X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=NEWS;h=8d719deab4e9dd9b501cdb9ab38f3e5c8b410146;hb=b49043f4af0069e2e85c19be7586f3617893e37c;hp=86657c135caab49797bce462d553528f7e56c6ea;hpb=6fdb9350ecdfd0dc7f65975ac9b4d6ba00161b19;p=~andy%2Ffetchmail diff --git a/NEWS b/NEWS index 86657c13..8d719dea 100644 --- a/NEWS +++ b/NEWS 
@@ -51,32 +51,162 @@ removed from a 6.4.0 or newer release.) * The --bsmtp - mode of operation may be removed in a future release. * Given that OpenSSL is severely underdocumented, and needs license exceptions, fetchmail may switch to a different SSL library. +* SSLv2 support will be removed from a future fetchmail release. It has been + obsolete for more than a decade. -------------------------------------------------------------------------------- -fetchmail-6.3.20 (not yet released): +fetchmail-6.3.22 (not yet released): + +# SECURITY FIXES +* for CVE-2012-3482: + NTLM: fetchmail mistook an error message that the server sent in response to + an NTLM request for protocol exchange, tried to decode it, and crashed while + reading from a bad memory location. + Also, with a carefully crafted NTLM challenge packet sent from the server, it + would be possible that fetchmail conveyed confidential data not meant for the + server through the NTLM response packet. + Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort + NTLM authentication in case of error. + See fetchmail-SA-2012-02.txt for further details. + Reported by J. Porter Clark. + +* for CVE-2011-3389: + SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure + against a certain kind of attack against cipher block chaining initialization + vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS). + Whether this creates an exploitable situation, depends on the server and the + negotiated ciphers. + As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. + + NOTE that this can cause connections to certain non-conforming servers to + fail, in which case you can set the environment variable + FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting + fetchmail to re-instate the compatibility option at the expense of security. + + Reported by Apple Product Security. + + For technical details, refer to . 
+ See fetchmail-SA-2012-01.txt for further details. + +# BUG FIX +* The Server certificate: message in verbose mode now appears on stdout like the + remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807. + +* The GSSAPI-related autoconf code now matches gssapi.c better, and uses + a different check to look for GSS_C_NT_HOSTBASED_SERVICE. + This fixes the GSSAPI-enabled build on NetBSD 6 Beta. # CHANGES -* fetchmail no longer supports SSL v2, nor the corresponding SSL2 option to - --sslproto. SSLv2 is insecure and had been deprecated 15 years ago. fetchmail - will actively forbid SSLv2 negotiation by means of SSL_OP_NO_SSLv2. - To fix Debian Bug#622054. -* fetchmail now always uses its own MD5 implementation. The library and header - variants are too diverse, and we've been bitten before -- and configure - complains noisily on Cyrus-SASL's RFC1321 md5.h. -* fetchmail now supports an environment variable to suppress marking deleted - messages as seen at the same time, FETCHMAIL_IMAP_DELETED_REMAINS_UNSEEN. - See the manual page for details. Requested by Jonathan Buschmann. +* On systems where SSLv2_client_method isn't defined in OpenSSL (such as + newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't + reference it (to fix the build) and if configured, print a run-time error + that the OS does not support SSLv2. Fixes Debian Bug #622054, + but note that that bug report has a more thorough patch that does away with + SSLv2 altogether. + +* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now + under the more relaxed CC BY-ND 3.0 license (the noncommercial clause + was dropped). The Creative Commons address was updated. + +* The Python-related Makefile.am parts were simplified to avoid an automake + 1.11.X bug around noinst_PYTHON, Automake Bug #10995. + +* Configuring fetchmail without SSL now triggers a configure warning, + and asks the user to consider running configure --with-ssl. 
+ +# WORKAROUND +* Some servers, notably Zimbra, return A1234 987 FETCH () in response to + a header request, in the face of message corruption. fetchmail now treats + these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat. + +* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed." + without any header in response to a header request for meeting reminder + messages (with a "meeting.ics" attachment). fetchmail now treats these as + transient errors. Report by John Connett, Patch by Sunil Shetye. + +# TRANSLATION UPDATES +* New Swedish [sv] translation, courtesy of Göran Uddeborg. + + +fetchmail-6.3.21 (released 2011-08-21, 26011 LoC): + +# CRITICAL BUG FIX +* The IMAP client no longer inserts NUL bytes into the last line of a message + when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt. + As a side effect of the fix, and in order to avoid a full rewrite, fetchmail + will now CRLF-terminate the last line fetched through IMAP, even if it is + originally not terminated by LF or CRLF. This bears no relevance if your + messages end up in mbox, but adds line termination for storages (like Maildir) + that do not require that the last line be LF- or CRLF-terminated. + +# CONTRIB/ addition +* There is a patch against fetchnews's source, contrib/rawlog.patch, that can + log (and hexdump non-printing characters) raw socket data to a file. It proved + useful to debug Antoine's bug described above. + + +fetchmail-6.3.20 (released 2011-06-06, 26005 LoC): + +# SECURITY BUG FIXES +* CVE-2011-1947: + STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the + set timeout (default five minutes) now. This was reported missing, with + observed fetchmail freezes beyond a week, by Thomas Jarosch. + SSL-wrapped connections were unaffected by this timeout, so users of older + versions can force ssl-wrapped connections -- if supported by the server -- + with the --ssl command line or ssl rcfile option. 
+ See fetchmail-SA-2011-01.txt for further details. # BUG FIXES +* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few + new messages and most of the range searches result in nothing. Instead, split + the long response to make the IMAP driver think that there are multiple lines + of response. (Sunil Shetye) +* Do not print "skipping message" for old messages even in verbose mode. If + there are too many old messages, the logs just get filled without any real + activity. (Sunil Shetye) (suggested by Yunfan Jiang) +* Build: fetchmail now always uses its own MD5 implementation rather than trying + to find a system library with matched header. The library and header variants + found on systems are too diverse, and the code size saving is not worth any + more wasted user or programmer time. + +# CHANGES * Call strlen() only once when removing CRLF from a line. (Sunil Shetye) -* Do not search for UNSEEN messages in ranges. Usually, there are very few new - messages and most of the range searches result in nothing. Instead, split the - long response to make the IMAP driver think that there are multiple lines of - response. (Sunil Shetye) +* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that + there is no portable way to configure actual timeouts for this mode, and some + systems only support a system-wide timeout setting. fetchmail does not + attempt to tune the time spans of keepalive mode. 
# TRANSLATION UPDATES + [cs] Chech (Petr Pisar) + [nl] Dutch (Erwin Poeze) + [fr] French (Frédéric Marchal) + [de] German (Matthias Andree) [ja] Japanese (Takeshi Hamasaki) + [pl] Polish (Jakub Bogusz) + [sk] Slovak (Marcel Telka) + +# KNOWN BUGS AND WORKAROUNDS + (this section floats upwards through the NEWS file so it stays with the + current release information - however, it was stuck with 6.3.8 for a while) +* fetchmail does not handle messages without Message-ID header well + (See sourceforge.net bug #780933) +* BSMTP is mostly untested and errors can cause corrupt output. +* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in + 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit + fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, + so compiling 32-bit SPARC code should not cause any difficulties. +* fetchmail does not track pending deletes over crashes. +* the command line interface is sometimes a bit stubborn, for instance, + fetchmail -s doesn't work with a daemon running. +* Linux systems may return duplicates of an IP address in some circumstances if + no or no global IPv6 addresses are configured. + (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) +* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error + messages. This will not be fixed, because the maintainer has no Kerberos 5 + server to test against. Use GSSAPI. fetchmail-6.3.19 (released 2010-12-10, 25945 LoC): 
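Review bot: the CVE-2011-3389 entry ends with "For technical details, refer to ." with no reference target after "refer to"; either restore the document or URL that sentence pointed at, or drop the sentence, since the following line already directs readers to fetchmail-SA-2012-01.txt. Two smaller points in the same hunk: the headings are inconsistent across releases ("# BUG FIX" under 6.3.22 lists two fixes and should read "# BUG FIXES" like the other sections, and "# SECURITY FIXES" under 6.3.22 vs "# SECURITY BUG FIXES" under 6.3.20 should use one form), and "[cs] Chech" in the translation updates should be "Czech". Since the CVE-2011-3389 entry introduces a new environment variable, FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE, it is worth confirming the manual page documents it and states that setting it trades security for compatibility, as this NEWS text does.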
@@ -120,26 +250,6 @@ fetchmail-6.3.19 (released 2010-12-10, 25945 LoC): [it] Italian (Vincenzo Campanella) [pl] Polish (Jakub Bogusz) -# KNOWN BUGS AND WORKAROUNDS - (this section floats upwards through the NEWS file so it stays with the - current release information - however, it was stuck with 6.3.8 for a while) -* fetchmail does not handle messages without Message-ID header well - (See sourceforge.net bug #780933) -* BSMTP is mostly untested and errors can cause corrupt output. -* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in - 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit - fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, - so compiling 32-bit SPARC code should not cause any difficulties. -* fetchmail does not track pending deletes over crashes. -* the command line interface is sometimes a bit stubborn, for instance, - fetchmail -s doesn't work with a daemon running. -* Linux systems may return duplicates of an IP address in some circumstances if - no or no global IPv6 addresses are configured. - (No workaround. Ubuntu Bug#582585, Novell Bug#606980.) -* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error - messages. This will not be fixed, because the maintainer has no Kerberos 5 - server to test against. Use GSSAPI. - fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
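Review bot: dropping the KNOWN BUGS AND WORKAROUNDS block from the 6.3.19 section matches the block's own note that it floats upwards to stay with the current release information, but in the previous hunk the block is re-added under 6.3.20 rather than under the topmost 6.3.22 entry, so a reader of the current release still has to scroll down two releases to find it; consider moving it up to 6.3.22. The re-added text is otherwise identical to what is removed here, so no known-bug entries are lost by this change.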