X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=NEWS;h=559d4d228519d39f42d7f7c8ebe4c18465bf6b64;hb=53293ee30678d3db753e51820cc554c0b2b1bd97;hp=2ceef20ca8b02de578267d3beb19379b4b13e4c3;hpb=d82bc9feeecb2ec42953bbe78c243fc9deba0de1;p=~andy%2Ffetchmail diff --git a/NEWS b/NEWS index 2ceef20c..559d4d22 100644 --- a/NEWS +++ b/NEWS @@ -37,6 +37,8 @@ removed from a 6.4.0 or newer release.) * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended. * Kerberos IV support may be removed from a future fetchmail release. +* Kerberos 5 support may be removed from a future fetchmail release. +* The --principal option may be removed from a future fetchmail release. * SIGHUP wakeup support may be removed from a future fetchmail release and cause fetchmail to terminate - it was broken for many years. * Support for operating systems that are not sufficiently POSIX compliant may be 
@@ -49,10 +51,302 @@ removed from a 6.4.0 or newer release.) * The --bsmtp - mode of operation may be removed in a future release. * Given that OpenSSL is severely underdocumented, and needs license exceptions, fetchmail may switch to a different SSL library. +* SSLv2 support will be removed from a future fetchmail release. It has been + obsolete for more than a decade. -------------------------------------------------------------------------------- -fetchmail-6.3.18 (not yet released): +fetchmail-6.3.25 (not yet released): + +# BUG FIXES +* Fix a memory leak in out-of-memory error condition while handling plugins. + Report and patch by John Beck (found with Parfait static code analyzer). +* Fix a NULL pointer dereference in out-of-memory error condition while handling + plugins. + Report and patch by John Beck (found with Parfait static code analyzer). + +# CHANGES +* Improved reporting when SSL/TLS X.509 certificate validation has failed, + working around a not-so-recent swapping of two OpenSSL error codes, and + a practical impossibility to distinguish broken certification chains from + missing trust anchors (root certificates). +* OpenSSL decoded errors are now reported through report(), rather than dumped + to stderr, so that they should show up in logfiles and/or syslog. + +# WORKAROUNDS +* Older systems that provide the older RFC-2553 implementation of getaddrinfo, + rather than the current RFC-3493, and systems that do not provide this + getaddrinfo() interface at all and thus use the replacement functions from + libesmtp/getaddrinfo.?, might return EAI_NODATA when a host is registered in + DNS as MX or similar, but without A or AAAA records. Handle this situation + when checking for multidrop aliases and treat EAI_NODATA the same as + EAI_NONAME, i. e. name cannot be resolved. + + The proper fix, however, is to upgrade the operating system. 
+ + +fetchmail-6.3.24 (released 2012-12-23, 26108 LoC): + +# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR. +Should a 7.0 release be made earlier, chances are that the 6.3.X branch +is abandoned and its changes be folded into the 7.0 release, with changes +after 6.3.24 not available on their own in a newer 6.3.X release. + +# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO. + They have stopped accepting submissions and consider themselves an archive. + +# CRITICAL AND REGRESSION FIXES +* Plug a memory leak in OpenSSL's certificate verification callback. + This would affect fetchmail configurations running with SSL in daemon mode + more than one-shot runs. + Reported by Erik Thiele, and pinned by Dominik Heeg, + fixes Debian Bug #688015. + This bug was introduced into fetchmail 6.3.0 (committed 2005-10-29) + when support for subjectAltName was added through a patch by Roland + Stigge, submitted as Debian Bug#201113. + +* The --logfile option now works again outside daemon mode, reported by Heinz + Diehl. The documentation that I had been reading was inconsistent with the + code, and only parts of the manual page claimed that --logfile was only + effective in daemon mode. + +# KNOWN BUGS AND WORKAROUNDS + (This section floats upwards through the NEWS file so it stays with the + current release information) +* Fetchmail does not handle messages without Message-ID header well + (See sourceforge.net bug #780933) +* BSMTP is mostly untested and errors can cause corrupt output. +* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in + 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit + fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, + so compiling 32-bit SPARC code should not cause any difficulties. +* Fetchmail does not track pending deletes across crashes. 
+* The command line interface is sometimes a bit stubborn, for instance, + fetchmail -s doesn't work with a daemon running. +* Linux systems may return duplicates of an IP address in some circumstances if + no or no global IPv6 addresses are configured. + (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) +* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error + messages. This will not be fixed, because the maintainer has no Kerberos 5 + server to test against. Use GSSAPI. + + +fetchmail-6.3.23 (released 2012-12-10, 26106 LoC): + +# REGRESSION FIXES +* Fix compilation with OpenSSL implementations before 0.9.8m that lack + SSL_CTX_clear_options. Patch by Earl Chew. + Note that the use of older OpenSSL versions with fetchmail is unsupported and + *not* recommended. + +# BUG FIXES +* Fix combination of --plugin and -f -. Patch by Alexander Zangerl, + to fix Debian Bug#671294. +* Clean up logfile vs. syslog handling, and in case logfile overrides + syslog, send a message to the latter stating where logging goes. + +# CHANGES +* The build process can now be made a bit more silent and concise through + ./configure --enable-silent-rules, or by adding "V=0" to the make command. + +# WORKAROUNDS +* Make Maillennium POP3 workarounds less specific, to encompass + Maillennium POP3/UNIBOX (Maillennium V05.00c++). Reported by Eddie + via fetchmail-users mailing list, 2012-10-13. + +# TRANSLATION UPDATES +[cs] Czech, by Petr Pisar +[da] Danish, by Joe Hansen +[de] German +[fr] French, Frédéric Marchal +[ja] Japanese, Takeshi Hamasaki +[pl] Polish, by Jakub Bogusz +[sv] Swedish, by Göran Uddeborg +[vi] Vietnamese, Trần Ngọc Quân + + +fetchmail-6.3.22 (released 2012-08-29, 26077 LoC): + +# SECURITY FIXES +* for CVE-2012-3482: + NTLM: fetchmail mistook an error message that the server sent in response to + an NTLM request for protocol exchange, tried to decode it, and crashed while + reading from a bad memory location. 
+ Also, with a carefully crafted NTLM challenge packet sent from the server, it + would be possible that fetchmail conveyed confidential data not meant for the + server through the NTLM response packet. + Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort + NTLM authentication in case of error. + See fetchmail-SA-2012-02.txt for further details. + Reported by J. Porter Clark. + +* for CVE-2011-3389: + SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure + against a certain kind of attack against cipher block chaining initialization + vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). + Whether this creates an exploitable situation, depends on the server and the + negotiated ciphers. + As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. + + NOTE that this can cause connections to certain non-conforming servers to + fail, in which case you can set the environment variable + FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting + fetchmail to re-instate the compatibility option at the expense of security. + + Reported by Apple Product Security. + + For technical details, refer to . + See fetchmail-SA-2012-01.txt for further details. + +# BUG FIX +* The Server certificate: message in verbose mode now appears on stdout like the + remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807. + +* The GSSAPI-related autoconf code now matches gssapi.c better, and uses + a different check to look for GSS_C_NT_HOSTBASED_SERVICE. + This fixes the GSSAPI-enabled build on NetBSD 6 Beta. + +# CHANGES +* On systems where SSLv2_client_method isn't defined in OpenSSL (such as + newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't + reference it (to fix the build) and if configured, print a run-time error + that the OS does not support SSLv2. 
Fixes Debian Bug #622054, + but note that that bug report has a more thorough patch that does away with + SSLv2 altogether. + +* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now + under the more relaxed CC BY-ND 3.0 license (the noncommercial clause + was dropped). The Creative Commons address was updated. + +* The Python-related Makefile.am parts were simplified to avoid an automake + 1.11.X bug around noinst_PYTHON, Automake Bug #10995. + +* Configuring fetchmail without SSL now triggers a configure warning, + and asks the user to consider running configure --with-ssl. + +# WORKAROUND +* Some servers, notably Zimbra, return A1234 987 FETCH () in response to + a header request, in the face of message corruption. fetchmail now treats + these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat. + +* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed." + without any header in response to a header request for meeting reminder + messages (with a "meeting.ics" attachment). fetchmail now treats these as + transient errors. Report by John Connett, Patch by Sunil Shetye. + +# TRANSLATION UPDATES +* [cs] Czech, by Petr Pisar +* [de] German +* [fr] French, by Frédéric Marchal +* [ja] Japanese, by Takeshi Hamasaki +* [pl] Polish, by Jakub Bogusz +* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you! +* [vi] Vietnamese, by Trần Ngọc Quân + + +fetchmail-6.3.21 (released 2011-08-21, 26011 LoC): + +# CRITICAL BUG FIX +* The IMAP client no longer inserts NUL bytes into the last line of a message + when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt. + As a side effect of the fix, and in order to avoid a full rewrite, fetchmail + will now CRLF-terminate the last line fetched through IMAP, even if it is + originally not terminated by LF or CRLF. 
This bears no relevance if your + messages end up in mbox, but adds line termination for storages (like Maildir) + that do not require that the last line be LF- or CRLF-terminated. + +# CONTRIB/ addition +* There is a patch against fetchnews's source, contrib/rawlog.patch, that can + log (and hexdump non-printing characters) raw socket data to a file. It proved + useful to debug Antoine's bug described above. + + +fetchmail-6.3.20 (released 2011-06-06, 26005 LoC): + +# SECURITY BUG FIXES +* CVE-2011-1947: + STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the + set timeout (default five minutes) now. This was reported missing, with + observed fetchmail freezes beyond a week, by Thomas Jarosch. + SSL-wrapped connections were unaffected by this timeout, so users of older + versions can force ssl-wrapped connections -- if supported by the server -- + with the --ssl command line or ssl rcfile option. + See fetchmail-SA-2011-01.txt for further details. + +# BUG FIXES +* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few + new messages and most of the range searches result in nothing. Instead, split + the long response to make the IMAP driver think that there are multiple lines + of response. (Sunil Shetye) +* Do not print "skipping message" for old messages even in verbose mode. If + there are too many old messages, the logs just get filled without any real + activity. (Sunil Shetye) (suggested by Yunfan Jiang) +* Build: fetchmail now always uses its own MD5 implementation rather than trying + to find a system library with matched header. The library and header variants + found on systems are too diverse, and the code size saving is not worth any + more wasted user or programmer time. + +# CHANGES +* Call strlen() only once when removing CRLF from a line. (Sunil Shetye) +* fetchmail sets Internet domain sockets to "keepalive" mode now. 
Note that + there is no portable way to configure actual timeouts for this mode, and some + systems only support a system-wide timeout setting. fetchmail does not + attempt to tune the time spans of keepalive mode. + +# TRANSLATION UPDATES + [cs] Chech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German (Matthias Andree) + [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) + + +fetchmail-6.3.19 (released 2010-12-10, 25945 LoC): + +# ERRATUM NOTICE ISSUED +* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently + grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt. + +# BUG FIXES +* When specifying multiple local multidrop lists, do not lose wildcard flag. + (Affects "user foo is bar baz * is joe here") +* In multidrop configurations, an asterisk can now appear anywhere in the list + of local users, not just at the end. +* In multidrop mode, header parsing is now more verbose in -vv mode, so that it + becomes possible to see which header is used. +* Make --antispam work from command line (these used to work in rcfiles). + Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye) +* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML + documents. Skip validating Mailbox-Names-UTF7.html. Several systems have + broken XHTML 1.1 DTD installations that jeopardize the build. + Reported by Mihail Nechkin against FreeBSD port. + Workaround for 6.3.18: build in a separate directory, i. e: + mkdir build && cd build && ../configure --options-go-here +* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye) +* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R. + and Derek Simkowiak via the fetchmail-users@ mailing list. +* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the + server capabilities do not show support for upgradation to TLS. + To use this, configure --sslproto tls1. 
(Sunil Shetye) +* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by + Yasin Malli to fetchmail-users@ 2010-12-10. + Note that fetchmail continues to expect literals as FETCH response for now. + +# DOCUMENTATION +* The manual page now links to IANA for GSSAPI service names. + +# TRANSLATION UPDATES + [cs] Czech (Petr Pisar) + [fr] French (Frédéric Marchal) + [de] German + [it] Italian (Vincenzo Campanella) + [pl] Polish (Jakub Bogusz) + + +fetchmail-6.3.18 (released 2010-10-09, 25936 LoC): # SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE * Fetchmail now only accepts wildcard certificate common names and subject 
@@ -61,20 +355,34 @@ fetchmail-6.3.18 (not yet released): * Fetchmail now disallows wildcards in certificates to match domain literals (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23"). The test is overly picky and triggers if the pattern (after skipping the - initial wildcard "*") or domain consist solely of digits and dots and matches - more than needed. + initial wildcard "*") or domain consists solely of digits and dots, and thus + matches more than needed. * Fetchmail now disallows wildcarding top-level domains. -# BUG FIXES -* Fetchmail would warn about insecure SSL/TLS connections even if a matching - --sslfingerprint was specified. This is an omission from an SSL usability - change made in 6.3.17. Fixes Debian Bug#580796 reported by Roland Stigge. +# CRITICAL BUG FIXES AND REGRESSION FIXES * Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5* functions, as an effect of an undocumented Solaris MD5 fix. - This fails if, for instance, libmd5.so was installed on other operating - systems as part of libwww on machines where long isn't 32-bits. Fixes Gentoo - Bug #319283, reported - including the hint to libwww - by Karl Hakimian. + This caused all MD5-related functions to malfunction if, for instance, + libmd5.so was installed on other operating systems as part of libwww on + machines where long isn't 32-bits, i. e. usually on 64-bit computers. + Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian. Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5. +* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching + --sslfingerprint was specified. This is an omission from an SSL usability + change made in 6.3.17. + Fixes Debian Bug#580796 reported by Roland Stigge. +* Fetchmail will now apply timeouts to the authentication stage. + This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3. + Reported missing by Thomas Jarosch. 
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS + errors, such as no or unsuitable credentials. + It now sends an asterisk on a line by its own, as required in SASL. + This fixes protocol synchronization issues that cause Authentication + failures, often observed with kerberized MS Exchange servers. + Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the + fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart. + +# BUG FIXES * Fetchmail will no longer print connection attempts and errors for one host in "silent" and "normal" logging modes, unless all connections fail. This should reduce irritation around refused-connection logging if services are 
@@ -82,37 +390,35 @@ fetchmail-6.3.18 (not yet released): connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25 then - silently - succeeds. Fetchmail, unless in verbose mode, will collect all connect errors and only report them if all of them fail. -* Fetchmail will now apply timeouts to the authentication stage. This stage - encompasses STARTTLS/STLS negotiation in IMAP/POP3. - Reported missing by Thomas Jarosch. -* Fetchmail will not try GSSAPI authentication automatically unless it has GSS - credentials. This avoids getting servers such as Exchange 2007 wedged if - GSSAPI authentication fails. Reported by Patrick Rynhart, Debian Bug #568455, - and Alan Murrell, to the fetchmail-users list. +* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS + credentials. However, if GSSAPI authentication is requested explicitly, + fetchmail will always try it. * Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n RFC822.HEADER" in a more flexible manner. (Sunil Shetye) +* The manual page clearly states that --principal is for Kerberos 4 only, not + for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann. # CHANGES * When encountering incorrect headers, fetchmail will refer to the bad-header - option in the manpage. BerliOS Bug #17272, change suggested by Björn Voigt. + option in the manpage. + Fixes BerliOS Bug #17272, change suggested by Björn Voigt. * Fetchmail now decodes and reports GSSAPI status codes upon errors. +* Fetchmail now autoprobes NTLM also for POP3. +* The Fetchmail FAQ has a new item #R15 on authentication failures. -# KNOWN BUGS AND WORKAROUNDS: - (this section floats upwards through the NEWS file so it stays with the - current release information - however, it was stuck with 6.3.8 for a while) -* fetchmail does not handle messages without Message-ID header well - (See sourceforge.net bug #780933) -* BSMTP is mostly untested and errors can cause corrupt output. 
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in - 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit - fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, - so compiling 32-bit SPARC code should not cause any difficulties. -* fetchmail does not track pending deletes over crashes -* the command line interface is sometimes a bit stubborn, for instance, - fetchmail -s doesn't work with a daemon running -* Linux may return duplicates of an IP address in some circumstances if no or - no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, - Novell Bug#606980.) +# INTERNAL CHANGES +* The common NTLM authentication code was factored out from pop3.c and imap.c. + +# TRANSLATION UPDATES + [zh_CN] Chinese/simplified (Ji Zheng-Yu) + [cs] Czech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German + [it] Italian (Vincenzo Campanella) + [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):
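Review bot: in the first hunk (@@ -37,6 +37,8 @@), the two added deprecation lines for Kerberos 5 and --principal name no migration path, while the 6.3.24 "KNOWN BUGS AND WORKAROUNDS" entry added further down already tells users "Use GSSAPI"; suggest "* Kerberos 5 support may be removed from a future fetchmail release. Use GSSAPI instead." Since the 6.3.18 section in this same patch states that "--principal is for Kerberos 4 only, not for Kerberos 5 or GSSAPI", the --principal line could also be folded into the existing "Kerberos IV support may be removed" item rather than standing as a separate, unexplained item.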
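Review bot: in the large hunk (@@ -49,10 +51,302 @@), the CVE-2011-3389 entry under 6.3.22 contains "For technical details, refer to ." with the reference target missing; either restore the URL or document name that was meant to go there or drop the sentence, since fetchmail-SA-2012-01.txt is already cited on the next line. Minor: "[cs] Chech (Petr Pisar)" under the 6.3.20 translation updates should read "Czech", as in the other release entries.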
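Review bot: in the hunk @@ -61,20 +355,34 @@, the entry "Fetchmail will now apply timeouts to the authentication stage. This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3. Reported missing by Thomas Jarosch." is moved under 6.3.18 CRITICAL BUG FIXES, but the 6.3.20 entry in the preceding hunk credits the same report to CVE-2011-1947 ("STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the set timeout (default five minutes) now."). As written, a reader of the 6.3.18 section would conclude that 6.3.18 already covers CVE-2011-1947. State in the 6.3.18 entry which part of the timeout handling was still missing there (or that the 6.3.18 change was incomplete) and cross-reference fetchmail-SA-2011-01.txt, so the two entries cannot be read as describing the same fix twice.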
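Review bot: in the last hunk (@@ -82,37 +390,35 @@), the new line "Fetchmail now autoprobes NTLM also for POP3" under 6.3.18 CHANGES carries no caveat, yet the same patch documents CVE-2012-3482 under 6.3.22, where a server-supplied NTLM challenge crashed fetchmail and could cause it to convey confidential data in the NTLM response. Autoprobing means that NTLM code path is exercised against any server that advertises it, so consider adding to the 6.3.18 entry that users who do not need NTLM can pin the authentication method with an explicit --auth setting, and cross-reference fetchmail-SA-2012-02.txt. Also, the rewritten GSSAPI line ("However, if GSSAPI authentication is requested explicitly, fetchmail will always try it.") drops the Debian Bug #568455 and reporter attribution that the removed lines carried; that attribution now survives only in the CRITICAL BUG FIXES entry added in the previous hunk, which is fine provided both hunks land together.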