fetchmail-6.3.22 (not yet released):
-# SECURITY FIX
-* CVE-2011-3389:
+# SECURITY FIXES
+* for CVE-2012-3482:
+ NTLM: fetchmail mistook an error message that the server sent in response to
+ an NTLM request for protocol exchange, tried to decode it, and crashed while
+ reading from a bad memory location.
+ Also, with a carefully crafted NTLM challenge packet sent from the server, it
+ would be possible that fetchmail conveyed confidential data not meant for the
+ server through the NTLM response packet.
+ Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
+ NTLM authentication in case of error.
+ See fetchmail-SA-2012-02.txt for further details.
+ Reported by J. Porter Clark.
+
+* for CVE-2011-3389:
SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
against a certain kind of attack against cipher block chaining initialization
vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
* The Server certificate: message in verbose mode now appears on stdout like the
remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
-# CHANGE
+* The GSSAPI-related autoconf code now matches gssapi.c better, and uses
+ a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
+ This fixes the GSSAPI-enabled build on NetBSD 6 Beta.
+
+# CHANGES
* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
reference it (to fix the build) and if configured, print a run-time error
but note that that bug report has a more thorough patch that does away with
SSLv2 altogether.
+* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
+ under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
+ was dropped). The Creative Commons address was updated.
+
+* The Python-related Makefile.am parts were simplified to avoid an automake
+ 1.11.X bug around noinst_PYTHON, Automake Bug #10995.
+
+* Configuring fetchmail without SSL now triggers a configure warning,
+ and asks the user to consider running configure --with-ssl.
+
# WORKAROUND
* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
a header request, in the face of message corruption. fetchmail now treats
messages (with a "meeting.ics" attachment). fetchmail now treats these as
transient errors. Report by John Connett, Patch by Sunil Shetye.
+# TRANSLATION UPDATES
+* New Swedish [sv] translation, courtesy of Göran Uddeborg.
+
fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):