Abbreviations in parentheses are the maintainers who committed the respective
change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
-# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS
+# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
+(There are no plans to remove these features from a 6.3.X release, but they may
+be removed from a 6.4.0 or newer release.)
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
- are obsolete, deprecated and may be removed from a future fetchmail version.
- They have never supported IPv6 (including IPv6-mapped IPv4) anyhow.
+ are based on assumptions that are rarely met in practice, somewhat defective,
+ deprecated and may be removed from a future fetchmail version. They have
+ never supported IPv6 (including IPv6-mapped IPv4).
Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
- version as they are not sufficiently portable.
-* POP2 is obsolete.
- Support for POP2 may be removed from a future fetchmail version.
-* RPOP is obsolete, support may be removed from a future fetchmail release.
-* --sslcertck may become a default setting in a future fetchmail version.
+ version as they are not reasonably portable.
+* POP2 is obsolete, support will be removed from a future fetchmail version.
+* RPOP is obsolete, support will be removed from a future fetchmail release.
+* --sslcertck will become a default setting in a future fetchmail version.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
the Received header was never meant to be machine-readable, the format varies
widely, and various other differences in behavior make parsing Received an
- unreliable undertaking. The enveloper option as such will remain though, in
+ unreliable undertaking. The envelope option as such will remain though, in
order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
See also <http://home.pages.de/~mandree/mail/multidrop>.
-* The --enable-fallback (fall back to MDA if MTA unavailable) may be removed
- from a future fetchmail release.
+* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed
+ from a future fetchmail release, because it makes fetchmail's behavior
+ inconsistent and confusing.
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
-* SIGHUP wakeup may be removed from a future fetchmail release and cause it
- to terminate.
+* SIGHUP wakeup support may be removed from a future fetchmail release and
+ cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
removed or operation on such systems may be suboptimal for future releases.
--------------------------------------------------------------------------------
-fetchmail 6.3.6 (not yet released):
+fetchmail 6.3.8 (not yet released):
+
+# SECURITY STRENGTHENING:
+* Make the APOP challenge parser more distrustful and have it reject challenges
+ that do not conform to RFC-822 msg-id format, in the hope to make mounting
+ man-in-the-middle attacks (MITM) against APOP a bit more difficult.
+ (CVE-2007-1558)
+
+ APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
+ setups: based on MD5 collisions, it is purportedly possible to recover the
+ first three characters of the shared secret (password), which would then make
+ recovery of the shared secret a matter of hours or minutes; this would then
+ enable the attacker to impersonate the client vis-à-vis the server.
+
+ For further details, check
+ * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application
+ to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in
+ Springer's Lecture Notes on Computer Science.)
+ * The mailing list discussion thread at
+ <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html>
+
+# BUG FIXES:
+* Fix pluralization of oversized-message warning mails.
+* Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
+ "recommended:" in bold. Fixes Debian Bug #413059, reported by Rafal Czlonka.
+* Repoll immediately if a protocol error happens during the authentication
+ attempt after a failed opportunistic TLS upgrade.
+ Fixes comment #9 in Gentoo Bug #163782, reported by Takuto Matsuu.
+* Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes section.
+ Reported by Nico Golde.
+* If SOCKS support was compiled in, add 'socks' to the feature_options Python
+ list emitted in --configdump. Reported by Rob MacGregor.
+* Do not crash with a null pointer dereference when opening the BSMTP file
+ fails. Improve error checking and reporting. Reported by Reto Schüttel,
+ Debian Bug#416625. Fix based on a patch by Nico Golde.
+* Make BSMTP output actually work, it would persistently fail with SOCKET error
+ after writing the first header.
+
+# DOCUMENTATION:
+* Extend --mda documentation, discourage use of qmail-inject.
+ Based on a patch by Rob MacGregor.
+* Document SOCKS configuration facility (SOCKS_CONF environment variable).
+ Thanks to Jochen Hayek, Michael Shuldman and Rob MacGregor.
+* Use envelope option in multidrop example. Patch by Rob MacGregor.
+* Document expected Received: line format when parsing for envelope addressees.
+* Stripped option documentation from sample.rcfile, since this is bound to go
+ out of synch with the manual page, which is the only reference on options.
+
+# CONTRIB:
+* Add delete-later and delete-later.README, a script and documentation for
+ a MySQL/Tcl-based client-side "delete-after" feature.
+ Kindly donated by Yoo GmbH, Großvoigtsberg, Germany (Carsten Ralle).
# KNOWN BUGS AND WORKAROUNDS:
- (this section floats upwards through the NEWS to be on top of the list)
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information)
* fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
-* Sun Workshop 6 (SPARC) is known to miscompile the lexer in 64-bit mode.
- Either compile 32-bit code or use GCC to compile 64-bit fetchmail.
- Note that fetchmail doesn't take advantage of 64-bit code anyways,
- so compiling 32-bit SPARC code should be fine.
-* fetchmail expects Received: headers in a particular format when parsing
- envelopes.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail does not track pending deletes over crashes
* the command line interface is a bit narrow-minded sometimes, for instance,
fetchmail -s doesn't work with a running daemon
* some of the logging output is not very helpful
* some of the documentation is still not up to date
-# BUG FIXES:
+
+
+fetchmail 6.3.7 (released 2007-02-18):
+
+# FIXES FOR REGRESSIONS IN 6.3.6
+* Fix KPOP. Patch by Miloslav Trmac.
+* Fix repoll when server disconnects after opportunistic TLS failed for POP3.
+ Berlios Bug #10133 = Gentoo Bug #163782 reported by Andrej Kacian.
+
+# TRANSLATION UPDATES
+* Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz)
+
+# CHANGES
+* Consider getaddrinfo() on Darwin 9 (Mac OS X 10.5 "Leopard") thread-safe.
+ Reported by Uli Zappe.
+
+
+fetchmail 6.3.6 (released 2007-01-04):
+
+# SECURITY FIXES:
+* CVE-2006-5867, fetchmail-SA-2006-02.txt:
+ Password disclosure vulnerability fixed. This has several aspects:
+
+ - Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
+ options are used and the ssl option is not used, in order to be sure that
+ fetchmail gets a certificate from the mail server.
+
+ - Fetchmail breaks the connection if the TLS negotiation (or verification, if
+ requested) fails with sslproto 'tls1', sslfingerprint or sslcheck enabled.
+
+ - POP3 connections now use STLS reliably. They used to ignore STLS altogether
+ for serveral values of the "auth" option, when fetchmail forget to probe
+ server capabilities - see fetchmail-SA-2006-02.txt for details.
+
+ - POP3 connections will no longer fall back USER/PASS authentication if
+ strong challenge-response authenticators such as CRAM-MD5 are configured
+ but the server does not advertise these in its CAPA response.
+
+ - POP2 is obsolete and does not support STLS or anything beyond password-based
+ authentication. The attempt to use STLS or strong authenticators now causes
+ connection abort.
+
+ Configurations using both ssl and sslcertck however have been semi-safe in
+ that they would send the password in the clear. The USER/PASS fallback
+ problem however applies to these too, so that the password was only safe on
+ trustworthy servers.
+
+* CVE-2006-5974, fetchmail-SA-2006-03.txt:
+ Repairs a regression in 6.3.5 that crashes fetchmail when a message with
+ invalid headers is found while fetchmail's mda option is in use. BerliOS bugs
+ #9364, #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+
+# REGRESSION FIXES (recently introduced bugs)
* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
reported by Brian Harring.
+* Repair --user, broken in 6.3.5 (as a side effect of the authenticate external
+ patch): using SSL certificate/key authentication overrode the --user option.
+ Now the latter takes precedence, and only defaults to the certificate's common
+ name. Debian Bug #400950, reported by Jorgen Schaefer <forcer@debian.org>.
+
+# BUG FIXES (long-standing bugs):
+* RPOP: used to log the password locally rather than an asterisk as the other
+ protocols do. The password is now shrouded in the local logs.
+* POP3: Probes capabilities now when Kerberos V5 is enabled, so that we can
+ actually detect if the server supports it.
+* Robustness: If a stale lockfile cannot be deleted, truncate it so that
+ fetchmail doesn't later believe itself to be running if the PID is recycled
+ by a non-fetchmail process.
+* DNS: Detect /etc/resolv.conf changes: On systems that have res_search(),
+ assume we also have res_init() and call it (suggested by Ulrich Drepper,
+ glibc bug #3675) in order to make libc or libresolv reread the resolver
+ configuration at the beginning of a poll cycle. This is important when
+ fetchmail is in daemon mode and /etc/resolv.conf is changed later by dhcpcd,
+ dhclient, pppd, openvpn or other ip-up/ipchange scripts. Should fix Debian
+ Bug#389270, Bug#391698.
+* Robustness: Fix crash on systems that do not provide strdup(), the crash
+ happens only in out-of-memory conditions when fetchmail cannot proceed
+ anyways. Patch by Andreas Krennmair.
+* Robustness: When HOME and FETCHMAILHOME are unset, be sure to copy user
+ database information, so it is not trashed later. Patch by Jim Correia.
+
+# CHANGES:
+* Workaround: Improve handling of IMAP IDLE, some servers do not reset their
+ time counters after sending information asynchronously. Patch by Sunil
+ Shetye, after report from Andrew Baumann.
+* Usability: When requesting Kerberos or GSSAPI, complain and exit with syntax
+ error if any of these requested features has not been compiled in. This is
+ to fail early and with precise error message. Reported by Isaac Wilcox.
+* --version will now add +KRB4 or +KRB5 if Kerberos v4 or v5, respectively, have
+ been compiled in. Reported missing by Isaac Wilcox.
+
+# TRANSLATIONS:
+* New en_GB (British English) translation by David Lodge.
+* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
+ Maryanov) and Vietnamese (Clytie Siddall) translations.
+! Note that not all these translations are complete -- this isn't the
+ translators' fault though, but due to delays at the BerliOS hosting site and
+ the translation project handlers. You may see a few untranslated messages.
+
+# DOCUMENTATION:
+* Dropped exit status 15 from manual page, it's not used by fetchmail.
+ Reported by Isaac Wilcox.
+* Documented exit codes 24 - 29 as internal.
fetchmail 6.3.5 (released 2006-10-09):
* switch setjmp/longjmp to sigsetjmp/siglongjmp
* IMAP now supports the EXTERNAL authentication method, courtesy of
Götz 'nimrill' Babin-Ebell, BerliOS patch #1095 with minor changes.
+ Note that this change causes --sslcert to override --user.
* The sslproto keywords are now case insensitive, courtesy of
Götz 'nimrill' Babin-Ebell, BerliOS patch #1095.
* When going to sleep, log for how long. Suggested by Claudia Ludwig.