Abbreviations in parentheses are the maintainers who committed the respective
change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
-# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS
+# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
+(There are no plans to remove these features from a 6.3.X release, but they may
+be removed from a 6.4.0 or newer release.)
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
- are obsolete, deprecated and may be removed from a future fetchmail version.
- They have never supported IPv6 (including IPv6-mapped IPv4) anyhow.
+ are based on assumptions that are rarely met in practice, somewhat defective,
+ deprecated and may be removed from a future fetchmail version. They have
+ never supported IPv6 (including IPv6-mapped IPv4).
Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
- version as they are not sufficiently portable.
-* POP2 is obsolete.
- Support for POP2 may be removed from a future fetchmail version.
-* RPOP is obsolete, support may be removed from a future fetchmail release.
-* --sslcertck may become a default setting in a future fetchmail version.
+ version as they are not reasonably portable.
+* POP2 is obsolete, support will be removed from a future fetchmail version.
+* RPOP is obsolete, support will be removed from a future fetchmail release.
+* --sslcertck will become a default setting in a future fetchmail version.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
the Received header was never meant to be machine-readable, the format varies
widely, and various other differences in behavior make parsing Received an
- unreliable undertaking. The enveloper option as such will remain though, in
+ unreliable undertaking. The envelope option as such will remain though, in
order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
See also <http://home.pages.de/~mandree/mail/multidrop>.
-* The --enable-fallback (fall back to MDA if MTA unavailable) may be removed
- from a future fetchmail release.
+* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed
+ from a future fetchmail release, because it makes fetchmail's behavior
+ inconsistent and confusing.
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
-* SIGHUP wakeup may be removed from a future fetchmail release and cause it
- to terminate.
+* SIGHUP wakeup support may be removed from a future fetchmail release and
+ cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
removed or operation on such systems may be suboptimal for future releases.
--------------------------------------------------------------------------------
-fetchmail 6.3.6 (not yet released):
+fetchmail 6.3.9 (not yet released):
-# SECURITY FIXES (CHANGE BEHAVIOUR):
+# FIXES:
+* The configure script will additionally check for 'dn_skipname', to fix build
+ failures with µClibc. The new check still recognizes the resolver libraries on
+ Ubuntu 7.04, openSUSE 10.2, Solaris 8, NetBSD 4.0_BETA2 and FreeBSD 6.2.
+ Fixes Gentoo bug #134187.
+ NOTE: this is a bit of a hack, since we twist the HAVE_RES_SEARCH result, but
+ res_search() and dn_skipname() are only used together and scheduled for
+ removal in future versions, so this is probably fine.
+* No longer complain about invalid sslproto "" when POP3 CAPA probe fails.
+ Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson).
+ Thanks to Matthias Strauß for a configuration to reproduce the issue.
+
+# TRANSLATION UPDATES:
+* Polish (Jakub Bogusz)
+* Japanese (Takeshi Hamasaki)
+* Spanish (Javier Fernández-Sanguino Peña, Matthias Andree)
+* Vietnamese (Clytie Siddall)
+
+fetchmail 6.3.8 (released 2007-04-06):
+
+# SECURITY STRENGTHENING:
+* Make the APOP challenge parser more distrustful and have it reject challenges
+ that do not conform to RFC-822 msg-id format, in the hope to make mounting
+ man-in-the-middle attacks (MITM) against APOP a bit more difficult.
+ (CVE-2007-1558, reported by Gaëtan Leurent, published 2007-04-02 on Bugtraq)
+
+ APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
+ setups: based on MD5 collisions, it is purportedly possible to recover the
+ first three characters of the shared secret (password), which would then make
+ recovery of the shared secret a matter of hours or minutes; this would then
+ enable the attacker to impersonate the client vis-à-vis the server.
+
+ For further details, check
+ * Gaëtan Leurent, "Message Freedom in MD4 and MD5 Collisions: Application
+ to APOP", Fast Software Encryption 2007, Luxembourg. (Proceedings to appear in
+ Springer's Lecture Notes on Computer Science.)
+ * The mailing list discussion thread at
+ <http://lists.berlios.de/pipermail/fetchmail-devel/2007-March/000887.html>
+
+# BUG FIXES:
+* Fix pluralization of oversized-message warning mails.
+* Fix manual page: --sslcheck -> --sslcertck, and do not set trailing
+ "recommended:" in bold. Fixes Debian Bug #413059, reported by Rafal Czlonka.
+* Repoll immediately if a protocol error happens during the authentication
+ attempt after a failed opportunistic TLS upgrade.
+ Fixes comment #9 in Gentoo Bug #163782, reported by Takuto Matsuu.
+* Fix rendering of the "24 - 26, 28, 29" paragraph in the exit codes section.
+ Reported by Nico Golde.
+* If SOCKS support was compiled in, add 'socks' to the feature_options Python
+ list emitted in --configdump. Reported by Rob MacGregor.
+* Do not crash with a null pointer dereference when opening the BSMTP file
+ fails. Improve error checking and reporting. Reported by Reto Schüttel,
+ Debian Bug#416625. Fix based on a patch by Nico Golde.
+* Make BSMTP output actually work, it would persistently fail with SOCKET error
+ after writing the first header. Bug independently found and reported in
+ excellent detail by Reto Schüttel, Debian Bug#416812.
+
+# DOCUMENTATION:
+* Add fetchmail-SA-2007-01.txt
+* Extend --mda documentation, discourage use of qmail-inject.
+ Based on a patch by Rob MacGregor.
+* Document SOCKS configuration facility (SOCKS_CONF environment variable).
+ Thanks to Jochen Hayek, Michael Shuldman and Rob MacGregor.
+* Use envelope option in multidrop example. Patch by Rob MacGregor.
+* Document expected Received: line format when parsing for envelope addressees.
+* Stripped option documentation from sample.rcfile, since this is bound to go
+ out of synch with the manual page, which is the only reference on options.
+* Mention that --limit default is 0 bytes, which is special for "no limit".
+* Corrected Robert M. Funk's name that I misspelled. My sincere apologies
+ -- Matthias Andree.
+
+# CONTRIB:
+* Add delete-later and delete-later.README, a script and documentation for
+ a MySQL/Tcl-based client-side "delete-after" feature.
+ Kindly donated by Yoo GmbH, Großvoigtsberg, Germany (Carsten Ralle).
+
+# KNOWN BUGS AND WORKAROUNDS:
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information)
+* fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail does not track pending deletes over crashes
+* the command line interface is a bit narrow-minded sometimes, for instance,
+ fetchmail -s doesn't work with a running daemon
+* some of the logging output is not very helpful
+* some of the documentation is still not up to date
+
+
+
+fetchmail 6.3.7 (released 2007-02-18):
+
+# FIXES FOR REGRESSIONS IN 6.3.6
+* Fix KPOP. Patch by Miloslav Trmac.
+* Fix repoll when server disconnects after opportunistic TLS failed for POP3.
+ Berlios Bug #10133 = Gentoo Bug #163782 reported by Andrej Kacian.
+
+# TRANSLATION UPDATES
+* Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz)
+
+# CHANGES
+* Consider getaddrinfo() on Darwin 9 (Mac OS X 10.5 "Leopard") thread-safe.
+ Reported by Uli Zappe.
+
+
+fetchmail 6.3.6 (released 2007-01-04):
+
+# SECURITY FIXES:
* CVE-2006-5867, fetchmail-SA-2006-02.txt:
- Password disclosure vulnerability. This has several aspects:
+ Password disclosure vulnerability fixed. This has several aspects:
- Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
- options are used, to be sure there is a certificate to check against.
+ options are used and the ssl option is not used, in order to be sure that
+ fetchmail gets a certificate from the mail server.
- Fetchmail breaks the connection if the TLS negotiation (or verification, if
- requested) fails with sslproto 'tls1' (also applies if this is implicit).
+ requested) fails with sslproto 'tls1', sslfingerprint or sslcheck enabled.
- - POP3 connections ignored STLS altogether in many circumstances, because
- fetchmail did not probe server capabilities for all values of "auth" - see
- fetchmail-SA-2006-02.txt for details.
+ - POP3 connections now use STLS reliably. They used to ignore STLS altogether
+ for serveral values of the "auth" option, when fetchmail forget to probe
+ server capabilities - see fetchmail-SA-2006-02.txt for details.
- - POP3 connections could retry USER/PASS authentication even if strong
- challenge-response schemes such as CRAM-MD5 had explicitly been requested,
- if these were not advertised in the CAPA response.
+ - POP3 connections will no longer fall back USER/PASS authentication if
+ strong challenge-response authenticators such as CRAM-MD5 are configured
+ but the server does not advertise these in its CAPA response.
- POP2 is obsolete and does not support STLS or anything beyond password-based
- authentication. The attempt to use STLS or stronger authenticators causes
+ authentication. The attempt to use STLS or strong authenticators now causes
connection abort.
- Configurations using --ssl --sslcertck however have been semi-safe in that
- they would not expose the password over the wire.
+ Configurations using both ssl and sslcertck however have been semi-safe in
+ that they would send the password in the clear. The USER/PASS fallback
+ problem however applies to these too, so that the password was only safe on
+ trustworthy servers.
-# SECURITY FIX:
* CVE-2006-5974, fetchmail-SA-2006-03.txt:
- Repair regression in 6.3.5 that crashes fetchmail when a message with invalid
- headers is found while fetchmail's mda option is in use. BerliOS bugs #9364,
- #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+ Repairs a regression in 6.3.5 that crashes fetchmail when a message with
+ invalid headers is found while fetchmail's mda option is in use. BerliOS bugs
+ #9364, #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
-# BUG FIXES:
+# REGRESSION FIXES (recently introduced bugs)
* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
reported by Brian Harring.
-* POP3: Probe capabilities when Kerberos V5 is attempted.
-* RPOP: The password is now shrouded in the local logs.
-* Robustness: If a stale lockfile cannot be deleted, truncate it to avoid
- trouble later if the PID is recycled by a non-fetchmail process.
-* On systems that have res_search(), assume we also have res_init() and call it
- (suggested by Ulrich Drepper, glibc bug #3675) in order to make libc or
- libresolv reread the resolver configuration at the beginning of a poll cycle.
- This is important when fetchmail is in daemon mode and /etc/resolv.conf is
- changed later by dhcpcd, dhclient, pppd, openvpn or other ip-up/ipchange
- scripts. Should fix Debian Bug#389270, Bug#391698.
-* Fix crash on systems that do not provide strdup() in out-of-memory conditions.
- Patch by Andreas Krennmair.
+* Repair --user, broken in 6.3.5 (as a side effect of the authenticate external
+ patch): using SSL certificate/key authentication overrode the --user option.
+ Now the latter takes precedence, and only defaults to the certificate's common
+ name. Debian Bug #400950, reported by Jorgen Schaefer <forcer@debian.org>.
+
+# BUG FIXES (long-standing bugs):
+* RPOP: used to log the password locally rather than an asterisk as the other
+ protocols do. The password is now shrouded in the local logs.
+* POP3: Probes capabilities now when Kerberos V5 is enabled, so that we can
+ actually detect if the server supports it.
+* Robustness: If a stale lockfile cannot be deleted, truncate it so that
+ fetchmail doesn't later believe itself to be running if the PID is recycled
+ by a non-fetchmail process.
+* DNS: Detect /etc/resolv.conf changes: On systems that have res_search(),
+ assume we also have res_init() and call it (suggested by Ulrich Drepper,
+ glibc bug #3675) in order to make libc or libresolv reread the resolver
+ configuration at the beginning of a poll cycle. This is important when
+ fetchmail is in daemon mode and /etc/resolv.conf is changed later by dhcpcd,
+ dhclient, pppd, openvpn or other ip-up/ipchange scripts. Should fix Debian
+ Bug#389270, Bug#391698.
+* Robustness: Fix crash on systems that do not provide strdup(), the crash
+ happens only in out-of-memory conditions when fetchmail cannot proceed
+ anyways. Patch by Andreas Krennmair.
+* Robustness: When HOME and FETCHMAILHOME are unset, be sure to copy user
+ database information, so it is not trashed later. Patch by Jim Correia.
# CHANGES:
-* Remove excess no-op strcpy() after strdup() found by Andreas Krennmair.
-* Improve handling of IMAP IDLE, some servers do not reset their time counters
- after sending information asynchronously. Patch by Sunil Shetye, after report
- from Andrew Baumann.
+* Workaround: Improve handling of IMAP IDLE, some servers do not reset their
+ time counters after sending information asynchronously. Patch by Sunil
+ Shetye, after report from Andrew Baumann.
+* Usability: When requesting Kerberos or GSSAPI, complain and exit with syntax
+ error if any of these requested features has not been compiled in. This is
+ to fail early and with precise error message. Reported by Isaac Wilcox.
+* --version will now add +KRB4 or +KRB5 if Kerberos v4 or v5, respectively, have
+ been compiled in. Reported missing by Isaac Wilcox.
# TRANSLATIONS:
* New en_GB (British English) translation by David Lodge.
* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
Maryanov) and Vietnamese (Clytie Siddall) translations.
+! Note that not all these translations are complete -- this isn't the
+ translators' fault though, but due to delays at the BerliOS hosting site and
+ the translation project handlers. You may see a few untranslated messages.
# DOCUMENTATION:
* Dropped exit status 15 from manual page, it's not used by fetchmail.
Reported by Isaac Wilcox.
-
-# KNOWN BUGS AND WORKAROUNDS:
- (this section floats upwards through the NEWS to be on top of the list)
-* fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* Sun Workshop 6 (SPARC) is known to miscompile the lexer in 64-bit mode.
- Either compile 32-bit code or use GCC to compile 64-bit fetchmail.
- Note that fetchmail doesn't take advantage of 64-bit code anyways,
- so compiling 32-bit SPARC code should be fine.
-* fetchmail expects Received: headers in a particular format when parsing
- envelopes.
-* fetchmail does not track pending deletes over crashes
-* the command line interface is a bit narrow-minded sometimes, for instance,
- fetchmail -s doesn't work with a running daemon
-* some of the logging output is not very helpful
-* some of the documentation is still not up to date
+* Documented exit codes 24 - 29 as internal.
fetchmail 6.3.5 (released 2006-10-09):
projects / ~andy / fetchmail / blobdiff