public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] fetchmail: Update to version 6.4.32
Date: Mon, 12 Sep 2022 09:39:34 +0000
Message-ID: <5ce022f6-0ddb-9ef3-ee43-69a7485a91f5@ipfire.org>
In-Reply-To: <20220824075002.2933-1-adolf.belka@ipfire.org>


Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from version 6.4.19 to 6.4.32
> - Update of rootfile not required
> - Changelog - range of security and bug fixes
>     fetchmail-6.4.32 (released 2022-07-30, 31696 LoC):
> 	# FIXES:
> 		* Use configure to find rst2html, some systems install it only with .py suffix,
> 		  others only without, and some install both.
> 		* Update README.maintainer
> 	# TRANSLATIONS: language translations were updated by these fine people:
> 		(in alphabetical order of language codes so as not to prefer people):
> 		* cs:    Petr Pisar [Czech]
> 		* es:    Cristian Othón Martínez Vera [Spanish]
> 		* ja:    Takeshi Hamasaki [Japanese]
> 		* pl:    Jakub Bogusz [Polish]
> 		* ro:    Remus-Gabriel Chelu [Romanian]
> 		* sq:    Besnik Bleta [Albanian]
> 		* sv:    Göran Uddeborg [Swedish]
>     fetchmail-6.4.31 (released 2022-07-16, 31694 LoC):
> 	# BUG FIXES:
> 		* Try to fix ./configure --with-ssl=... for systems that have multiple OpenSSL
> 		  versions installed.  Issues reported by Dennis Putnam.
> 		* The netrc parser now reports its errors to syslog or logfile when appropriate,
> 		  previously it would always log to stderr.
> 		* Add error checking to .netrc parser.
> 	# CHANGES:
> 		* manpage: use .UR/.UE macros instead of .URL for URIs.
> 		* manpage: fix contractions. Found with FreeBSD's igor tool.
> 		* manpage: HTML now built with pandoc -> python-docutils
> 		  (manServer.pl was dropped)
>     fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
> 	# BREAKING CHANGES:
> 		* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
> 	# CHANGES:
> 		* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
> 		* Using OpenSSL 3.* before 3.0.2  elicits a compile-time warning.
> 		* configure.ac was tweaked in order to hopefully fix cross-compilation issues
> 		  report, and different patch suggested, by Fabrice Fontaine,
> 		  https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
> 	# TRANSLATIONS: language translations were updated by this fine person:
> 		* ro:    Remus-Gabriel Chelu [Romanian]
>     fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
> 	# TRANSLATIONS: language translations were updated by this fine person:
> 		* vi:    Trần Ngọc Quân [Vietnamese]
>     fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
> 	# DOCUMENTATION:
> 		* Fix a typo in the manual page, courtesy of Jeremy Petch.
> 	# TRANSLATIONS: language translations were updated by this fine person:
> 		* es:    Cristian Othón Martínez Vera [Spanish]
>     fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):
> 	# BREAKING CHANGES:
> 		* Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.
> 	# TRANSLATIONS: language translations were updated by this fine person:
> 		* ro:    Remus-Gabriel Chelu [Romanian]
>     fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):
> 	# FIXES:
> 		* When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when
> 		  receiving handshake records while still in SSL_peek(). Workaround is to read
> 		  1 byte and cache it, then call SSL_peek() again.
> 		  This affects only some servers. https://github.com/wolfSSL/wolfssl/issues/4593
> 	# TRANSLATIONS: language translations were updated by this fine person:
> 		* sr:    Мирослав Николић (Miroslav Nikolić) [Serbian]
>     fetchmail-6.4.25 (released 2021-12-10, 31653 LoC):
> 	# BREAKING CHANGES:
> 		* Since distributions continue patching for LibreSSL use, which cannot be
> 		  linked legally, block out LibreSSL in configure.ac and socket.c, and
> 		  refer to COPYING, unless on OpenBSD (which ships it in the base system).
> 		  OpenSSL and wolfSSL 5 can be used.  SSL-related documentation was updated, do
> 		  re-read COPYING, INSTALL, README, README.packaging, README.SSL.
> 		* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
> 		  the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and
> 		  older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is
> 		  publicly available from https://www.openssl.org/source/old/1.0.2/
> 		* Some of the configure.ac fiddling MIGHT have broken cross-compilation
> 		  again. The maintainer does not test cross-compiling fetchmail; if you
> 		  have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path
> 		  containing your target/host libraries, or see if --with-ssl-prefix or
> 		  --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help.
> 		  Feedback solicited on compliant systems that are before end-of-life.
> 	# BUG FIXES:
> 		* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
> 		  contained a typo and would not kick in properly.
> 		* Library and/or rpath setting from configure.ac was fixed.
> 	# ADDITIONS:
> 		* Added an example systemd unit file and instructions to contrib/systemd/
> 		  which runs fetchmail as a daemon with 5-minute poll intervals.
> 		  Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.
> 		* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
> 		  see INSTALL and README.SSL. This is considered experimental.
> 		  Feedback solicited.
> 	# CHANGES:
> 		* The getstats.py dist-tool now counts lines of .ac and .am files.
> 		* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
> 	# TRANSLATIONS: language translations were updated by these fine people:
> 		(in reverse alphabetical order of language codes so as not to prefer people):
> 		* sv:    Göran Uddeborg [Swedish]
> 		* sq:    Besnik Bleta [Albanian]
> 		* pl:    Jakub Bogusz [Polish]
> 		* ja:    Takeshi Hamasaki [Japanese]
> 		* fr:    Frédéric Marchal [French]
> 		* eo:    Keith Bowes [Esperanto]
> 		* cs:    Petr Pisar [Czech]
>     fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
> 	# OPENSSL AND LICENSING NOTE:
> 		> see fetchmail-6.4.22 below, and the file COPYING.
> 		  Note that distribution of packages linked with LibreSSL is not feasible
> 		  due to a missing GPLv2 clause 2(b) exception.
> 	# COMPATIBILITY:
> 		* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
> 		  warning workaround. Remove the cast of yytoknum to void.  This may cause
> 		  a compiler warning to reappear with older Bison versions.
> 		* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
> 		  certificate in its trust store because OpenSSL by default prefers the
> 		  untrusted certificate and fails.  Fetchmail now sets the
> 		  X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only).
> 		  This is workaround #2 from the OpenSSL Blog.  For details, see both:
> 		  https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
> 		  https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
> 		  NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library
> 		  is kept up to date by a distributor or via OpenSSL support contract.
> 		  Where this is not the case, please upgrade to a supported OpenSSL version.
> 	# DOCUMENTATION:
> 		* The manual page was revised after re-checking with mandoc -Tlint, aspell,
> 		  igor. Some more revisions were made for clarity.
> 	# TRANSLATIONS: language translations were updated by these fine people:
> 		* sv:    Göran Uddeborg [Swedish]
> 		* pl:    Jakub Bogusz [Polish]
> 		* fr:    Frédéric Marchal [French]
> 		* cs:    Petr Pisar [Czech]
> 		* eo:    Keith Bowes [Esperanto]
> 		* ja:    Takeshi Hamasaki [Japanese]
>     fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):
> 	# USABILITY:
> 		* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
> 		  - no matter its contents - and that set auth ssh), change the STARTTLS
> 		  error message to suggest sslproto '' instead.
> 		  This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
> 		  Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.
> 	# TRANSLATIONS: language translations were updated by these fine people:
> 		* ja:    Takeshi Hamasaki [Japanese]
> 		* sr:	 Мирослав Николић (Miroslav Nikolić) [Serbian]
>     fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):
> 	# OPENSSL AND LICENSING NOTE:
> 		* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
> 		  OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay
> 		  license to Apache License v2.0, which is considered incompatible with GPL v2
> 		  by the FSF.  For implications and details, see the file COPYING.
> 	# SECURITY FIXES:
> 		* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and
> 		  with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when
> 		  the server or an attacker sends a PREAUTH greeting, fetchmail used to continue
> 		  an unencrypted connection.  Now, log the error and abort the connection.
> 		  --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on
> 		  a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
> 		  --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why
> 		  TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email
> 		  Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian
> 		  Schinzel.  The paper did not mention fetchmail.
> 		* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS
> 		  negotiation.
> 		* On IMAP connections, fetchmail does not permit overriding a server-side
> 		  LOGINDISABLED with --auth password any more.
> 		* On POP3 connections, the possibility for RPA authentication (by probing with
> 		  an AUTH command without arguments) no longer prevents STARTTLS negotiation.
> 		* For POP3 connections, only attempt RPA if the authentication type is "any".
> 	# BUG FIXES:
> 		* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the
> 		  tagged (= final) response, do not send "*".
> 		* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send
> 		  a "=" for protocol compliance.
> 		* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server
> 		  advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4
> 		  has not supported and does not support the separate challenge/response with
> 		  command continuation)
> 		* On IMAP connections, when --auth external is requested but not advertised by
> 		  the server, log a proper error message.
> 		* Fetchmail no longer crashes when attempting a connection with --plugin "" or
> 		  --plugout "".
> 		* Fetchmail no longer leaks memory when processing the arguments of --plugin or
> 		  --plugout on connections.
> 		* On POP3 connections, the CAPAbilities parser is now caseblind.
> 		* Fix segfault on configurations with "defaults ... no envelope". Reported by
> 		  Bjørn Mork. Fixes Debian Bug#992400.  This is a regression in fetchmail 6.4.3
> 		  and happened when plugging memory leaks, which did not account for that the
> 		  envelope parameter is special when set as "no envelope". The segfault happens
> 		  in a constant strlen(-1), triggered by trusted local input => no vulnerability.
> 		* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is
> 		  given with OpenSSL 1.1.0 API compatible SSL implementations.
> 	# CHANGES:
> 		* IMAP: When fetchmail is in not-authenticated state and the server volunteers
> 		  CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail
> 		  must and will re-probe explicitly.)
> 		* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
> 		  do not match, emit a warning and continue. Closes Gitlab #31.
> 		  (cherry-picked from 6.5 beta branch "legacy_6x")
> 		* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997
> 		  recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer,
> 		  placing --sslproto tls1.2+ more prominently.
> 		  The defaults shall not change between 6.4.X releases for compatibility.
> 	# TRANSLATIONS: language translations were updated by these fine people:
> 		* sq:    Besnik Bleta [Albanian]
> 		* cs:    Petr Pisar [Czech]
> 		* eo:    Keith Bowes [Esperanto]
> 		* fr:    Frédéric Marchal [French]
> 		* pl:    Jakub Bogusz [Polish]
> 		* sv:    Göran Uddeborg [Swedish]
>     fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
> 	# REGRESSION FIX:
> 		* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
> 		  messages logged to buffered outputs, from --logfile and --syslog.
> 		  This also caused lines in the logfile to run into one another because
> 		  the fragment containing the '\n' line-end character was usually lost.
> 		  Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
> 		  interface), the length of log message fragments was added up twice, so
> 		  that these ended too deep into a freshly allocated buffer, after the '\0'
> 		  byte.  Unbuffered outputs flushed the fragments right away, which masked the
> 		  bug.
>     fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):
> 	# SECURITY FIX:
> 		* When a log message exceeds c. 2 kByte in size, for instance, with very long
> 		  header contents, and depending on verbosity option, fetchmail can crash or
> 		  misreport each first log message that requires a buffer reallocation.
> 		  fetchmail then reallocates memory and re-runs vsnprintf() without another
> 		  call to va_start(), so it reads garbage. The exact impact depends on
> 		  many factors around the compiler and operating system configurations used and
> 		  the implementation details of the stdarg.h interfaces of the two functions
> 		  mentioned before. To fix CVE-2021-36386.
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  lfs/fetchmail | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lfs/fetchmail b/lfs/fetchmail
> index 00ee6a634..6a4860e32 100644
> --- a/lfs/fetchmail
> +++ b/lfs/fetchmail
> @@ -26,7 +26,7 @@ include Config
>  
>  SUMMARY    = Full-Featured POP and IMAP Mail Retrieval Daemon
>  
> -VER        = 6.4.19
> +VER        = 6.4.32
>  
>  THISAPP    = fetchmail-$(VER)
>  DL_FILE    = $(THISAPP).tar.xz
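Review bot: the VER bump from 6.4.19 to 6.4.32 in this hunk pulls in two security fixes (CVE-2021-36386 in 6.4.20, together with its 6.4.21 regression fix, and CVE-2021-39272 in 6.4.22), but neither the subject line nor the three summary lines above the changelog mark the update as security-relevant; consider saying so in the commit message so the change is easy to find later. The CVE-2021-39272 fix also changes behaviour: per the 6.4.22 and 6.4.23 entries, IMAP sessions configured with a non-empty --sslproto but without --ssl now abort on a PREAUTH greeting, and ssh-based PREAUTH setups have to switch to sslproto ''. Users with such rcfiles will see their polls fail after this update, which deserves a line in the commit message or the release notes.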
> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  PROG       = fetchmail
> -PAK_VER    = 11
> +PAK_VER    = 12
>  
>  DEPS       =
>  
> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 679d2c49698dd368d32439a8276412e3f32c0a0f6f0e7607bc323c0294c987307469451b4b085fe521f2d5dd4869d59b4841762b6a57b3c654b992e9de8ba87c
> +$(DL_FILE)_BLAKE2 = 5d6311c46053abc2e5b040273f04d9df5e737dcd938d1370bcd84415e422ec6a05126ecb59efcad9254e37338671cf7bfa224ea1015b83e8e93483cbeb033b7a
>  
>  install : $(TARGET)
>  

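The two log-buffer entries quoted above (the 6.4.20 fix for CVE-2021-36386 and the 6.4.21 regression fix) describe two classic mistakes in a printf-style append routine: re-running vsnprintf() on a va_list that an earlier vsnprintf() call already consumed, and counting the fragment length into the write offset twice. The C code below is an added example written for this review, not fetchmail's logging code; the struct and function names are invented, and the ~3 kByte Subject header is a constructed input chosen to exceed the "c. 2 kByte" threshold the changelog names. It shows the measure-then-write pattern done correctly: a va_copy() for the measuring pass and a single offset for the writing pass.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable buffer that collects one log line from several fragments.
   Names are invented for this example; this is not fetchmail's code. */
struct logbuf {
    char  *data;  /* NUL-terminated contents, NULL before the first append */
    size_t len;   /* bytes in use, not counting the terminating NUL */
    size_t cap;   /* bytes allocated */
};

static void logbuf_free(struct logbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Append one printf-style fragment. Returns 0 on success, -1 on failure. */
static int logbuf_vappend(struct logbuf *b, const char *fmt, va_list ap)
{
    va_list ap2;
    int need;

    /* Pass 1: measure only, on a va_copy() so that 'ap' stays fresh for pass 2.
       Running vsnprintf() twice on the same va_list without va_start()/va_copy()
       in between is undefined behaviour; that is the root cause the 6.4.20 entry
       describes for CVE-2021-36386 (the second pass reads garbage). */
    va_copy(ap2, ap);
    need = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (need < 0)
        return -1;

    /* Grow when fragment plus NUL does not fit behind the current contents. */
    if (b->len + (size_t)need + 1 > b->cap) {
        size_t newcap = b->cap ? b->cap : 64;
        while (b->len + (size_t)need + 1 > newcap)
            newcap *= 2;
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = newcap;
    }

    /* Pass 2: write at offset b->len, just past the bytes already stored. The
       existing contents are counted exactly once; adding the new fragment's
       length to the offset as well (the 6.4.21 regression) would put the write
       past the terminating NUL, so buffered outputs would lose fragments. */
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    b->len += (size_t)need;
    return 0;
}

static int logbuf_append(struct logbuf *b, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = logbuf_vappend(b, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed scenario: a Subject header of 2999 'A's, so the second fragment
   forces a reallocation in the middle of the line. Returns the finished line
   (caller frees), or NULL on allocation failure. */
static char *demo_long_header(void)
{
    struct logbuf b = { NULL, 0, 0 };
    char subject[3000];

    memset(subject, 'A', sizeof subject - 1);
    subject[sizeof subject - 1] = '\0';

    if (logbuf_append(&b, "fetchmail: reading message %d of %d", 1, 5) != 0 ||
        logbuf_append(&b, " (Subject: %s)", subject) != 0 ||
        logbuf_append(&b, "\n") != 0) {
        logbuf_free(&b);
        return NULL;
    }
    return b.data;  /* ownership passes to the caller */
}

/* Returns 1 if the assembled line is intact across the reallocation, else 0. */
static int demo_long_header_intact(void)
{
    const char head[] = "fetchmail: reading message 1 of 5 (Subject: ";
    size_t hlen = sizeof head - 1;
    char *line = demo_long_header();
    int ok;

    if (line == NULL)
        return 0;
    ok = strncmp(line, head, hlen) == 0
      && strspn(line + hlen, "A") == 2999
      && strcmp(line + hlen + 2999, ")\n") == 0
      && strlen(line) == hlen + 2999 + 2;
    free(line);
    return ok;
}

int main(void)
{
    return demo_long_header_intact() ? 0 : 1;
}
```

Both defects the changelog describes are invisible with unbuffered output and short lines, which is why the 6.4.21 regression only showed up with --logfile and --syslog; a test that forces a reallocation mid-line, as demo_long_header_intact() does, is what catches them.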