* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
+* The --principal option may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
--------------------------------------------------------------------------------
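Review bot: the new deprecation line for --principal should state that the option is Kerberos IV-only, because the line above already announces Kerberos IV removal and the 6.3.18 BUG FIXES entry further down says the manual now documents --principal as Kerberos 4 only; as written, a reader cannot tell whether Kerberos 5/GSSAPI users are affected. Suggest: "* The --principal option (Kerberos IV only) may be removed from a future fetchmail release."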
-fetchmail-6.3.17 (not yet released):
+fetchmail-6.3.18 (not yet released):
+
+# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+* Fetchmail now only accepts wildcard certificate common names and subject
+ alternative names if they start with "*.". Previous versions would accept
+ wildcards even if no period followed immediately.
+* Fetchmail now disallows wildcards in certificates to match domain literals
+ (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
+ The test is overly picky and triggers if the pattern (after skipping the
+ initial wildcard "*") or domain consists solely of digits and dots, and thus
+ matches more than needed.
+* Fetchmail now disallows wildcarding top-level domains.
+
+# BUG FIXES
+* Fetchmail would warn about insecure SSL/TLS connections even if a matching
+ --sslfingerprint was specified. This is an omission from an SSL usability
+ change made in 6.3.17. Fixes Debian Bug#580796 reported by Roland Stigge.
+* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
+ functions, as an effect of an undocumented Solaris MD5 fix.
+ This fails if, for instance, libmd5.so was installed on other operating
+ systems as part of libwww on machines where long isn't 32-bits. Fixes Gentoo
+ Bug #319283, reported - including the hint to libwww - by Karl Hakimian.
+ Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
+* Fetchmail will no longer print connection attempts and errors for one host
+ in "silent" and "normal" logging modes, unless all connections fail. This
+ should reduce irritation around refused-connection logging if services are
+ only on an IPv4 socket if the host also supports IPv6. Often observed as
+ connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
+ then - silently - succeeds. Fetchmail, unless in verbose mode, will collect
+ all connect errors and only report them if all of them fail.
+* Fetchmail will now apply timeouts to the authentication stage. This stage
+ encompasses STARTTLS/STLS negotiation in IMAP/POP3.
+ Reported missing by Thomas Jarosch.
+* Fetchmail will not try GSSAPI authentication automatically unless it has GSS
+ credentials. This avoids getting servers such as Exchange 2007 wedged if
+ GSSAPI authentication fails. Reported by Patrick Rynhart, Debian Bug #568455,
+ and Alan Murrell, to the fetchmail-users list.
+ Note that if GSSAPI fails for other reasons, you can use the --auth option to
+ work around that.
+* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
+ RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
+ errors. It now sends an asterisk on a line by its own, as required in SASL.
+ This should fix protocol synchronization issues that cause Authentication
+ failure, particularly with Exchange 2007 and Exchange 2010 servers, when
+ Kerberos authentication was offered by the server and attempted by fetchmail.
+* The manual page clearly states that --principal is for Kerberos 4 only, not
+ for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
+
+# CHANGES
+* When encountering incorrect headers, fetchmail will refer to the bad-header
+ option in the manpage. BerliOS Bug #17272, change suggested by Björn Voigt.
+* Fetchmail now decodes and reports GSSAPI status codes upon errors.
+
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+# KNOWN BUGS AND WORKAROUNDS:
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information - however, it was stuck with 6.3.8 for a while)
+* fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail does not track pending deletes over crashes
+* the command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running
+* Linux may return duplicates of an IP address in some circumstances if no or
+ no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585,
+ Novell Bug#606980.)
+
+
+fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
# SECURITY FIX
* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
OpenSSL library updates that affect the hash function.
* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
environment variable to force loading the default SSL CA certificate
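Review bot: in the 6.3.18 "SECURITY IMPROVEMENTS" block above, the three wildcard entries do not say enough for an administrator to predict which certificates will now be rejected. The first entry says a wildcard name is accepted only if it starts with "*.", but not what happens to a second wildcard later in the name (e.g. "*.ex*mple.com") or to a name that starts with "*." followed by a single label; the third entry ("disallows wildcarding top-level domains") should give the rule it applies (for instance, that "*.com" is rejected because only one label follows the wildcard). The domain-literal entry is the only one that documents its false positives; the other two should do the same, and all three should carry a bug or tracker reference like the other entries in the file, if one exists. Suggest rewording the last entry to "* Fetchmail now disallows wildcards that would match a top-level domain, such as "*.com".". Separately, the connection-logging entry says errors are collected and reported only when all connections fail: it should name the logging mode that still shows every attempt (verbose) in its first sentence rather than at the end, so operators debugging an IPv6-only listener know where to look.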
- locations.
+ locations even if --sslcertfile or --sslcertpath is used.
+ If neither option is in effect, fetchmail loads the default locations.
# REGRESSION FIX
* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
to missing root signing CAs in the certs directory.
* Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
* Memory allocation failures will now cause abnormal program abort (SIGABRT),
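Review bot: the rewritten FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS text in the hunk above should spell out the security consequence of the new wording. When --sslcertfile or --sslcertpath is used to pin a private CA, setting the variable makes fetchmail also trust every CA in the default locations, so a certificate for the same hostname issued by any system CA will then verify. Suggest adding after "locations even if --sslcertfile or --sslcertpath is used.": "Note that this widens the set of trusted CAs beyond those given with --sslcertfile/--sslcertpath."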
- not exit with unspecified code.
+ no longer an exit with unspecified code.
+* Print a warning if certificate verification failed and the user did not
+ specify --sslcertck.
# DOCUMENTATION
* Fix table of global option to read "set softbounce" where there used to be a
to 1.0.0 upgrade in particular) may require running c_rehash.
# TRANSLATION UPDATES
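Review bot: the replacement line "no longer an exit with unspecified code" in the hunk above is ungrammatical; suggest "rather than exiting with an unspecified code". The new entry "Print a warning if certificate verification failed and the user did not specify --sslcertck." uses the imperative where the rest of the file writes "Fetchmail now ..."; since the 6.3.18 BUG FIXES entry at the top refers to this as the SSL usability change made in 6.3.17, it should also say that the warning is printed only when the connection proceeds despite failed verification, e.g. "* Fetchmail now prints a warning if certificate verification failed and the user did not specify --sslcertck."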
- [zh_CN] Chinese/simplified (Ji ZhengYu)
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[sk] Slovak (Marcel Telka)
[vi] Vietnamese (Clytie Siddall)
-# KNOWN BUGS AND WORKAROUNDS:
- (this section floats upwards through the NEWS file so it stays with the
- current release information - however, it was stuck with 6.3.8 for a while)
-* fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
- 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
- fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
- so compiling 32-bit SPARC code should not cause any difficulties.
-* fetchmail does not track pending deletes over crashes
-* the command line interface is sometimes a bit stubborn, for instance,
- fetchmail -s doesn't work with a daemon running
-
fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):
# CHANGE
* Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory
- algorithms in certificates. Sjoerd Simons, to fix Debian Bug #576430.
+ and non-standard algorithms in certificates.
+ Sjoerd Simons, to fix Debian Bug #576430.
OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default.
Reported as OpenSSL RT#2224.
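Review bot: the rewritten line "and non-standard algorithms in certificates" is inaccurate, because the example given two lines later (SHA256) is a standard digest that OpenSSL 0.9.8 merely does not register by default; "non-mandatory" already covers the case. Suggest "algorithms that OpenSSL does not register by default in certificates." so the entry matches the RT#2224 description that follows.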