X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=website%2Findex.html;h=3cd4eeae21a396890af552d20a3f39d5faa0a279;hb=fb3286d03c35f4ccfdeb89669adf47d7ce7aeebe;hp=344513ed1a4464a21de031e44af747106682adbc;hpb=43dbe528ea249ac2d2fb7534be99282b549d4eeb;p=~andy%2Ffetchmail diff --git a/website/index.html b/website/index.html index 344513ed..3cd4eeae 100644 --- a/website/index.html +++ b/website/index.html @@ -6,6 +6,7 @@ + Fetchmail @@ -14,79 +15,64 @@ - +
Fetchmail2008-06-172013-03-18
-logo: a hand presenting an envelope +logo: a hand presenting an envelope

Fetchmail

- -
-

ADDITIONAL FIXES FOR FETCHMAIL 6.3.8 RELEASE

-

New 2008-06-17: After the fetchmail-6.3.8 release described below, -two denial-of-service vulnerabilities (CVE-2007-4565) were discovered, but a new -release is not yet available. Patches are parts of the security announcements:

- -

On 2008-04-24, the FAQ (also available as PDF), manual page and fetchmail-SA-2007-01.txt (CVE-2007-1558) have been revised.

-

On 2007-04-06, fetchmail-6.3.8 -was released (this is the download link), fixing up further fallout from the CVE-2006-5867 fix, fixing long-standing bugs, and strengthening the APOP client in response to CVE-2007-1558. Click here to see the change details.

- -

FETCHMAIL 6.2.X UNSUPPORTED AND VULNERABLE - USE 6.3.X INSTEAD

-

fetchmail 6.2.X versions are susceptible to CVE-2006-5867 and CVE-2007-1558 and should be replaced by the most current 6.3.X version. Support has been discontinued as of 2006-01-22.

- - +
+

NEWS: FETCHMAIL 6.3.25 RELEASE

+

On 2013-03-18, fetchmail-6.3.25 + has been released (this is the download link), fixing a few + minor bugs, improving OpenSSL error reporting, and adding an + Esperanto-language translation. You + can also download from sourceforge.net by clicking here. +
It is a recommended update for all users and distributors. Click + here to see the change details.

+ +

SSL issues after upgrade to OpenSSL 1.0.0?

+

If your fetchmail upgrade entails an upgrade of the OpenSSL + library to 1.0.0, remember to re-run c_rehash + /path/to/certs, where the last part is whatever argument + you give to fetchmail's sslcertpath option. Details: + please see fetchmail's FAQ item + R14..

-

SECURITY ALERTS

-

NEW CVE-2008-2711: Fetchmail can crash in verbose mode when logging long message headers. This bug will be fixed in release 6.3.9. For the nonce, use the patch contained in the security announcement.

-

CVE-2007-4565: Fetchmail can crash when the SMTP server refuses a warning message generated by fetchmail. This bug was introduced in fetchmail 4.6.8 and will be fixed in release 6.3.9. For the nonce, use the patch contained in this security announcement.

-

CVE-2007-1558: Fetchmail's APOP client was found to validate APOP challenges insufficiently, making man-in-the-middle attacks on APOP secrets unnecessarily easier than need be. This bug was long-standing, fetchmail 6.3.8 validates the APOP challenge stricter.

-

CVE-2006-5974: Fetchmail was found to crash when refusing a message that was bound to be delivered by an MDA. This bug was introduced into fetchmail 6.3.5 and fixed in 6.3.6.

-

CVE-2006-5867: Fetchmail was found to omit TLS or send the password in clear text despite the configuration stating otherwise. This was a long-standing bug reported by Isaac Wilcox, fixed in fetchmail 6.3.6. There will be no 6.2.X releases to fix this bug in 6.2.X.

-

CVE-2006-0321: Fetchmail was found to crash after bouncing a message with bad addresses. This bug was introduced with fetchmail 6.3.0 and fixed in fetchmail 6.3.2.

-

CVE-2005-4348: Fetchmail was found to contain a bug (null pointer dereference) that can be exploited to a denial of service attack when fetchmail runs in multidrop mode. 6.2.5.5 and 6.3.1 have this bug fixed.

-

CVE-2005-3088: Fetchmailconf was found to open the configuration files world-readable, writing data to them, and only then tightening up permissions, which may cause password information to be visible to other users. This bug affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail 6.2.5.4 and 6.3.0.

-

CVE-2005-2335: Fetchmail was found to contain a remotely exploitable code injection vulnerability (potentially privileged code) in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases. 6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not been checked if they contain this bug.)

+

SECURITY ALERTS

+

These have been moved to a separate + page (click here for security information) to unclutter the + front page. -

Please update to fetchmail version 6.3.8 and apply the two patches from the security announcements CVE-2007-4565 and CVE-2008-2711 above.

+

Please update + to the newest fetchmail version.
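
Review bot: With the "FETCHMAIL 6.2.X UNSUPPORTED AND VULNERABLE" block deleted and the SECURITY ALERTS list replaced by a pointer, the front page no longer says anywhere that 6.2.X is unsupported and susceptible to CVE-2006-5867 and CVE-2007-1558; the only remaining advice is "Please update to the newest fetchmail version." Suggest keeping a one-line 6.2.X end-of-support notice next to the link to the separate security page, so that a reader on an old release sees it without clicking through. Minor: the added OpenSSL 1.0.0 paragraph ends with "R14.." (doubled full stop).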

@@ -154,38 +140,35 @@ for discussion of some of the design choices in fetchmail.

See the project's To-Do list for indications of known problems and requested features.

-

The developers use Subversion for revision control. -To get the latest development version, point your subversion client at http://mknod.org/svn/fetchmail/trunk/.

+

The developers use Git for revision +control. To browse the repository or to get the latest development version, +find the instructions at http://gitorious.org/fetchmail/fetchmail.

-

See the project +

See the project page for more, including downloads. -(However, note that we no longer use the subversion repository that Berlios provides.)

+href="http://developer.berlios.de/project/showfiles.php?group_id=1824">downloads.

Getting help with fetchmail:

-

-There is a fetchmail-users list for help and other user discussion +

Before submitting a question anywhere, please read the FAQ (especially item G3 on how to report problems). We tend to get +the same three newbie questions over and over again. The FAQ covers them like +a blanket.

+ +

There is a fetchmail-users list for help and other user discussion of fetchmail. It's a MailMan list, which you can sign up for at -fetchmail-users@lists.berlios.de. There is also a +fetchmail-users@lists.berlios.de. +
There is also a fetchmail-devel list for people who want to discuss fixes and improvements in fetchmail and help co-develop it. That one is at fetchmail-devel@lists.berlios.de. -Finally, there is an announcements-only list, Finally, there is an announcements-only list, fetchmail-announce@lists.berlios.de.

-

Note: before submitting a question to the lists, please read -the FAQ (especially item G3 on how to report bugs). We -tend to get the same three newbie questions over and over again. The -FAQ covers them like a blanket.

-

Maintainer History

Fetchmail originated as a program called popclient, written by Carl Harris. In 1996, Eric @@ -278,8 +261,10 @@ href="http://www.steines.com/mailf/">here.

- -BerliOS Logo - +

+Valid HTML 4.01 Transitional + Valid CSS + BerliOS Logo +
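
Review bot: In the @@ -154,38 +140,35 @@ hunk, the added repository pointer "http://gitorious.org/fetchmail/fetchmail" and the download href kept on the changed line, "http://developer.berlios.de/project/showfiles.php?group_id=1824", are both plain http, so the page sends readers to fetch source and release files over a channel that can be altered in transit. If those hosts serve https, link to that instead, and consider adding a sentence beside the download link on how a release can be verified after download.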