--------------------------------------------------------------------------------
-fetchmail-6.3.20 (not yet released):
+fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):
# SECURITY BUG FIXES
* CVE-2011-1947:
- Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the set timeout
- (default five minutes) now. This was reported missing, from fetchmail freezes
- beyond a week, by Thomas Jarosch.
+ STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
+ set timeout (default five minutes) now. This was reported missing, with
+ observed fetchmail freezes beyond a week, by Thomas Jarosch.
SSL-wrapped connections were unaffected by this timeout, so users of older
versions can force ssl-wrapped connections -- if supported by the server --
with the --ssl command line or ssl rcfile option.
See fetchmail-SA-2011-01.txt for further details.
# BUG FIXES
-* Do not search for UNSEEN messages in ranges. Usually, there are very few new
- messages and most of the range searches result in nothing. Instead, split the
- long response to make the IMAP driver think that there are multiple lines of
- response. (Sunil Shetye)
+* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
+ new messages and most of the range searches result in nothing. Instead, split
+ the long response to make the IMAP driver think that there are multiple lines
+ of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
there are too many old messages, the logs just get filled without any real
activity. (Sunil Shetye) (suggested by Yunfan Jiang)
+* Build: fetchmail now always uses its own MD5 implementation rather than trying
+ to find a system library with matched header. The library and header variants
+ found on systems are too diverse, and the code size saving is not worth any
+ more wasted user or programmer time.
# CHANGES
-* fetchmail now always uses its own MD5 implementation. The library and header
- variants are too diverse, and we've been bitten before -- and configure
- complains noisily on Cyrus-SASL's RFC1321 md5.h.
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
there is no portable way to configure actual timeouts for this mode, and some
- systems only support a system-wide timeout setting. Thus, fetchmail does not
+ systems only support a system-wide timeout setting. fetchmail does not
attempt to tune the time spans of keepalive mode.
# TRANSLATION UPDATES
[cs] Chech (Petr Pisar)
+ [nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German (Matthias Andree)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
+ [sk] Slovak (Marcel Telka)
+
+# KNOWN BUGS AND WORKAROUNDS
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information - however, it was stuck with 6.3.8 for a while)
+* fetchmail does not handle messages without Message-ID header well
+ (See sourceforge.net bug #780933)
+* BSMTP is mostly untested and errors can cause corrupt output.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail does not track pending deletes over crashes.
+* the command line interface is sometimes a bit stubborn, for instance,
+ fetchmail -s doesn't work with a daemon running.
+* Linux systems may return duplicates of an IP address in some circumstances if
+ no or no global IPv6 addresses are configured.
+ (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
+* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
+ messages. This will not be fixed, because the maintainer has no Kerberos 5
+ server to test against. Use GSSAPI.
fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):
[it] Italian (Vincenzo Campanella)
[pl] Polish (Jakub Bogusz)
-# KNOWN BUGS AND WORKAROUNDS
- (this section floats upwards through the NEWS file so it stays with the
- current release information - however, it was stuck with 6.3.8 for a while)
-* fetchmail does not handle messages without Message-ID header well
- (See sourceforge.net bug #780933)
-* BSMTP is mostly untested and errors can cause corrupt output.
-* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
- 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
- fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
- so compiling 32-bit SPARC code should not cause any difficulties.
-* fetchmail does not track pending deletes over crashes.
-* the command line interface is sometimes a bit stubborn, for instance,
- fetchmail -s doesn't work with a daemon running.
-* Linux systems may return duplicates of an IP address in some circumstances if
- no or no global IPv6 addresses are configured.
- (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
-* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
- messages. This will not be fixed, because the maintainer has no Kerberos 5
- server to test against. Use GSSAPI.
-
fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):
fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode
-Topics: Denial of service in STARTTLS protocol phases
+Topics: fetchmail denial of service in STARTTLS protocol phases
Author: Matthias Andree
-Version: XXX
-Announced: XXX
+Version: 1.0
+Announced: 2011-06-06
Type: Unguarded blocking I/O can cause indefinite application hang
Impact: Denial of service
Danger: low
Acknowledgment: Thomas Jarosch for sending detailed report
CVE Name: CVE-2011-1947
-CVSSv2:
-CVSS scores:
+CVSSv2: (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
+CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL: http://www.fetchmail.info/
2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
- pending fetchmail 6.3.20 release tarball
+ 2011-06-06 fetchmail 6.3.20 release tarball
0. Release history
==================
2011-05-30 0.1 first draft (visible in Git and through oss-security)
+2011-06-06 1.0 release
1. Background
3. Solution
===========
-Install fetchmail 6.3.20 or newer after it will have become available.
-(Note that the announcements may be publicly visible quite some time
-before the release is made, particularly for minor bugs.)
+Install fetchmail 6.3.20 or newer.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued. Several such
-(long-standing) bugs were fixed through recent releases.
+(long-standing) bugs were fixed through recent releases, and an erratum
+notice for SASL authentication was issued.
Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.
-There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!
-
4. Workaround
=============
-A. If supported by the server's configuration, fetchmail can be run in
+If supported by the server's configuration, fetchmail can be run in
ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
ssl3" option must be configured (possibly replacing sslproto tls1 where
configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
the command line (where it applies to all poll configurations).
- It is generally advisable to use --sslcertck to enable SSL
-certificate validation.
-B. If the operating system supports setting all TCP sockets to keepalive
-mode by default, and possibly lowering the delay until keepalive probes
-start, enabling this configuration can protect against hangs through
-silently broken connections, but not against a malicious server.
+It is generally also advisable to enforce SSL certificate validation, by
+either using --sslcertck on the command line, or using sslcertck in a
+"default" configuration entry of the rcfile, or using sslcertck in
+each of the relevant individual poll descriptions of the rcfile.
A. Copyright, License and Non-Warranty
projects / ~andy / fetchmail / commitdiff