* The --bsmtp - mode of operation may be removed in a future release.
* Given that OpenSSL is severely underdocumented, and needs license exceptions,
fetchmail may switch to a different SSL library.
+* SSLv2 support will be removed from a future fetchmail release. It has been
+ obsolete for more than a decade.
--------------------------------------------------------------------------------
+fetchmail-6.3.22 (not yet released):
+
+# SECURITY FIXES
+* CVE-2012-(not yet assigned):
+ NTLM: fetchmail mistook an error message that the server sent in response to
+ an NTLM request for protocol exchange, tried to decode it, and crashed while
+ reading from a bad memory location.
+ Fix: Detect base64 decoding errors and abort NTLM authentication.
+ See fetchmail-SA-2012-02.txt for further details.
+ Reported by J. Porter Clark.
+
+* CVE-2011-3389:
+ SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
+ against a certain kind of attack against cipher block chaining initialization
+ vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
+ Whether this creates an exploitable situation, depends on the server and the
+ negotiated ciphers.
+ As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
+
+ NOTE that this can cause connections to certain non-conforming servers to
+ fail, in which case you can set the environment variable
+ FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
+ fetchmail to re-instate the compatibility option at the expense of security.
+
+ Reported by Apple Product Security.
+
+ For technical details, refer to <http://www.openssl.org/~bodo/tls-cbc.txt>.
+ See fetchmail-SA-2012-01.txt for further details.
+
+# BUG FIX
+* The Server certificate: message in verbose mode now appears on stdout like the
+ remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
+
+# CHANGES
+* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
+ newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
+ reference it (to fix the build) and if configured, print a run-time error
+ that the OS does not support SSLv2. Fixes Debian Bug #622054,
+ but note that that bug report has a more thorough patch that does away with
+ SSLv2 altogether.
+
+* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
+ under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
+ was dropped). The Creative Commons address was updated.
+
+# WORKAROUND
+* Some servers, notably Zimbra, return A1234 987 FETCH () in response to
+ a header request, in the face of message corruption. fetchmail now treats
+ these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
+
+* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
+ without any header in response to a header request for meeting reminder
+ messages (with a "meeting.ics" attachment). fetchmail now treats these as
+ transient errors. Report by John Connett, Patch by Sunil Shetye.
+
+# TRANSLATION UPDATES
+* New Swedish [sv] translation, courtesy of Göran Uddeborg.
+
+
+fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):
+
+# CRITICAL BUG FIX
+* The IMAP client no longer inserts NUL bytes into the last line of a message
+ when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt.
+ As a side effect of the fix, and in order to avoid a full rewrite, fetchmail
+ will now CRLF-terminate the last line fetched through IMAP, even if it is
+ originally not terminated by LF or CRLF. This bears no relevance if your
+ messages end up in mbox, but adds line termination for storages (like Maildir)
+ that do not require that the last line be LF- or CRLF-terminated.
+
+# CONTRIB/ addition
+* There is a patch against fetchnews's source, contrib/rawlog.patch, that can
+ log (and hexdump non-printing characters) raw socket data to a file. It proved
+ useful to debug Antoine's bug described above.
+
+
+fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
+
+# SECURITY BUG FIXES
+* CVE-2011-1947:
+ STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
+ set timeout (default five minutes) now. This was reported missing, with
+ observed fetchmail freezes beyond a week, by Thomas Jarosch.
+ SSL-wrapped connections were unaffected by this timeout, so users of older
+ versions can force ssl-wrapped connections -- if supported by the server --
+ with the --ssl command line or ssl rcfile option.
+ See fetchmail-SA-2011-01.txt for further details.
+
+# BUG FIXES
+* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
+ new messages and most of the range searches result in nothing. Instead, split
+ the long response to make the IMAP driver think that there are multiple lines
+ of response. (Sunil Shetye)
+* Do not print "skipping message" for old messages even in verbose mode. If
+ there are too many old messages, the logs just get filled without any real
+ activity. (Sunil Shetye) (suggested by Yunfan Jiang)
+* Build: fetchmail now always uses its own MD5 implementation rather than trying
+ to find a system library with matched header. The library and header variants
+ found on systems are too diverse, and the code size saving is not worth any
+ more wasted user or programmer time.
+
+# CHANGES
+* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
+* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
+ there is no portable way to configure actual timeouts for this mode, and some
+ systems only support a system-wide timeout setting. fetchmail does not
+ attempt to tune the time spans of keepalive mode.
+
+# TRANSLATION UPDATES
+ [cs] Chech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
+ [fr] French (Frédéric Marchal)
+ [de] German (Matthias Andree)
+ [ja] Japanese (Takeshi Hamasaki)
+ [pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+# KNOWN BUGS AND WORKAROUNDS
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information - however, it was stuck with 6.3.8 for a while)
+* fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail does not track pending deletes over crashes.
+* the command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running.
+* Linux systems may return duplicates of an IP address in some circumstances if
+ no or no global IPv6 addresses are configured.
+ (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
+* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
+ messages. This will not be fixed, because the maintainer has no Kerberos 5
+ server to test against. Use GSSAPI.
+
+
fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
# ERRATUM NOTICE ISSUED
[it] Italian (Vincenzo Campanella)
[pl] Polish (Jakub Bogusz)
-# KNOWN BUGS AND WORKAROUNDS
- (this section floats upwards through the NEWS file so it stays with the
- current release information - however, it was stuck with 6.3.8 for a while)
-* fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
- 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
- fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
- so compiling 32-bit SPARC code should not cause any difficulties.
-* fetchmail does not track pending deletes over crashes.
-* the command line interface is sometimes a bit stubborn, for instance,
- fetchmail -s doesn't work with a daemon running.
-* Linux systems may return duplicates of an IP address in some circumstances if
- no or no global IPv6 addresses are configured.
- (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
-* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
- messages. This will not be fixed, because the maintainer has no Kerberos 5
- server to test against. Use GSSAPI.
-
fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):