_method(),
+ or that #define OPENSSL_NO_SSL3 inside #include <openssl/ssl.h>
+ Related to Debian Bug#775255.
+* Version report lists -SSLv3 on SSL-enabled no-ssl3 builds.
+
+# KNOWN BUGS AND WORKAROUNDS
+ (This section floats upwards through the NEWS file so it stays with the
+ current release information)
+* Fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* Fetchmail does not track pending deletes across crashes.
+* The command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running.
+* Linux systems may return duplicates of an IP address in some circumstances if
+ no or no global IPv6 addresses are configured.
+ (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
+* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
+ messages. This will not be fixed, because the maintainer has no Kerberos 5
+ server to test against. Use GSSAPI.
+
+
+fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
+
+ CRITICAL BUG FIX for setups using "mimedecode":
+* The mimedecode feature failed to ship the last line of the body if it was
+ encoded as quoted-printable and had a MIME soft line break in the very last
+ line. Reported by Lars Hecking in June 2011.
+
+ Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
+ before release 4.4.1 through code contributed by Henrik Storner.
+ Workaround for older releases: do not use mimedecode feature.
+
+ Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
+ but it was not.
+
+ Fixes Launchpad Bug#1171818.
+
+
+fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):
+
+# BUG FIXES
+* Fix a memory leak in out-of-memory error condition while handling plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
+* Fix a NULL pointer dereference in out-of-memory error condition while handling
+ plugins.
+ Report and patch by John Beck (found with Parfait static code analyzer).
+
+# CHANGES
+* Improved reporting when SSL/TLS X.509 certificate validation has failed,
+ working around a not-so-recent swapping of two OpenSSL error codes, and
+ a practical impossibility to distinguish broken certification chains from
+ missing trust anchors (root certificates).
+* OpenSSL decoded errors are now reported through report(), rather than dumped
+ to stderr, so that they should show up in logfiles and/or syslog.
+* The fetchmail manual page no longer claims that MD5 were the default OpenSSL
+ hash format (for use with --sslfingerprint). Reported by Jakob Wilk,
+ PARTIAL fix for Debian Bug#700266.
+* The fetchmail manual page now refers the user to --softbounce from the
+ SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
+
+# WORKAROUNDS
+* Older systems that provide the older RFC-2553 implementation of getaddrinfo,
+ rather than the current RFC-3493, and systems that do not provide this
+ getaddrinfo() interface at all and thus use the replacement functions from
+ libesmtp/getaddrinfo.?, might return EAI_NODATA when a host is registered in
+ DNS as MX or similar, but without A or AAAA records. Handle this situation
+ when checking for multidrop aliases and treat EAI_NODATA the same as
+ EAI_NONAME, i. e. name cannot be resolved.
-# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR.
-Should a 7.0 release be made earlier, chances are that the 6.3.X branch
-is abandoned and its changes be folded into the 7.0 release, with changes
-after 6.3.22 not available on their own in a newer 6.3.X release.
+ The proper fix, however, is to upgrade the operating system.
+
+# TRANSLATION UPDATES
+[cs] Czech, by Petr Pisar
+[da] Danish, by Joe Hansen
+[de] German
+[eo] Esperanto, by Sian Mountbatten and Felipe Castro
+[fr] French, by Frédéric Marchal
+[ja] Japanese, by Takeshi Hamasaki
+[pl] Polish, by Jakub Bogusz
+[sv] Swedish, by Göran Uddeborg
+[vi] Vietnamese, by Trần Ngọc Quân
+
+
+fetchmail-6.3.24 (released 2012-12-23, 26108 LoC):
+
+# CRITICAL AND REGRESSION FIXES
+* Plug a memory leak in OpenSSL's certificate verification callback.
+ This would affect fetchmail configurations running with SSL in daemon mode
+ more than one-shot runs.
+ Reported by Erik Thiele, and pinned by Dominik Heeg,
+ fixes Debian Bug #688015.
+ This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29)
+ when support for subjectAltName was added through a patch by Roland
+ Stigge, submitted as Debian Bug#201113.
+
+* The --logfile option now works again outside daemon mode, reported by Heinz
+ Diehl. The documentation that I had been reading was inconsistent with the
+ code, and only parts of the manual page claimed that --logfile was only
+ effective in daemon mode.
+
+
+fetchmail-6.3.23 (released 2012-12-10, 26106 LoC):
# REGRESSION FIXES
* Fix compilation with OpenSSL implementations before 0.9.8m that lack
[sv] Swedish, by Göran Uddeborg
[vi] Vietnamese, Trần Ngọc Quân
-# KNOWN BUGS AND WORKAROUNDS
- (This section floats upwards through the NEWS file so it stays with the
- current release information)
-* Fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
- 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
- fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
- so compiling 32-bit SPARC code should not cause any difficulties.
-* Fetchmail does not track pending deletes across crashes.
-* The command line interface is sometimes a bit stubborn, for instance,
- fetchmail -s doesn't work with a daemon running.
-* Linux systems may return duplicates of an IP address in some circumstances if
- no or no global IPv6 addresses are configured.
- (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
-* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
- messages. This will not be fixed, because the maintainer has no Kerberos 5
- server to test against. Use GSSAPI.
-
fetchmail-6.3.22 (released 2012-08-29, 26077 LoC):
projects / ~andy / fetchmail / blobdiff