Release Notes:
-(The `lines' figures total .c, .h, .l, and .y files under version control.)
+(The `lines' figures total .c, .h, .l, and .y files under version control.
+Names in parentheses are the maintainers who handled the respective change.
+Abbreviations: MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk)
fetchmail 6.3.0 (not yet released officially):
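Review bot: the legend added at the top says names in parentheses are the maintainers and defines MA, ESR and RF, but many of the entries added to the 6.3.0 list below do not follow it. They end in a bare "Matthias Andree." or "Matthias Andree" with no parentheses, and the SuSE patches entry still reads "merged by Matthias Andree". Suggest converting those to "(MA)" so the attribution is uniform, or relaxing the legend's wording to cover both forms.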
-* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP.
-* PopDel.py removed from contrib at author's request.
-* Matthias Andree's fix for Sunil Shetye's fetch-split patch
-* Include James Stone's moldremover.py script.
-* Enable .fetchmailrc permissions checking under Cygwin.
-* Nalin Dahyabai's fix for POP3 strong authentication.
-* Revised Nalin Dahyabai's fix for POP3 strong authentication (Matthias
- Andree, the original version would go into an infinite loop when CAPA
- failed; found by David Greaves.)
-* HOME_ETC patch for PLD Linux.
-* Sunil Shetye's fix for SSL configuration.
-* Simon Josefsson's patch for GSS library support.
-* Added Andrey Lelikov's recupe for Hotmail and Lycos Webmail.
+# SECURITY FIX
+* The POP3 UIDL code doesn't sufficiently validate/truncate the input
+ length, so a (malicious or compromised) server that sends UIDs longer
+ than 128 bytes can corrupt fetchmail's stack and crash fetchmail.
+ This vulnerability is remotely exploitable to inject code run in a
+ root shell. This is tracked under the CVE Name: CAN-2005-2335
+
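Review bot: the SECURITY FIX entry states the impact two ways without reconciling them ("corrupt fetchmail's stack and crash fetchmail" versus "inject code run in a root shell"), and the root claim is unconditional. Injected code would run with whatever privileges fetchmail itself has, so suggest wording it that way. The entry also gives no affected version range and does not say what the fixed code does with UIDs longer than 128 bytes (truncate or reject), which is what a packager deciding on a backport needs to know. The CVE line is also missing its closing period.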
+# MAJOR INCOMPATIBLE CHANGES
+* Remove support for --netsec/-T options, the required inet6_apps library is no
+ longer available.
+ http://www.inner.net/pub/ipv6/ states, as of 2005-07-03: "/pub/ipv6
+ Our IPv6 software is now long defunct. Please find a more modern source."
+ I haven't been able to find a more modern source. Matthias Andree
+
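Review bot: this entry says support for --netsec/-T is removed, but the INSTALL entry added later in the same list says "Note the code may be removed in a future version", which appears to refer to the same IPsec code, so the two disagree on whether the removal has already happened. Suggest making them agree, and stating here what fetchmail now does when an existing configuration or command line still uses the option. The first-person sentence followed by a bare name also departs from the (MA) convention introduced at the top of the file.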
+# OTHER USER-VISIBLE CHANGES
+* Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP. (ESR)
+* PopDel.py removed from contrib at author's request. (ESR)
+* Matthias Andree's fix for Sunil Shetye's fetch-split patch. (ESR)
+* Include James Stone's moldremover.py script. (ESR)
+* Enable .fetchmailrc permissions checking under Cygwin. (ESR)
+* Nalin Dahyabai's fix for POP3 strong authentication. (ESR)
+* Revised Nalin Dahyabai's fix for POP3 strong authentication (the
+ original version would go into an infinite loop when CAPA failed;
+ found by David Greaves.) (MA)
+* HOME_ETC patch for PLD Linux. (ESR)
+* Sunil Shetye's fix for SSL configuration. (ESR)
+* Simon Josefsson's patch for GSS library support. (ESR)
+* Added Andrey Lelikov's recipe for Hotmail and Lycos Webmail. (ESR)
* Remove blank between MAIL FROM: and <, which causes Cyrus to complain.
- Patch by Phil Endecott. (Rob Funk)
-* Switched to automake. (Matthias Andree)
-* Build fixes for HESIOD and resolv.h trouble on FreeBSD. (Matthias Andree)
+ Patch by Phil Endecott. (RF)
+* Build fixes for HESIOD and resolv.h trouble on FreeBSD. (MA)
* Fabrice Bellet's fix for Red Hat bug #113492, fetchmail hangs in IMAP
mode after EXPUNGE when the server (Dovecot 0.99.10) doesn't update
- RECENT and EXISTS counts. (Matthias Andree)
+ RECENT and EXISTS counts. (MA)
* Holger Mauermann's bounce patch, to use a NULL envelope from, not
write a Return-Path header (both to meet RFC-2821), changed From,
- added Subject header, rewording the human readable part. (Matthias Andree)
-* Merge Sunil Shetye's time.h handling fix. (Matthias Andree)
+ added Subject header, rewording the human readable part. Fixes Debian
+ bug #316446. (MA)
+* Merge Sunil Shetye's time.h handling fix. (MA)
* Merge Gerd von Egidy's patch to avoid a segfault in multidrop/received
- mode when the Received: headers are malformatted. (Matthias Andree)
-* MIME-encode bodies and Subject headers of warning messages (Matthias
- Andree), limiting the header to 7 bits.
+ mode when the Received: headers are malformatted. (MA)
+* MIME-encode bodies and Subject headers of warning messages, limiting
+ the header to 7 bits. (MA)
* Normalize most locale codesets to IANA codesets, based on
- norm_charmap.c by Markus Kuhn. (Matthias Andree)
-* Remove sleep(3) after POP3 login, patch by Brian Candler. (Matthias
- Andree)
+ norm_charmap.c by Markus Kuhn. (MA)
+* Remove sleep(3) after POP3 login, patch by Brian Candler. (MA)
* Fix option parsing bug that trashes the showdots setting when more
- than one server is configured. Patch by Brian Candler. (Matthias
- Andree)
+ than one server is configured. Patch by Brian Candler. (MA)
* Honor sslcertpath setting even if sslcertck is unset. Patch by Brian
- Candler. (Matthias Andree)
+ Candler. (MA)
* SSL certificate checking fixes, don't display same error message twice
in succession, make sure that Common Name and fingerprint checking are
only done once. Print all validation warnings/errors even if not in
- verbose mode. Patch by Brian Candler. (Matthias Andree)
+ verbose mode. Patch by Brian Candler. (MA)
* Import Bjorn Reese and Daniel Stenberg's MIT-licensed Trio 1.10 from
http://daniel.haxx.se/projects/trio/ for systems that do not support
- snprintf or vsnprintf. (Matthias Andree)
+ snprintf or vsnprintf. (MA)
* Clean up the horrible #ifdef HAVE_[V]SNPRINTF that made the code
- unreadable. Use Trio where [v]snprintf is/are missing. (Matthias Andree)
+ unreadable. Use Trio where [v]snprintf is/are missing. (MA)
* Default to Linux 2.2 /proc/net/dev format, and use uname(2) to determine the
- kernel version instead of calling uname(1). Thanks to Paul Slootman.
- (Matthias Andree)
+ kernel version instead of calling uname(1). Thanks to Paul Slootman. (MA)
* Be more careful when swapping UID lists or writing the .fetchids file,
- requested by Manfred Weihs. (Matthias Andree)
+ requested by Manfred Weihs. (MA)
* Print a warning if multidrop configuration is attempted without
- envelope option. (Matthias Andree)
+ envelope option. (MA)
* Split information on fetchmail versions before 6.0.0 to a separate
- OLDNEWS file. (Matthias Andree)
+ OLDNEWS file. (MA)
* Merge SuSE patches: (sent by Stanislav Brabec, merged by Matthias Andree)
- fetchmail-6.2.5-declaration.patch (double sigint_handler decl/getpass.c)
- fetchmail-6.2.5-implicit-declaration.patch (missing #include)
* Revised some bogus assertions about POP3 LAST and UIDL use in the
manual page. UIDL isn't flaky as the man page suggested, but a
reliability feature. In fact, IMAP4 code is flaky in that it relies on
- the upstream seen flags. (Matthias Andree)
+ the upstream seen flags. (MA)
* Miloslav Trmac's patch for fetchmailconf to support string-type values
of the "port" variable, avoiding "port None" corruption in .fetchmailrc.
- To fix Redhat Bug #55623 (Matthias Andree)
-* de.po fixes from Nico Golde (Matthias Andree)
-* es.po fixes from Jesus Roncero, Debian bug #286044 (Matthias Andree)
+ To fix Redhat Bug #55623 (MA)
+* de.po fixes from Nico Golde (MA)
+* es.po fixes from Jesus Roncero, Debian bug #286044 (MA)
* sink.c fix from Cesar Eduardo Barros, to avoid double @ in address
when username contains an @ and the envelope sender is null, Debian
- bug #272289 (Matthias Andree)
-* configure.ac cleanups by Miloslav Trmac (Matthias Andree)
+ bug #272289 (MA)
+* configure.ac cleanups by Miloslav Trmac (MA)
* Miloslav Trmac's fix to reply_hack() type, for systems where
- sizeof(int) != sizeof(size_t). (Matthias Andree)
+ sizeof(int) != sizeof(size_t). (MA)
* Nalin Dahyabhai's fix for driver.c to not call the private Kerberos
- krb5_init_ets() function. Sent by Miloslav Trmac. (Matthias Andree)
+ krb5_init_ets() function. Sent by Miloslav Trmac. (MA)
* Nalin Dahyabhai's fix for sink.c/transact.c to reserve sufficient
space for \r\n trailers in snprintf calls. Sent by Miloslav Trmac,
- possibly fixing Red Hat bug #114470. (Matthias Andree).
+ possibly fixing Red Hat bug #114470. (MA).
* Nalin Dahyabhai's patch to use the krb5-config script, if present.
- Sent by Miloslav Trmac. (Matthias Andree)
+ Sent by Miloslav Trmac. (MA)
+* Nalin Dahyabhai's fix to make rpa.c compile. Sent by Miloslav Trmac.
+ (MA)
+* Trivial fetchmailconf.man to redirect to fetchmail.1.
+ Reported by Miloslav Trmac. (MA)
+* Updated and re-enabled Czech translation, by Miloslav Trmac (MA).
+* Internationalization (i18n) updates by Miloslav Trmac. (MA)
+* Fix "couldn't find canonical DNS name of NN (MM)" for hosts that have
+ only IPv6 addresses. Matthias Andree.
+* Revised INSTALL after question from Brian Candler, inet6-apps is no
+ longer available: remove inet6-apps hints for IPv6, and add some
+ apologetic message for IPsec. Note the code may be removed in a future
+ version. Matthias Andree.
+* Brian Candler's FAQ update about SSL certificate verification. (MA)
+* Nico Golde's patch to support "proto RPOP" in the configuration file,
+ reported by Dr. Andreas Krüger, Debian bug #242384 (MA)
+* Added Russian translation, courtesy of Pavel Maryanov of the
+ Russian translation team. (MA)
+* Dropped da=Danish, el=Greek, ja=Japanese, sq=Albanian and tr=Turkish
+ translations which have more than 10% (61+) untranslated or fuzzy
+ messages. Matthias Andree.
+* Skip sending POP3 PASS command when USER command failed. Matthias Andree.
+* Run fetchmail.man through automatic spell checker. Matthias Andree.
+* Major fetchmail(1) manual page overhaul by R. Hannes Beinert, to
+ clarify singledrop vs. multidrop operation. (MA)
+* Make tracepolls a server option, as documented. Fixes Debian bug
+ #156094. Matthias Andree.
+* Updated some translations. (MA)
+* Fix some minor inaccuracies (RFC-1893 related, grammar/spelling) in
+ the manual page.
+* Rename ESR's design notes to esrs-design-notes.html and add a new
+ design-notes.html document. The NOTES file will contain both of them.
+ Matthias Andree.
+* Fix Debian bug #301964, fetchmail leaks sockets when SSL negotiation
+ fails. Fix suggested Goswin Brederlow. (MA)
+* Really fix Debian Bug#207919 (garbage in Received: lines when smtphost set),
+ patch by Tobias Diedrich. The 6.2.5 NEWS claimed Gregan's patch had fixed
+ #207919 but it had fixed #212484 instead and #207919 remained unfixed in
+ 6.2.5. The entry below has been corrected to read #212484 now. (MA)
+* When writing the PID file, write a FHS 2.3 compliant PID file.
+ Fixes Debian bug #230615. Matthias Andree.
+* Make ODMR really silent, suppress "fetchmail: receiving message
+ data". Fixes Debian Bug#296163. Matthias Andree.
+* Add From: header to warning emails. Debian Bug#244828. Matthias Andree.
+* Fix IMAP code to use password of arbitrary length from configuration
+ file (although not when read interactively). Debian Bug#276424.
+ Matthias Andree
+* Document that fetchmail may automatically enable UIDL option.
+ Debian Bug#304701. Matthias Andree.
+* Delete oversized messages with --flush when daemon mode isn't used.
+ Debian Bug#212240. Matthias Andree.
+* Put *BOLD* text into the manual page near --mda to state unmistakably that
+ the --mda %T and %F substitutions add single quotes, hoping to avoid bogus
+ bug reports such as Debian Bug #224564. Matthias Andree
+* Rename lock_release to fm_lock_release, to avoid namespace collision on
+ Darwin. NetBSD PR#28543 (pkg/28543). Matthias Andree.
+* The RFC-822 parser no longer strips the last character of bare addresses.
+ Matthias Andree
+* The IP address matching code was broken and
+ 1. didn't search exhaustively, but matched only the first IP address of the
+ server's queryname against the IP addresses of the server name to match.
+ 2. didn't match IP aliases versus MX hosts. Matthias Andree
+* gettext (intl/) has been removed from the fetchmail package. Install GNU
+ gettext 0.14 separately for NLS (i18n). Matthias Andree
+* fetchmailconf is now a shell wrapper that calls the byte-compiled
+ fetchmailconf.py script, which is now installed in the regular python
+ directory. Matthias Andree.
+* The "port" option, while still understood, is being replaced by the "service"
+ option, which is now supported even without --enable-inet6. Matthias Andree.
+* The default distribution format is now bzip2. Matthias Andree.
+* fetchmailconf redirects fetchmail's input from /dev/null so it doesn't
+ wait for the user to enter a password when the user doesn't even see
+ the prompt. Reported by Michal Marek. Matthias Andree.
+* Write RFC-compliant BSMTP envelopes. Reported by Nico Golde. Matthias Andree.
+* Fix --with-gssapi compilation problem. Simon Josefsson. (MA)
+
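Review bot: the IMAP password entry promises "password of arbitrary length from configuration file (although not when read interactively)" but leaves the interactive limit unstated, so a user cannot tell whether a long password typed at the prompt is accepted, rejected or cut short. Suggest naming the limit and the behaviour when it is exceeded. In the same section, the "Fix some minor inaccuracies (RFC-1893 related, grammar/spelling)" entry carries no maintainer at all.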
+# INTERNAL CHANGES
+* Switched to automake. Matthias Andree.
+* Got rid of alloca() in fetchmail proper. Matthias Andree
+* Got rid of ipv6-connect, inner_connect and thereabouts. Matthias Andree
fetchmail-6.2.5 (Wed Oct 15 18:39:22 EDT 2003), 23079 lines:
* Updated Spanish, Turkish, and German translation files.
* Matthew Gregan's patch to handle garbage lengths from dbmail;
- closes Debian bug #207919.
+ closes Debian bug #212484.
* Fix IMAP query so new-message count doesn't include deleted messages.
* Man page typo fix, closes Debian bug #205892.
* OpenSSL cleanup patches from levinedl@acm.org.
* Updated de and po translations.
There are 520 people on fetchmail-friends and 683 on fetchmail-announce.
+
+ vim:tw=79 com=bf\:* ts=8 sts=8 sw=8 ai: