* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
+* The --principal option may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
fetchmail-6.3.18 (not yet released):
+# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+* Fetchmail now only accepts wildcard certificate common names and subject
+ alternative names if they start with "*.". Previous versions would accept
+ wildcards even if no period followed immediately.
+* Fetchmail now disallows wildcards in certificates to match domain literals
+ (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
+ The test is overly picky and triggers if the pattern (after skipping the
+ initial wildcard "*") or domain consists solely of digits and dots, and thus
+ matches more than needed.
+* Fetchmail now disallows wildcarding top-level domains.
+
# BUG FIXES
* Fetchmail would warn about insecure SSL/TLS connections even if a matching
--sslfingerprint was specified. This is an omission from an SSL usability
credentials. This avoids getting servers such as Exchange 2007 wedged if
GSSAPI authentication fails. Reported by Patrick Rynhart, Debian Bug #568455,
and Alan Murrell, to the fetchmail-users list.
-* Fetchmail now only accepts wildcard certificate common names and subject
- alternative names if they start with "*.". Previous versions would accept
- wildcards even if no period followed immediately.
+ Note that if GSSAPI fails for other reasons, you can use the --auth option to
+ work around that.
+* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
+ RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS
+ errors. It now sends an asterisk on a line by its own, as required in SASL.
+ This should fix protocol synchronization issues that cause Authentication
+ failure, particularly with Exchange 2007 and Exchange 2010 servers, when
+ Kerberos authentication was offered by the server and attempted by fetchmail.
+* The manual page clearly states that --principal is for Kerberos 4 only, not
+ for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.
# CHANGES
* When encountering incorrect headers, fetchmail will refer to the bad-header
option in the manpage. BerliOS Bug #17272, change suggested by Björn Voigt.
* Fetchmail now decodes and reports GSSAPI status codes upon errors.
+# TRANSLATION UPDATES
+ [zh_CN] Chinese/simplified (Ji Zheng-Yu)
+ [cs] Czech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German
+ [it] Italian (Vincenzo Campanella)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
# KNOWN BUGS AND WORKAROUNDS:
(this section floats upwards through the NEWS file so it stays with the
current release information - however, it was stuck with 6.3.8 for a while)