* The monitor and interface options may be removed from a future fetchmail
version as they are not reasonably portable across operating systems.
* POP2 is obsolete, support will be removed from a future fetchmail version.
+* IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a
+ future fetchmail version.
* RPOP is obsolete, support will be removed from a future fetchmail release.
* --sslcertck will become a default setting in a future fetchmail version.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
+* Kerberos 5 support may be removed from a future fetchmail release.
+* The --principal option may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
* The maintainer may migrate fetchmail to C++ with STL or C#, and impose further
requirements (dependencies), such as Boost or other class libraries.
* The softbounce option default will change to "false" in the next release.
+* The --bsmtp - mode of operation may be removed in a future release.
+* Given that OpenSSL is severely underdocumented, and needs license exceptions,
+ fetchmail may switch to a different SSL library.
+* SSLv2 support will be removed from a future fetchmail release. It has been
+ obsolete for more than a decade.
--------------------------------------------------------------------------------
-fetchmail 6.3.10 (not yet released):
+fetchmail-6.3.23 (not yet released)
+
+# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR.
+Should a 7.0 release be made earlier, chances are that the 6.3.X branch
+is abandoned and its changes be folded into the 7.0 release, with changes
+after 6.3.22 not available on their own in a newer 6.3.X release.
+
+# REGRESSION FIXES
+* Fix compilation with OpenSSL implementations before 0.9.8m that lack
+ SSL_CTX_clear_options. Patch by Earl Chew.
+ Note that the use of older OpenSSL versions with fetchmail is unsupported and
+ *not* recommended.
+
+# BUG FIXES
+* Fix combination of --plugin and -f -. Patch by Alexander Zangerl,
+ to fix Debian Bug#671294.
+* Clean up logfile vs. syslog handling, and in case logfile overrides
+ syslog, send a message to the latter stating where logging goes.
+
+# WORKAROUNDS
+* Make Maillennium POP3 workarounds less specific, to encompass
+ Maillennium POP3/UNIBOX (Maillennium V05.00c++). Reported by Eddie
+ via fetchmail-users mailing list, 2012-10-13.
+
+
+fetchmail-6.3.22 (released 2012-08-29, 26077 LoC):
+
+# SECURITY FIXES
+* for CVE-2012-3482:
+ NTLM: fetchmail mistook an error message that the server sent in response to
+ an NTLM request for protocol exchange, tried to decode it, and crashed while
+ reading from a bad memory location.
+ Also, with a carefully crafted NTLM challenge packet sent from the server, it
+ would be possible that fetchmail conveyed confidential data not meant for the
+ server through the NTLM response packet.
+ Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
+ NTLM authentication in case of error.
+ See fetchmail-SA-2012-02.txt for further details.
+ Reported by J. Porter Clark.
+
+* for CVE-2011-3389:
+ SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
+ against a certain kind of attack against cipher block chaining initialization
+ vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
+ Whether this creates an exploitable situation, depends on the server and the
+ negotiated ciphers.
+ As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
+
+ NOTE that this can cause connections to certain non-conforming servers to
+ fail, in which case you can set the environment variable
+ FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
+ fetchmail to re-instate the compatibility option at the expense of security.
+
+ Reported by Apple Product Security.
+
+ For technical details, refer to <http://www.openssl.org/~bodo/tls-cbc.txt>.
+ See fetchmail-SA-2012-01.txt for further details.
+
+# BUG FIX
+* The Server certificate: message in verbose mode now appears on stdout like the
+ remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
+
+* The GSSAPI-related autoconf code now matches gssapi.c better, and uses
+ a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
+ This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
+
+# CHANGES
+* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
+ newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
+ reference it (to fix the build) and if configured, print a run-time error
+ that the OS does not support SSLv2. Fixes Debian Bug #622054,
+ but note that that bug report has a more thorough patch that does away with
+ SSLv2 altogether.
+
+* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
+ under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
+ was dropped). The Creative Commons address was updated.
+
+* The Python-related Makefile.am parts were simplified to avoid an automake
+ 1.11.X bug around noinst_PYTHON, Automake Bug #10995.
+
+* Configuring fetchmail without SSL now triggers a configure warning,
+ and asks the user to consider running configure --with-ssl.
+
+# WORKAROUND
+* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
+ a header request, in the face of message corruption. fetchmail now treats
+ these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
+
+* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
+ without any header in response to a header request for meeting reminder
+ messages (with a "meeting.ics" attachment). fetchmail now treats these as
+ transient errors. Report by John Connett, Patch by Sunil Shetye.
+
+# TRANSLATION UPDATES
+* [cs] Czech, by Petr Pisar
+* [de] German
+* [fr] French, by Frédéric Marchal
+* [ja] Japanese, by Takeshi Hamasaki
+* [pl] Polish, by Jakub Bogusz
+* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
+* [vi] Vietnamese, by Trần Ngọc Quân
+
+# KNOWN BUGS AND WORKAROUNDS
+ (This section floats upwards through the NEWS file so it stays with the
+ current release information)
+* Fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* Fetchmail does not track pending deletes across crashes.
+* The command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running.
+* Linux systems may return duplicates of an IP address in some circumstances if
+ no or no global IPv6 addresses are configured.
+ (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
+* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
+ messages. This will not be fixed, because the maintainer has no Kerberos 5
+ server to test against. Use GSSAPI.
+
+
+fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):
+
+# CRITICAL BUG FIX
+* The IMAP client no longer inserts NUL bytes into the last line of a message
+ when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt.
+ As a side effect of the fix, and in order to avoid a full rewrite, fetchmail
+ will now CRLF-terminate the last line fetched through IMAP, even if it is
+ originally not terminated by LF or CRLF. This bears no relevance if your
+ messages end up in mbox, but adds line termination for storages (like Maildir)
+ that do not require that the last line be LF- or CRLF-terminated.
+
+# CONTRIB/ addition
+* There is a patch against fetchnews's source, contrib/rawlog.patch, that can
+ log (and hexdump non-printing characters) raw socket data to a file. It proved
+ useful to debug Antoine's bug described above.
+
+
+fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
+
+# SECURITY BUG FIXES
+* CVE-2011-1947:
+ STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
+ set timeout (default five minutes) now. This was reported missing, with
+ observed fetchmail freezes beyond a week, by Thomas Jarosch.
+ SSL-wrapped connections were unaffected by this timeout, so users of older
+ versions can force ssl-wrapped connections -- if supported by the server --
+ with the --ssl command line or ssl rcfile option.
+ See fetchmail-SA-2011-01.txt for further details.
+
+# BUG FIXES
+* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
+ new messages and most of the range searches result in nothing. Instead, split
+ the long response to make the IMAP driver think that there are multiple lines
+ of response. (Sunil Shetye)
+* Do not print "skipping message" for old messages even in verbose mode. If
+ there are too many old messages, the logs just get filled without any real
+ activity. (Sunil Shetye) (suggested by Yunfan Jiang)
+* Build: fetchmail now always uses its own MD5 implementation rather than trying
+ to find a system library with matched header. The library and header variants
+ found on systems are too diverse, and the code size saving is not worth any
+ more wasted user or programmer time.
+
+# CHANGES
+* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
+* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
+ there is no portable way to configure actual timeouts for this mode, and some
+ systems only support a system-wide timeout setting. fetchmail does not
+ attempt to tune the time spans of keepalive mode.
+
+# TRANSLATION UPDATES
+ [cs] Chech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German (Matthias Andree)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+
+fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
+
+# ERRATUM NOTICE ISSUED
+* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
+ grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.
+
+# BUG FIXES
+* When specifying multiple local multidrop lists, do not lose wildcard flag.
+ (Affects "user foo is bar baz * is joe here")
+* In multidrop configurations, an asterisk can now appear anywhere in the list
+ of local users, not just at the end.
+* In multidrop mode, header parsing is now more verbose in -vv mode, so that it
+ becomes possible to see which header is used.
+* Make --antispam work from command line (these used to work in rcfiles).
+ Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
+* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
+ documents. Skip validating Mailbox-Names-UTF7.html. Several systems have
+ broken XHTML 1.1 DTD installations that jeopardize the build.
+ Reported by Mihail Nechkin against FreeBSD port.
+ Workaround for 6.3.18: build in a separate directory, i. e:
+ mkdir build && cd build && ../configure --options-go-here
+* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
+* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
+ and Derek Simkowiak via the fetchmail-users@ mailing list.
+* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
+ server capabilities do not show support for upgradation to TLS.
+ To use this, configure --sslproto tls1. (Sunil Shetye)
+* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
+ Yasin Malli to fetchmail-users@ 2010-12-10.
+ Note that fetchmail continues to expect literals as FETCH response for now.
+
+# DOCUMENTATION
+* The manual page now links to IANA for GSSAPI service names.
+
+# TRANSLATION UPDATES
+ [cs] Czech (Petr Pisar)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [pl] Polish (Jakub Bogusz)
+
+
+fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
+
+# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+* Fetchmail now only accepts wildcard certificate common names and subject
+ alternative names if they start with "*.". Previous versions would accept
+ wildcards even if no period followed immediately.
+* Fetchmail now disallows wildcards in certificates to match domain literals
+ (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
+ The test is overly picky and triggers if the pattern (after skipping the
+ initial wildcard "*") or domain consists solely of digits and dots, and thus
+ matches more than needed.
+* Fetchmail now disallows wildcarding top-level domains.
+
+# CRITICAL BUG FIXES AND REGRESSION FIXES
+* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
+ functions, as an effect of an undocumented Solaris MD5 fix.
+ This caused all MD5-related functions to malfunction if, for instance,
+ libmd5.so was installed on other operating systems as part of libwww on
+ machines where long isn't 32-bits, i. e. usually on 64-bit computers.
+ Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
+ Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
+* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
+ --sslfingerprint was specified. This is an omission from an SSL usability
+ change made in 6.3.17.
+ Fixes Debian Bug#580796 reported by Roland Stigge.
+* Fetchmail will now apply timeouts to the authentication stage.
+ This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
+ Reported missing by Thomas Jarosch.
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
+ errors, such as no or unsuitable credentials.
+ It now sends an asterisk on a line by its own, as required in SASL.
+ This fixes protocol synchronization issues that cause Authentication
+ failures, often observed with kerberized MS Exchange servers.
+ Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
+ fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.
+
+# BUG FIXES
+* Fetchmail will no longer print connection attempts and errors for one host
+ in "silent" and "normal" logging modes, unless all connections fail. This
+ should reduce irritation around refused-connection logging if services are
+ only on an IPv4 socket if the host also supports IPv6. Often observed as
+ connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
+ then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
+ all connect errors and only report them if all of them fail.
+* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
+ credentials. However, if GSSAPI authentication is requested explicitly,
+ fetchmail will always try it.
+* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
+ RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
+* The manual page clearly states that --principal is for Kerberos 4 only, not
+ for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
+
+# CHANGES
+* When encountering incorrect headers, fetchmail will refer to the bad-header
+ option in the manpage.
+ Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
+* Fetchmail now decodes and reports GSSAPI status codes upon errors.
+* Fetchmail now autoprobes NTLM also for POP3.
+* The Fetchmail FAQ has a new item #R15 on authentication failures.
+
+# INTERNAL CHANGES
+* The common NTLM authentication code was factored out from pop3.c and imap.c.
+
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+
+fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
+
+# SECURITY FIX
+* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
+ external input (mail headers and UID). When a multi-character locale (such as
+ UTF-8) was in use, this could cause memory exhaustion and thus a denial of
+ service, because fetchmail's report.c functions assumed that non-success of
+ [v]snprintf was due to insufficient buffer size allocation. It would then
+ repeatedly reallocate a larger buffer and fail formatting again.
+ See fetchmail-SA-2010-02.txt.
+
+# FEATURES
+* Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
+ file (a file that contains trusted CA certificates). Since these bundled CA
+ files do not require c_rehash to be run, they are easier to use and immune to
+ OpenSSL library updates that affect the hash function.
+* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
+ environment variable to force loading the default SSL CA certificate
+ locations even if --sslcertfile or --sslcertpath is used.
+ If neither option is in effect, fetchmail loads the default locations.
+
+# REGRESSION FIX
+* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
+ run control file in certain circumstances. Fixes BerliOS bug #14257.
+ Patch by Michael Banack. This fixes a regression introduced before 6.3.0.
+
+# BUG FIXES
+* Plug memory leak when using a "defaults" entry in the run control file.
+* Do not print SSL certificate mismatches unless verbose or --sslcertck is
+ enabled.
+* Do not lose "set invisible" in fetchmailconf. (Michael Barnack)
+
+# CHANGES
+* Usability: SSL certificate chains are fully printed in -v -v mode, and there
+ are now helpful pointers to --sslcertpath and c_rehash for "unable to get
+ local issuer certificate" and self-signed certificates -- these usually hint
+ to missing root signing CAs in the certs directory.
+* Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
+* Memory allocation failures will now cause abnormal program abort (SIGABRT),
+ no longer an exit with unspecified code.
+* Print a warning if certificate verification failed and the user did not
+ specify --sslcertck.
+
+# DOCUMENTATION
+* Fix table of global option to read "set softbounce" where there used to be a
+ 2nd copy of "set spambounce". Patch by Michael Banack, BerliOS Bug #17067.
+* In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X
+ to 1.0.0 upgrade in particular) may require running c_rehash.
+
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [id] Indonesian (Andhika Padmawan)
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+ [vi] Vietnamese (Clytie Siddall)
+
+
+fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):
+
+# BUG FIX
+* Fix --interface option, broken in 6.3.15. Reported by Vladmimir Stavrinov.
+ Fixes Debian Bug #576717.
+
+# CHANGE
+* Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory
+ and non-standard algorithms in certificates.
+ Sjoerd Simons, to fix Debian Bug #576430.
+ OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default.
+ Reported as OpenSSL RT#2224.
+
+
+fetchmail-6.3.15 (released 2010-03-28, 25572 LoC):
+
+# FEATURE
+* Fetchmail now supports a bad-header command line or rcfile option that takes
+ exactly one argument, accept or reject (default). This specifies how messages
+ with bad headers retrieved from the current server are to be treated.
+
+# BUG FIXES
+* In the rcfile, recognize "local" as abbreviation for "localdomains", as
+ documented. The short form has not ever worked since this feature was added in
+ January 1997. Reported by Frédéric Marchal.
+* Do not close stdout when using mda and "bsmtp -" at the same time.
+* Log operating system errors when BSMTP writes fail.
+* Fix verbose mode progress formatting regression from 6.3.10; SMTP trace lines
+ were no longer on a line of their own. Reported by Melchior Franz.
+* Check seteuid() return value and abort running MDA if switch fails.
+* Set global flags in a consistent manner. Make --nosoftbounce and
+ --nobounce work from command line (these used to work in rcfiles).
+ Reported and fix confirmed working by N.J. Mann. (Sunil Shetye)
+* Properly import h_errno declarations, even on systems where h_errno isn't a
+ macro. (Adds ./configure check, fixes Cygwin dllimport warnings.)
+
+# CHANGES
+* The repository has been converted and moved from the Subversion (SVN) format
+ kindly hosted by Graham Wilson over the past years to Git format hosted on
+ Gitorious.org. My deepest thanks to Graham Wilson for this service that
+ kept us going when BerliOS's Subversion service was faulty in its early days.
+* This opportunity was used to convert BRANCH_6-2 and BRANCH_1-9-9 to
+ GnuPG-signed tags, as a sign that these are now closed.
+* The outdated SVN trunk is now called "oldtrunk" in Git just to save the work
+ for future reference. All development in the past few years was on BRANCH_6-3.
+* master was branched from BRANCH_6-3. BRANCH_6-3 is now obsolete (and in fact
+ was also converted to a tag to record where the conversion from SVN to Git
+ took place).
+* "make check" now skips HTML validation if xmllint or XHTML DTD are missing.
+
+# DOCUMENTATION
+* Web site and documentation were adjusted to reflect the SVN->Git move.
+* The fetchmail manual page is now much clearer on the user id switching
+ (seteuid) when using --mda while running as the super user.
+
+# TRANSLATION UPDATES, by language name
+* [zh_CN] Chinese (Simplified), by Ji Zheng-Yu
+* [cs] Czech, by Petr Pisar
+* [nl] Dutch, by Erwin Poeze
+* [fr] French, by Frédéric Marchal
+* [de] German
+* [id] Indonesian, by Andhika Padmawan
+* [it] Italian, by Vincenzo Campanella
+* [ja] Japanese, by Takeshi Hamasaki
+* [pl] Polish, by Jakub Bogusz
+* [vi] Vietnamese, by Clytie Siddall
+
+
+fetchmail 6.3.14 (released 2010-02-05, 25487 LoC):
+
+# SECURITY FIXES
+* CVE-2010-0562: SSL/TLS certificate information is now also reported properly
+ on computers that consider the "char" type signed. Fixes malloc() buffer
+ overrun. Workaround for older versions: do not use verbose mode.
+ See fetchmail-SA-2010-01.txt for details, including a minimal patch.
+
+# BUG FIXES
+* The IMAP client no longer skips messages from several IMAP servers including
+ Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
+ ignored some untagged responses when it should not (b) relied on EXISTS
+ messages in response to EXPUNGE, which aren't mandated by RFC-3501 (the IMAP
+ standard) and aren't sent by Dovecot either.
+ Fix by Sunil Shetye (the fix also consolidates IMAP response handling,
+ improving overall robustness of the IMAP client), bug report and testing by
+ Matt Doran, with further hints from Timo Sirainen.
+* The SMTP client now recovers from errors (such as servers dropping the
+ connection after errors) when sending an RSET command.
+ Fix by Sunil Shetye. Report by James Moe.
+* The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH UNSEEN NOT
+ DELETED" again on IMAP2, to fix a regression in fetchmail 6.2.5 reported by
+ Will Stringer in June 2004. (Sunil Shetye)
+* The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4 and IMAP4r1
+ servers (Sunil Shetye).
+* Workaround: The IMAP client now falls back to "FETCH n:m FLAGS" if the server
+ does not support "SEARCH". (Sunil Shetye)
+* The IMAP client now requests message numbers in batches of 1,000 to avoid
+ problems if there are more than 1860 unseen messages. (Sunil Shetye)
+ Note that this wasn't security relevant because fetchmail would only read up
+ to the maximum buffer size and leave the remainder of the string unread, going
+ out of synch afterwards.
+* Stricter validation of IMAP responses containing byte or message counts.
+
+# CHANGES
+* Only include gssapi.h if we're not including gssapi/gssapi.h, to fix a FreeBSD
+ compiler warning about gssapi.h being obsolete.
+
+# DOCUMENTATION
+* The README.SSL document was revised for grammar, spelling, and clarity.
+ Courtesy of Robert Mullin.
+
+# TRANSLATION UPDATES
+* [it] Italian, by Vincenzo Campanella
+
+
+
+fetchmail 6.3.13 (released 2009-10-30, 25333 LoC):
+
+# REGRESSION FIXES
+* The multiline SMTP error fix in release 6.3.12 caused fetchmail to lose
+ message codes 400..599 and treat all of these as temporary error. This would
+ cause messages to be left on the server even if softbounce was turned off.
+ Reported by Thomas Jarosch.
+
+# TRANSLATION UPDATES
+* [cs] Czech, by Petr Pisar
+* [zh_CN] Chinese (simplified), by Ji ZhengYu
+* [nl] Dutch, by Erwin Poeze
+* [id] Indonesian, by Andhika Padmawan
+* [ja] Japanese, by Takeshi Hamasaki
+* [pl] Polish, by Jakub Bogusz
+* [es] Spanish (Castilian), by Franciso Molinero
+* [vi] Vietnamese, by Clytie Siddall
+
+
+fetchmail 6.3.12 (released 2009-10-05):
+
+# REGRESSION FIXES
+* The CVE-2009-2666 fix in fetchmail release 6.3.11 caused a free() of
+ unallocated memory on SSL connections, which caused crashes or program aborts
+ on some systems (depending on how initialization and free() of unallocated
+ memory is handled in compiler and libc).
+ Workaround for older versions: run in verbose mode.
+ Patch courtesy of Thomas Heinz, fixes Gentoo Bug #280760.
+ This regression affected only the 6.3.11 release, but not the patch that was
+ part of the security announcement fetchmail-SA-2009-01.
+
+# BUG FIXES
+* Fix error reporting for GSSAPI on Heimdal (h5l) Kerberos.
+* Look for MD5_Init in libcrypto rather than libssl, fixes Gentoo Kerberos
+ builds; fixes upstream parts of Gentoo Bugs #231400 and #185652, and fixes
+ BerliOS Bug #16134.
+* Report multiline SMTP errors properly, reported by Earl Chew; fixes Debian Bug
+ #529899, reported by Akihiro Terasaki.
+ Note: This fix introduced a regression, fixed in 6.3.13.
+* Replace control characters in SMTP replies by '?'.
+* Fetchmailconf: Fix descriptions for smtpaddress and smtpname options;
+ smtpaddress is for RCPT TO, not MAIL FROM. Found by Gerard Seibert.
+
+# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
+* [ca] Catalan (Ernest Adrogué Calveras)
+* [zh_CN] Chinese/Simplified (Ji ZhengYu)
+* [cs] Czech (Petr Pisar)
+* [ja] Japanese (Takeshi Hamasaki)
+* [pl] Polish (Jakub Bogusz)
+* [es] Spanish/Castilian (Francisco Molinero)
+* [vi] Vietnamese (Clytie Siddall)
+
+
+fetchmail 6.3.11 (released 2009-08-06):
+
+# SECURITY BUGFIXES
+* CVE-2009-2666: SSL NUL prefix impersonation attack through NULs in a
+ part of a X.509 certificate's CommonName and subjectAltName fields. These
+ fields use opaque strings with a separate length field, so that the NUL
+ character isn't a special character inside the certificate. Fetchmail, being
+ written in the C language, used to treat these strings as C strings
+ nonetheless, so that the domain comparison would end at the first embedded NUL
+ character, rather than at the real end of the string.
+ Fetchmail will now abort certificate verification as failed if NULs are
+ encountered inside either of these fields regardless of their position, and
+ drop the connection even if --sslcertck is not used, because NUL is not a
+ valid character in legitimate DNS names.
+ See fetchmail-SA-2009-01.txt for details, including a minimal patch.
+
+# BUGFIXES
+* Remove the spurious message "message delimiter found while scanning headers".
+ RFC-5322 syntax states that the delimiter is part of the body, and the body is
+ optional.
+* Convert all non-printable characters in certificate Subject/Issuer
+ Common Name or Subject Alternative Name fields to ANSI-C hex escapes (\xnn,
+ where nn are hex digits).
+ Note that this change introduces a regression, fixed in 6.3.12.
+ See the 6.3.12 documentation above for details and a workaround.
+
+# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
+* [zh_CN] Chinese/Simplified (Ji ZhengYu)
+* [es] Spanish/Castilian (Francisco Molinero)
+
+
+fetchmail 6.3.10 (released 2009-07-02):
# INCOMPATIBLE BUGFIXES AND CHANGES
* Fetchmail no longer drops permanently undelivered messages by default, to
* Make the comparison of the SSL fingerprints case insensitive, to
ease its use. Suggested by Daniel Richard G.
* Proper precedence ordering for the syslog and logfile options. If the logfile
- option is effective (i. e. we're not in daemon mode and nodetach isn't used),
+ option is effective (i. e. we're in daemon mode and nodetach isn't used),
reset the syslog option. If logfile is ineffective (we're not in daemon mode,
or nodetach is set), syslog takes precedence.
* The sleeping at/awakened at messages appear in logfiles and syslog only if
verbose mode is enabled. On the console, they will still appear without
verbose mode. Fixes Debian Bug#282259.
+* fetchmail only requests IPv6 addresses via name service if at least one is
+ configured on the local host, likewise for IPv4. (AI_ADDRCONFIG flag to
+ getaddrinfo()) Extended version of Redhat's patch.
+* If the server name contains "yahoo.com", offers the "ID" capability, and we're
+ polling via IMAP, send an ID ("guid" "1") transaction first, ignoring its
+ result. This appears needed to be able to log into Yahoo's Zimbra servers, but
+ there are open issues (such as being only able to download one message and
+ server certificate mismatches).
# CHANGES TO CONTRIB
* Fix bashism in contrib/fetchsetup. Fixes Debian Bug#530081.
* A document, README.SSL-SERVER, was added to describe server-side requirements
for proper SSL and/or TLS service offerings. These are not specific to
fetchmail.
+* Documentation on how to make "NOMAIL" (exit code 1) not treated an error has
+ been added to the EXIT CODES section of the manpage and to the FAQ as item C8.
+ The suggested solution uses a tiny POSIX shell script fragment.
+ Fixes Debian Bug #530749, filed by Reuben Thomas.
# TRANSLATION UPDATES AND ADDITIONS (ordered by language name):
-* [cs] Czech (Petr Pisar)
+* [cs] Czech (Petr Pisar)
* [en_GB] English/British
* [de] German
* [id] Indonesian (Andhika Padmawan)
* [zh_CN] Chinese/Simplified (Ji ZhengYu)
-fetchmail 6.3.9 (2008-11-16):
+fetchmail 6.3.9 (released 2008-11-16):
# SECURITY AND CRITICAL BUG FIXES:
* CVE-2007-4565: Denial of service: When fetchmail tries to inject a warning
res_search() and dn_skipname() are only used together and scheduled for
removal in future versions, so this is probably fine.
* No longer complain about invalid sslproto "" when POP3 CAPA probe fails.
- Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson).
+ Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson),
+ Red Hat Bug#503881.
Thanks to Matthias Strauß for a configuration to reproduce the issue.
* Allow .fetchmailrc and .fetchids to be symlinks, as the manpage does not
document they aren't allowed - fixes Debian Bug #452907 (Roger Leigh).
a MySQL/Tcl-based client-side "delete-after" feature.
Kindly donated by Yoo GmbH, Großvoigtsberg, Germany (Carsten Ralle).
-# KNOWN BUGS AND WORKAROUNDS:
- (this section floats upwards through the NEWS file so it stays with the
- current release information)
-* fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
- 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
- fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
- so compiling 32-bit SPARC code should not cause any difficulties.
-* fetchmail does not track pending deletes over crashes
-* the command line interface is a bit narrow-minded sometimes, for instance,
- fetchmail -s doesn't work with a running daemon
-* some of the logging output is not very helpful
-* some of the documentation is still not up to date
-
-
fetchmail 6.3.7 (released 2007-02-18):
projects / ~andy / fetchmail / blobdiff