--------------------------------------------------------------------------------
-fetchmail 6.3.5 (not yet released):
+fetchmail 6.3.6 (not yet released):
+
+# SECURITY FIXES (CHANGE BEHAVIOUR):
+* CVE-2006-5867, fetchmail-SA-2006-02.txt:
+ Password disclosure vulnerability. This has several aspects:
+
+ - Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
+ options are used, to be sure there is a certificate to check against.
+
+ - Fetchmail breaks the connection if the TLS negotiation (or verification, if
+ requested) fails with sslproto 'tls1' (also applies if this is implicit).
+
+ - POP3 connections ignored STLS altogether in many circumstances, because
+ fetchmail did not probe server capabilities for all values of "auth" - see
+ fetchmail-SA-2006-02.txt for details.
+
+ - POP3 connections could retry USER/PASS authentication even if strong
+ challenge-response schemes such as CRAM-MD5 had explicitly been requested,
+ if these were not advertised in the CAPA response.
+
+ - POP2 is obsolete and does not support STLS or anything beyond password-based
+ authentication. The attempt to use STLS or stronger authenticators causes
+ connection abort.
+
+ Configurations using --ssl --sslcertck however have been semi-safe in that
+ they would not expose the password over the wire.
+
+# SECURITY FIX:
+* CVE-2006-5974, fetchmail-SA-2006-03.txt:
+ Repair regression in 6.3.5 that crashes fetchmail when a message with invalid
+ headers is found while fetchmail's mda option is in use. BerliOS bugs #9364,
+ #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+
+# BUG FIXES:
+* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
+ reported by Brian Harring.
+* POP3: Probe capabilities when Kerberos V5 is attempted.
+* RPOP: The password is now shrouded in the local logs.
+* Robustness: If a stale lockfile cannot be deleted, truncate it to avoid
+ trouble later if the PID is recycled by a non-fetchmail process.
+* On systems that have res_search(), assume we also have res_init() and call it
+ (suggested by Ulrich Drepper, glibc bug #3675) in order to make libc or
+ libresolv reread the resolver configuration at the beginning of a poll cycle.
+ This is important when fetchmail is in daemon mode and /etc/resolv.conf is
+ changed later by dhcpcd, dhclient, pppd, openvpn or other ip-up/ipchange
+ scripts. Should fix Debian Bug#389270, Bug#391698.
+* Fix crash on systems that do not provide strdup() in out-of-memory conditions.
+ Patch by Andreas Krennmair.
+
+# CHANGES:
+* Remove excess no-op strcpy() after strdup() found by Andreas Krennmair.
+* Remove handling for PS_TRUNCATED (code 27), which was never asserted.
+* Improve handling of IMAP IDLE, some servers do not reset their time counters
+ after sending information asynchronously. Patch by Sunil Shetye, after report
+ from Andrew Baumann.
+
+# TRANSLATIONS:
+* New en_GB (British English) translation by David Lodge.
+* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
+ Maryanov) and Vietnamese (Clytie Siddall) translations.
+
+# DOCUMENTATION:
+* Dropped exit status 15 from manual page, it's not used by fetchmail.
+ Reported by Isaac Wilcox.
# KNOWN BUGS AND WORKAROUNDS:
(this section floats upwards through the NEWS to be on top of the list)
so compiling 32-bit SPARC code should be fine.
* fetchmail expects Received: headers in a particular format when parsing
envelopes.
+* fetchmail does not track pending deletes over crashes
+* the command line interface is a bit narrow-minded sometimes, for instance,
+ fetchmail -s doesn't work with a running daemon
+* some of the logging output is not very helpful
+* some of the documentation is still not up to date
+
+fetchmail 6.3.5 (released 2006-10-09):
# BUG FIXES:
* For protocols such as IMAP that are not delimited by "." lines, truncate the
with new polls, and SIGHUP would be ignored for root users. SIGHUP now matches
documented behavior. SIGUSR1 has always been a wakeup signal for both root
(undocumented) and non-root users. See also the deprecation warning above.
-* Track getaddrinfo() results to properly free them after timeouts,
- reported by Uli Zappe. This MIGHT fix Debian Bug#294547 and Bug#377135.
+* Track getaddrinfo() results to properly free them after timeouts and make sure
+ that getaddrinfo() isn't interrupted by a timeout (which breaks on MacOS X),
+ reported by Uli Zappe. This should fix Debian Bug#294547 and Bug#377135.
* --logfile is now handled more carefully, errors opening the logfile are
now reported to the TTY where fetchmail was started from.
* fetchmail now complains and aborts when it cannot properly daemonize itself.
* ignore SIGPIPE signals and rely on functions to return EPIPE instead. This is
necessary because the former longjmp() from the signal handler is unsafe and
makes the whole fetchmail behavior undefined after the event.
+* Avoid crash in env.c/host_fqdn if we cannot canonicalize our own hostname.
+ Reported by Alexander Holler.
+* SSL fix by Miloslav Trmac (Red Hat): free the SSL contexts after the
+ connection, to avoid from growing SSL certpaths without bounds, avoid using
+ SSL contexts for unrelated connections, and to fix Red Hat Bug #206346.
# CHANGES:
* Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
or IMAP connection to TLS security with STLS/STARTTLS.
* fetchmail now supports foo@example.org=bar user mappings for multidrop boxes.
* switch setjmp/longjmp to sigsetjmp/siglongjmp
+* IMAP now supports the EXTERNAL authentication method, courtesy of
+ Götz 'nimrill' Babin-Ebell, BerliOS patch #1095 with minor changes.
+ Note that this change causes --sslcert to override --user.
+* The sslproto keywords are now case insensitive, courtesy of
+ Götz 'nimrill' Babin-Ebell, BerliOS patch #1095.
+* When going to sleep, log for how long. Suggested by Claudia Ludwig.
+* When the server name cannot be canonicalized, log the gai_strerror value.
# TRANSLATION UPDATES:
-* Russian/ru (Pavel Maryanov), Vietnamese/vi (Clytie Siddall)
+* Catalan/ca (Ernest Adrogué Calveras), Japanese/ja (Takeshi Hamasaki) - also
+ made gettext 0.15 ready, Polish/pl (Jakub Bogusz), Russian/ru (Pavel
+ Maryanov), Spanish/es (Héctor García Álvarez), Vietnamese/vi (Clytie Siddall)
# CONTRIBUTED SCRIPTS:
* PopDel.py was revised by Joshua Crawford to display the From: address and
projects / ~andy / fetchmail / blobdiff