* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
+* SIGHUP wakeup may be removed from a future fetchmail release and cause it
+ to terminate.
+* Support for operating systems that are not sufficiently POSIX compliant may be
+ removed or operation on such systems may be suboptimal for future releases.
--------------------------------------------------------------------------------
-fetchmail 6.3.5 (not yet released):
+fetchmail 6.3.6 (not yet released):
+
+# SECURITY FIXES (CHANGE BEHAVIOUR):
+* CVE-2006-5867, fetchmail-SA-2006-02.txt:
+ Password disclosure vulnerability. This has several aspects:
+
+ - Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
+ options are used, to be sure there is a certificate to check against.
+
+ - Fetchmail breaks the connection if the TLS negotiation (or verification, if
+ requested) fails with sslproto 'tls1' (also applies if this is implicit).
+
+ - POP3 connections ignored STLS altogether in many circumstances, because
+ fetchmail did not probe server capabilities for all values of "auth" - see
+ fetchmail-SA-2006-02.txt for details.
+
+ - POP3 connections could retry USER/PASS authentication even if strong
+ challenge-response schemes such as CRAM-MD5 had explicitly been requested,
+ if these were not advertised in the CAPA response.
+
+ - POP2 is obsolete and does not support STLS or anything beyond password-based
+ authentication. The attempt to use STLS or stronger authenticators causes
+ connection abort.
+
+ Configurations using --ssl --sslcertck however have been semi-safe in that
+ they would not expose the password over the wire.
+
+# SECURITY FIX:
+* CVE-2006-5974, fetchmail-SA-2006-03.txt:
+ Repair regression in 6.3.5 that crashes fetchmail when a message with invalid
+ headers is found while fetchmail's mda option is in use. BerliOS bugs #9364,
+ #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+
+# BUG FIXES:
+* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
+ reported by Brian Harring.
+* POP3: Probe capabilities when Kerberos V5 is attempted.
+* RPOP: The password is now shrouded in the local logs.
+* Robustness: If a stale lockfile cannot be deleted, truncate it to avoid
+ trouble later if the PID is recycled by a non-fetchmail process.
+* On systems that have res_search(), assume we also have res_init() and call it
+ (suggested by Ulrich Drepper, glibc bug #3675) in order to make libc or
+ libresolv reread the resolver configuration at the beginning of a poll cycle.
+ This is important when fetchmail is in daemon mode and /etc/resolv.conf is
+ changed later by dhcpcd, dhclient, pppd, openvpn or other ip-up/ipchange
+ scripts. Should fix Debian Bug#389270, Bug#391698.
+* Fix crash on systems that do not provide strdup() in out-of-memory conditions.
+ Patch by Andreas Krennmair.
+
+# CHANGES:
+* Remove excess no-op strcpy() after strdup() found by Andreas Krennmair.
+* Remove handling for PS_TRUNCATED (code 27), which was never asserted.
+* Improve handling of IMAP IDLE, some servers do not reset their time counters
+ after sending information asynchronously. Patch by Sunil Shetye, after report
+ from Andrew Baumann.
+
+# TRANSLATIONS:
+* New en_GB (British English) translation by David Lodge.
+* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
+ Maryanov) and Vietnamese (Clytie Siddall) translations.
+
+# DOCUMENTATION:
+* Dropped exit status 15 from manual page, it's not used by fetchmail.
+ Reported by Isaac Wilcox.
# KNOWN BUGS AND WORKAROUNDS:
(this section floats upwards through the NEWS to be on top of the list)
Either compile 32-bit code or use GCC to compile 64-bit fetchmail.
Note that fetchmail doesn't take advantage of 64-bit code anyways,
so compiling 32-bit SPARC code should be fine.
-* The code still isn't 100% ISO-C compliant, some configurations attempt to
- compile files that are empty after preprocessing, which can cause compiler
- diagnostics and perhaps jam the compilation on strict compilers.
* fetchmail expects Received: headers in a particular format when parsing
envelopes.
+* fetchmail does not track pending deletes over crashes
+* the command line interface is a bit narrow-minded sometimes, for instance,
+ fetchmail -s doesn't work with a running daemon
+* some of the logging output is not very helpful
+* some of the documentation is still not up to date
+
+fetchmail 6.3.5 (released 2006-10-09):
# BUG FIXES:
* For protocols such as IMAP that are not delimited by "." lines, truncate the
guessing.
* Improve --with-gssapi auto detection for /usr-based GSSAPI installs.
* Fix --with-gssapi builds for NetBSD 3.0.
+* Improve KAME/getnameinfo.c portability to Linux libc5 systems.
+ Based on a patch by Dan Fandrich.
+* Provide INET6 to KAME/getnameinfo.c (only useful on IPv6-enabled systems that
+ lack getnameinfo, and there only visible in some Received: headers).
+ Found by Dan Fandrich.
+* POP3: some UID flags may not be set properly on UIDL lists. (Sunil Shetye)
+* Make IMAP4 IDLE work on servers that do not update RECENT counts.
+ Reported by Lars Tewes.
+* IMAP4 patch by Sunil Shetye:
+ - do not depend on server updating RECENT counts at all
+ - also enter IDLE loop when messages are present on the server.
+* Fix --flush description in the manual page, fetchmail does not mark messages
+ seen unless it has successfully delivered them. Suggested by Frederic Marchal.
+* Fetchmail no longer attempts to stat the "-" file in daemon mode -- this is a
+ special name to read the RC file from stdin, and cannot always be re-read
+ anyways. BerliOS bug #7858.
+* When looking up ports for a service, the lookup succeeds and the returned
+ address family isn't IPv4 or IPv6, properly free the allocated memory from the
+ service lookup. Found by Uli Zappe.
+* When looking up ports for a service, only look up TCP ports.
+* Avoid compiling empty files, to avoid diagnostics from strict compilers.
+* If the lockfile ends before the process ID, treat it as stale and unlink it.
+ Reported by Justin Pryzby, Debian Bug #376603.
+* SIGHUP wake-up behavior was broken since 5.9.13's Cygwin changes, in that for
+ non-root users, SIGHUP would abort the first poll and subsequently interfere
+ with new polls, and SIGHUP would be ignored for root users. SIGHUP now matches
+ documented behavior. SIGUSR1 has always been a wakeup signal for both root
+ (undocumented) and non-root users. See also the deprecation warning above.
+* Track getaddrinfo() results to properly free them after timeouts and make sure
+ that getaddrinfo() isn't interrupted by a timeout (which breaks on MacOS X),
+ reported by Uli Zappe. This should fix Debian Bug#294547 and Bug#377135.
+* --logfile is now handled more carefully, errors opening the logfile are
+ now reported to the TTY where fetchmail was started from.
+* fetchmail now complains and aborts when it cannot properly daemonize itself.
+* fix compilation on systems that don't know struct addrinfo (Solaris 2.6).
+* ignore SIGPIPE signals and rely on functions to return EPIPE instead. This is
+ necessary because the former longjmp() from the signal handler is unsafe and
+ makes the whole fetchmail behavior undefined after the event.
+* Avoid crash in env.c/host_fqdn if we cannot canonicalize our own hostname.
+ Reported by Alexander Holler.
+* SSL fix by Miloslav Trmac (Red Hat): free the SSL contexts after the
+ connection, to avoid from growing SSL certpaths without bounds, avoid using
+ SSL contexts for unrelated connections, and to fix Red Hat Bug #206346.
# CHANGES:
* Rename all fetchmail-internal lock_* functions to fm_lock_*. Obsoletes
NetBSD portable packages collection patch-ah, patch-ai and patch-aj.
* Configure prints a warning (but proceeds) if Kerberos IV support is enabled.
+* In verbose mode, log every IP fetchmail tries to connect to, to avoid
+ misleading the user. Suppress EAFNOSUPPORT errors from socket() call, too.
+ Fixes Debian Bug #361825, reported by Daniel Baur.
+* In idle mode, fetchmail complains about the fetchall option.
+* When a connection fails, log not only the IP address, but also host and
+ service name and the port number. Log the latter when trying to connect in
+ verbose mode, too.
+* Keep syslog output at one line per message (this works if no errors occur).
+* Fetchmail in verbose mode now logs if it opportunistically upgrades a POP3
+ or IMAP connection to TLS security with STLS/STARTTLS.
+* fetchmail now supports foo@example.org=bar user mappings for multidrop boxes.
+* switch setjmp/longjmp to sigsetjmp/siglongjmp
+* IMAP now supports the EXTERNAL authentication method, courtesy of
+ Götz 'nimrill' Babin-Ebell, BerliOS patch #1095 with minor changes.
+ Note that this change causes --sslcert to override --user.
+* The sslproto keywords are now case insensitive, courtesy of
+ Götz 'nimrill' Babin-Ebell, BerliOS patch #1095.
+* When going to sleep, log for how long. Suggested by Claudia Ludwig.
+* When the server name cannot be canonicalized, log the gai_strerror value.
# TRANSLATION UPDATES:
-* Russian/ru (Pavel Maryanov), Vietnamese/vi (Clytie Siddall)
+* Catalan/ca (Ernest Adrogué Calveras), Japanese/ja (Takeshi Hamasaki) - also
+ made gettext 0.15 ready, Polish/pl (Jakub Bogusz), Russian/ru (Pavel
+ Maryanov), Spanish/es (Héctor García Álvarez), Vietnamese/vi (Clytie Siddall)
# CONTRIBUTED SCRIPTS:
* PopDel.py was revised by Joshua Crawford to display the From: address and
projects / ~andy / fetchmail / blobdiff