X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=NEWS;h=748a5e8954f897b808d9c0072c33a46c97e90654;hb=e75c62b234a699557c023970466a8accd0b5a7b2;hp=cddbbcb044c3bd916524cf3b2cf1b0d966f66a73;hpb=e9c99cb0a353ed18bd7c6ea6e93ec2fea326bbb4;p=~andy%2Ffetchmail diff --git a/NEWS b/NEWS index cddbbcb0..748a5e89 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,8 @@ removed from a 6.4.0 or newer release.) * The monitor and interface options may be removed from a future fetchmail version as they are not reasonably portable across operating systems. * POP2 is obsolete, support will be removed from a future fetchmail version. +* IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a + future fetchmail version. * RPOP is obsolete, support will be removed from a future fetchmail release. * --sslcertck will become a default setting in a future fetchmail version. * The multidrop To/Cc guessing code along with the fragile duplicate suppressor @@ -35,6 +37,8 @@ removed from a 6.4.0 or newer release.) * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended. * Kerberos IV support may be removed from a future fetchmail release. +* Kerberos 5 support may be removed from a future fetchmail release. +* The --principal option may be removed from a future fetchmail release. * SIGHUP wakeup support may be removed from a future fetchmail release and cause fetchmail to terminate - it was broken for many years. * Support for operating systems that are not sufficiently POSIX compliant may be 
@@ -45,10 +49,351 @@ removed from a 6.4.0 or newer release.) requirements (dependencies), such as Boost or other class libraries. * The softbounce option default will change to "false" in the next release. * The --bsmtp - mode of operation may be removed in a future release. +* Given that OpenSSL is severely underdocumented, and needs license exceptions, + fetchmail may switch to a different SSL library. +* SSLv2 support will be removed from a future fetchmail release. It has been + obsolete for more than a decade. -------------------------------------------------------------------------------- -fetchmail 6.3.15 (not yet released): +fetchmail-6.3.22 (not yet released): + +# SECURITY FIXES +* for CVE-2012-3482: + NTLM: fetchmail mistook an error message that the server sent in response to + an NTLM request for protocol exchange, tried to decode it, and crashed while + reading from a bad memory location. + Also, with a carefully crafted NTLM challenge packet sent from the server, it + would be possible that fetchmail conveyed confidential data not meant for the + server through the NTLM response packet. + Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort + NTLM authentication in case of error. + See fetchmail-SA-2012-02.txt for further details. + Reported by J. Porter Clark. + +* for CVE-2011-3389: + SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure + against a certain kind of attack against cipher block chaining initialization + vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). + Whether this creates an exploitable situation, depends on the server and the + negotiated ciphers. + As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. 
+ + NOTE that this can cause connections to certain non-conforming servers to + fail, in which case you can set the environment variable + FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting + fetchmail to re-instate the compatibility option at the expense of security. + + Reported by Apple Product Security. + + For technical details, refer to . + See fetchmail-SA-2012-01.txt for further details. + +# BUG FIX +* The Server certificate: message in verbose mode now appears on stdout like the + remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807. + +# CHANGES +* On systems where SSLv2_client_method isn't defined in OpenSSL (such as + newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't + reference it (to fix the build) and if configured, print a run-time error + that the OS does not support SSLv2. Fixes Debian Bug #622054, + but note that that bug report has a more thorough patch that does away with + SSLv2 altogether. + +* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now + under the more relaxed CC BY-ND 3.0 license (the noncommercial clause + was dropped). The Creative Commons address was updated. + +# WORKAROUND +* Some servers, notably Zimbra, return A1234 987 FETCH () in response to + a header request, in the face of message corruption. fetchmail now treats + these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat. + +* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed." + without any header in response to a header request for meeting reminder + messages (with a "meeting.ics" attachment). fetchmail now treats these as + transient errors. Report by John Connett, Patch by Sunil Shetye. + +# TRANSLATION UPDATES +* New Swedish [sv] translation, courtesy of Göran Uddeborg. 
+ + +fetchmail-6.3.21 (released 2011-08-21, 26011 LoC): + +# CRITICAL BUG FIX +* The IMAP client no longer inserts NUL bytes into the last line of a message + when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt. + As a side effect of the fix, and in order to avoid a full rewrite, fetchmail + will now CRLF-terminate the last line fetched through IMAP, even if it is + originally not terminated by LF or CRLF. This bears no relevance if your + messages end up in mbox, but adds line termination for storages (like Maildir) + that do not require that the last line be LF- or CRLF-terminated. + +# CONTRIB/ addition +* There is a patch against fetchnews's source, contrib/rawlog.patch, that can + log (and hexdump non-printing characters) raw socket data to a file. It proved + useful to debug Antoine's bug described above. + + +fetchmail-6.3.20 (released 2011-06-06, 26005 LoC): + +# SECURITY BUG FIXES +* CVE-2011-1947: + STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the + set timeout (default five minutes) now. This was reported missing, with + observed fetchmail freezes beyond a week, by Thomas Jarosch. + SSL-wrapped connections were unaffected by this timeout, so users of older + versions can force ssl-wrapped connections -- if supported by the server -- + with the --ssl command line or ssl rcfile option. + See fetchmail-SA-2011-01.txt for further details. + +# BUG FIXES +* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few + new messages and most of the range searches result in nothing. Instead, split + the long response to make the IMAP driver think that there are multiple lines + of response. (Sunil Shetye) +* Do not print "skipping message" for old messages even in verbose mode. If + there are too many old messages, the logs just get filled without any real + activity. 
(Sunil Shetye) (suggested by Yunfan Jiang) +* Build: fetchmail now always uses its own MD5 implementation rather than trying + to find a system library with matched header. The library and header variants + found on systems are too diverse, and the code size saving is not worth any + more wasted user or programmer time. + +# CHANGES +* Call strlen() only once when removing CRLF from a line. (Sunil Shetye) +* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that + there is no portable way to configure actual timeouts for this mode, and some + systems only support a system-wide timeout setting. fetchmail does not + attempt to tune the time spans of keepalive mode. + +# TRANSLATION UPDATES + [cs] Chech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German (Matthias Andree) + [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) + +# KNOWN BUGS AND WORKAROUNDS + (this section floats upwards through the NEWS file so it stays with the + current release information - however, it was stuck with 6.3.8 for a while) +* fetchmail does not handle messages without Message-ID header well + (See sourceforge.net bug #780933) +* BSMTP is mostly untested and errors can cause corrupt output. +* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in + 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit + fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, + so compiling 32-bit SPARC code should not cause any difficulties. +* fetchmail does not track pending deletes over crashes. +* the command line interface is sometimes a bit stubborn, for instance, + fetchmail -s doesn't work with a daemon running. +* Linux systems may return duplicates of an IP address in some circumstances if + no or no global IPv6 addresses are configured. + (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) 
+* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error + messages. This will not be fixed, because the maintainer has no Kerberos 5 + server to test against. Use GSSAPI. + + +fetchmail-6.3.19 (released 2010-12-10, 25945 LoC): + +# ERRATUM NOTICE ISSUED +* fetchmail 6.3.18 contains several bug fixes that were considered sufficiently + grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt. + +# BUG FIXES +* When specifying multiple local multidrop lists, do not lose wildcard flag. + (Affects "user foo is bar baz * is joe here") +* In multidrop configurations, an asterisk can now appear anywhere in the list + of local users, not just at the end. +* In multidrop mode, header parsing is now more verbose in -vv mode, so that it + becomes possible to see which header is used. +* Make --antispam work from command line (these used to work in rcfiles). + Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye) +* Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML + documents. Skip validating Mailbox-Names-UTF7.html. Several systems have + broken XHTML 1.1 DTD installations that jeopardize the build. + Reported by Mihail Nechkin against FreeBSD port. + Workaround for 6.3.18: build in a separate directory, i. e: + mkdir build && cd build && ../configure --options-go-here +* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye) +* Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R. + and Derek Simkowiak via the fetchmail-users@ mailing list. +* Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the + server capabilities do not show support for upgradation to TLS. + To use this, configure --sslproto tls1. (Sunil Shetye) +* IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by + Yasin Malli to fetchmail-users@ 2010-12-10. + Note that fetchmail continues to expect literals as FETCH response for now. 
+ +# DOCUMENTATION +* The manual page now links to IANA for GSSAPI service names. + +# TRANSLATION UPDATES + [cs] Czech (Petr Pisar) + [fr] French (Frédéric Marchal) + [de] German + [it] Italian (Vincenzo Campanella) + [pl] Polish (Jakub Bogusz) + + +fetchmail-6.3.18 (released 2010-10-09, 25936 LoC): + +# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE +* Fetchmail now only accepts wildcard certificate common names and subject + alternative names if they start with "*.". Previous versions would accept + wildcards even if no period followed immediately. +* Fetchmail now disallows wildcards in certificates to match domain literals + (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23"). + The test is overly picky and triggers if the pattern (after skipping the + initial wildcard "*") or domain consists solely of digits and dots, and thus + matches more than needed. +* Fetchmail now disallows wildcarding top-level domains. + +# CRITICAL BUG FIXES AND REGRESSION FIXES +* Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5* + functions, as an effect of an undocumented Solaris MD5 fix. + This caused all MD5-related functions to malfunction if, for instance, + libmd5.so was installed on other operating systems as part of libwww on + machines where long isn't 32-bits, i. e. usually on 64-bit computers. + Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian. + Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5. +* Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching + --sslfingerprint was specified. This is an omission from an SSL usability + change made in 6.3.17. + Fixes Debian Bug#580796 reported by Roland Stigge. +* Fetchmail will now apply timeouts to the authentication stage. + This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3. + Reported missing by Thomas Jarosch. 
+* Fetchmail now cancels GSSAPI authentication properly when encountering GSS + errors, such as no or unsuitable credentials. + It now sends an asterisk on a line by its own, as required in SASL. + This fixes protocol synchronization issues that cause Authentication + failures, often observed with kerberized MS Exchange servers. + Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the + fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart. + +# BUG FIXES +* Fetchmail will no longer print connection attempts and errors for one host + in "silent" and "normal" logging modes, unless all connections fail. This + should reduce irritation around refused-connection logging if services are + only on an IPv4 socket if the host also supports IPv6. Often observed as + connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25 + then - silently - succeeds. Fetchmail, unless in verbose mode, will collect + all connect errors and only report them if all of them fail. +* Fetchmail will not try GSSAPI authentication automatically, unless it has GSS + credentials. However, if GSSAPI authentication is requested explicitly, + fetchmail will always try it. +* Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n + RFC822.HEADER" in a more flexible manner. (Sunil Shetye) +* The manual page clearly states that --principal is for Kerberos 4 only, not + for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann. + +# CHANGES +* When encountering incorrect headers, fetchmail will refer to the bad-header + option in the manpage. + Fixes BerliOS Bug #17272, change suggested by Björn Voigt. +* Fetchmail now decodes and reports GSSAPI status codes upon errors. +* Fetchmail now autoprobes NTLM also for POP3. +* The Fetchmail FAQ has a new item #R15 on authentication failures. + +# INTERNAL CHANGES +* The common NTLM authentication code was factored out from pop3.c and imap.c. 
+ +# TRANSLATION UPDATES + [zh_CN] Chinese/simplified (Ji Zheng-Yu) + [cs] Czech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German + [it] Italian (Vincenzo Campanella) + [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) + + +fetchmail-6.3.17 (released 2010-05-06, 25767 LoC): + +# SECURITY FIX +* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize + external input (mail headers and UID). When a multi-character locale (such as + UTF-8) was in use, this could cause memory exhaustion and thus a denial of + service, because fetchmail's report.c functions assumed that non-success of + [v]snprintf was due to insufficient buffer size allocation. It would then + repeatedly reallocate a larger buffer and fail formatting again. + See fetchmail-SA-2010-02.txt. + +# FEATURES +* Fetchmail now supports a --sslcertfile option to specify a "CA bundle" + file (a file that contains trusted CA certificates). Since these bundled CA + files do not require c_rehash to be run, they are easier to use and immune to + OpenSSL library updates that affect the hash function. +* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS + environment variable to force loading the default SSL CA certificate + locations even if --sslcertfile or --sslcertpath is used. + If neither option is in effect, fetchmail loads the default locations. + +# REGRESSION FIX +* Fix string handling in rcfile scanner, which caused fetchmail to misparse a + run control file in certain circumstances. Fixes BerliOS bug #14257. + Patch by Michael Banack. This fixes a regression introduced before 6.3.0. + +# BUG FIXES +* Plug memory leak when using a "defaults" entry in the run control file. +* Do not print SSL certificate mismatches unless verbose or --sslcertck is + enabled. +* Do not lose "set invisible" in fetchmailconf. 
(Michael Barnack) + +# CHANGES +* Usability: SSL certificate chains are fully printed in -v -v mode, and there + are now helpful pointers to --sslcertpath and c_rehash for "unable to get + local issuer certificate" and self-signed certificates -- these usually hint + to missing root signing CAs in the certs directory. +* Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings +* Memory allocation failures will now cause abnormal program abort (SIGABRT), + no longer an exit with unspecified code. +* Print a warning if certificate verification failed and the user did not + specify --sslcertck. + +# DOCUMENTATION +* Fix table of global option to read "set softbounce" where there used to be a + 2nd copy of "set spambounce". Patch by Michael Banack, BerliOS Bug #17067. +* In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X + to 1.0.0 upgrade in particular) may require running c_rehash. + +# TRANSLATION UPDATES + [zh_CN] Chinese/simplified (Ji Zheng-Yu) + [cs] Czech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German + [id] Indonesian (Andhika Padmawan) + [it] Italian (Vincenzo Campanella) + [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) + [vi] Vietnamese (Clytie Siddall) + + +fetchmail-6.3.16 (released 2010-04-06, 25574 LoC): + +# BUG FIX +* Fix --interface option, broken in 6.3.15. Reported by Vladmimir Stavrinov. + Fixes Debian Bug #576717. + +# CHANGE +* Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory + and non-standard algorithms in certificates. + Sjoerd Simons, to fix Debian Bug #576430. + OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default. + Reported as OpenSSL RT#2224. + + +fetchmail-6.3.15 (released 2010-03-28, 25572 LoC): # FEATURE * Fetchmail now supports a bad-header command line or rcfile option that takes 
@@ -79,7 +424,9 @@ fetchmail 6.3.15 (not yet released): GnuPG-signed tags, as a sign that these are now closed. * The outdated SVN trunk is now called "oldtrunk" in Git just to save the work for future reference. All development in the past few years was on BRANCH_6-3. -* master was branched from BRANCH_6-3 for user convenience. +* master was branched from BRANCH_6-3. BRANCH_6-3 is now obsolete (and in fact + was also converted to a tag to record where the conversion from SVN to Git + took place). * "make check" now skips HTML validation if xmllint or XHTML DTD are missing. # DOCUMENTATION @@ -370,7 +717,8 @@ fetchmail 6.3.9 (released 2008-11-16): res_search() and dn_skipname() are only used together and scheduled for removal in future versions, so this is probably fine. * No longer complain about invalid sslproto "" when POP3 CAPA probe fails. - Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson). + Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson), + Red Hat Bug#503881. Thanks to Matthias Strauß for a configuration to reproduce the issue. * Allow .fetchmailrc and .fetchids to be symlinks, as the manpage does not document they aren't allowed - fixes Debian Bug #452907 (Roger Leigh). 
@@ -520,23 +868,6 @@ fetchmail 6.3.8 (released 2007-04-06): a MySQL/Tcl-based client-side "delete-after" feature. Kindly donated by Yoo GmbH, Großvoigtsberg, Germany (Carsten Ralle). -# KNOWN BUGS AND WORKAROUNDS: - (this section floats upwards through the NEWS file so it stays with the - current release information) -* fetchmail does not handle messages without Message-ID header well - (See sourceforge.net bug #780933) -* BSMTP is mostly untested and errors can cause corrupt output. -* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in - 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit - fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, - so compiling 32-bit SPARC code should not cause any difficulties. -* fetchmail does not track pending deletes over crashes -* the command line interface is a bit narrow-minded sometimes, for instance, - fetchmail -s doesn't work with a running daemon -* some of the logging output is not very helpful -* some of the documentation is still not up to date - - fetchmail 6.3.7 (released 2007-02-18):
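Review bot: In the @@ -35,6 +37,8 @@ hunk, the new "Kerberos 5 support may be removed" line gives no migration path, while the KNOWN BUGS entry this same patch relocates under 6.3.20 already says Kerberos 5 "may be broken, particularly on Heimdal" and tells users to "Use GSSAPI"; repeat that recommendation here so the deprecation notice points at the supported alternative. The adjacent "--principal option may be removed" line is consistent with the 6.3.18 entry stating that --principal is for Kerberos 4 only, so it should probably be grouped with the Kerberos IV line rather than placed after the Kerberos 5 one.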
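Review bot: In the CVE-2011-3389 entry of the @@ -45,10 +49,351 @@ hunk, the sentence "For technical details, refer to ." has nothing after "refer to"; either the link was lost (an angle-bracketed URL would be swallowed when the file is rendered as HTML) or it was never filled in, so confirm the committed NEWS carries the reference and otherwise drop the sentence, since the next line already points at fetchmail-SA-2012-01.txt. Smaller points in the same hunk: the 6.3.20 translation list reads "[cs] Chech (Petr Pisar)" where the 6.3.19 and 6.3.18 lists say "Czech"; the 6.3.17 entries credit "Michael Banack" twice and "Michael Barnack" once for the same rcfile/fetchmailconf work, so one spelling is wrong; "Vladmimir Stavrinov" in the 6.3.16 entry looks like a typo for Vladimir; "upgradation to TLS" in the 6.3.19 STARTTLS entry would read better as "upgrade to TLS"; and "if no or no global IPv6 addresses are configured" in the relocated known-bugs list needs rewording, for example "if no IPv6 addresses, or no global ones, are configured". Finally, the new headings use the "fetchmail-6.3.22 (...)" form while the unchanged older entries (see the "fetchmail 6.3.9" and "fetchmail 6.3.8" hunk contexts) keep "fetchmail 6.3.x"; pick one style for the whole file.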
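Review bot: The @@ -520,23 +868,6 @@ hunk removes the KNOWN BUGS AND WORKAROUNDS list from the 6.3.8 entry, but the relocated copy under 6.3.20 earlier in this patch does not carry over two of its items, "some of the logging output is not very helpful" and "some of the documentation is still not up to date"; if dropping them is intentional, say so in the commit message, otherwise re-add them to the new list. The remaining items match the relocated copy apart from the rewording of "the command line interface is a bit narrow-minded sometimes" and the added trailing periods, which is fine.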