fetchmail 6.3.8 (not yet released):
+# SECURITY STRENGTHENING:
+* Make the APOP challenge parser more distrustful and have it reject challenges
+ that do not conform to RFC-822 msg-id format, in the hope to make mounting
+ man-in-the-middle attacks (MITM) against APOP a bit more difficult.
+ (CVE-2007-1558)
+
+ APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
+ setups: based on MD5 collisions, it is purportedly possible to recover the
+ first three characters of the shared secret (password), which would then make
+ recovery of the shared secret a matter of hours or minutes; this would then
+ enable the attacker to impersonate the client vis-à-vis the server.
+
+ For further details, check
+ * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application
+ to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in
+ Springer's Lecture Notes on Computer Science.)
+ * The mailing list discussion thread at
+ <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html>
+
# BUG FIXES:
* Fix pluralization of oversized-message warning mails.
* Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
Fixes comment #9 in Gentoo Bug #163782, reported by Takuto Matsuu.
* Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes section.
Reported by Nico Golde.
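Review bot: the SECURITY STRENGTHENING entry above should state plainly that the stricter RFC-822 msg-id check on APOP challenges is a hardening measure and not a fix for the MD5 collision weakness it goes on to describe; as written, the heading and the CVE-2007-1558 tag can be read as if this release closed the issue, and "in the hope to make ... a bit more difficult" hedges without saying so. Suggest adding a sentence such as "This does not address the underlying MD5 weakness; it only rejects malformed challenges." Two smaller points in the same hunk: "in the hope to make" reads better as "in the hope of making", and the reference should cite Springer's "Lecture Notes in Computer Science", not "on".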
+* If SOCKS support was compiled in, add 'socks' to the feature_options Python
+ list emitted in --configdump. Reported by Rob MacGregor.
+* Do not crash with a null pointer dereference when opening the BSMTP file
+ fails. Improve error checking and reporting. Reported by Reto Schüttel,
+ Debian Bug#416625. Fix based on a patch by Nico Golde.
+* Make BSMTP output actually work, it would persistently fail with SOCKET error
+ after writing the first header.
# DOCUMENTATION:
* Extend --mda documentation, discourage use of qmail-inject.
Based on a patch by Rob MacGregor.
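Review bot: the last entry of the BUG FIXES hunk is a comma splice: "Make BSMTP output actually work, it would persistently fail with SOCKET error after writing the first header." Suggest "Make BSMTP output actually work; it used to fail persistently with a SOCKET error after writing the first header." The null-pointer entry just above it credits both the reporter and the patch author, while this one credits nobody; add a reporter if one is known.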
-* Document SOCKS is not run-time configurable. Patch by Rob MacGregor.
+* Document SOCKS configuration facility (SOCKS_CONF environment variable).
+ Thanks to Jochen Hayek, Michael Shuldman and Rob MacGregor.
* Use envelope option in multidrop example. Patch by Rob MacGregor.
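Review bot: the replacement entry removes the statement that SOCKS is not run-time configurable but does not say what the SOCKS_CONF environment variable controls. Since the BUG FIXES hunk above treats SOCKS as a compile-time option ("If SOCKS support was compiled in"), the entry should say what SOCKS_CONF selects and that it has no effect unless SOCKS support was compiled in, so readers of the old and new entries are not left with an apparent contradiction.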
+* Document expected Received: line format when parsing for envelope addressees.
+* Stripped option documentation from sample.rcfile, since this is bound to go
+ out of synch with the manual page, which is the only reference on options.
# CONTRIB:
* Add delete-later and delete-later.README, a script and documentation for
64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
so compiling 32-bit SPARC code should not cause any difficulties.
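Review bot: "Stripped option documentation from sample.rcfile" uses the past tense while every other entry in the file is imperative ("Document", "Add", "Fix"); suggest "Strip option documentation from sample.rcfile, since it is bound to go out of sync with the manual page, which is the only reference on options." Also "synch" should be spelled "sync".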
-* fetchmail expects Received: headers in a particular, but undocumented, format
- when parsing envelopes.
* fetchmail does not track pending deletes over crashes
* the command line interface is a bit narrow-minded sometimes, for instance,
fetchmail -s doesn't work with a running daemon