Reviewed-by: Peter Müller > - Update from version 6.4.19 to 6.4.32 > - Update of rootfile not required > - Changelog - range of security and bug fixes > fetchmail-6.4.32 (released 2022-07-30, 31696 LoC): > # FIXES: > * Use configure to find rst2html, some systems install it only with .py suffix, > others only without, and some install both. > * Update README.maintainer > # TRANSLATIONS: language translations were updated by these fine people: > (in alphabetical order of language codes so as not to prefer people): > * cs: Petr Pisar [Czech] > * es: Cristian Othón Martínez Vera [Spanish] > * ja: Takeshi Hamasaki [Japanese] > * pl: Jakub Bogusz [Polish] > * ro: Remus-Gabriel Chelu [Romanian] > * sq: Besnik Bleta [Albanian] > * sv: Göran Uddeborg [Swedish] > fetchmail-6.4.31 (released 2022-07-16, 31694 LoC): > # BUG FIXES: > * Try to fix ./configure --with-ssl=... for systems that have multiple OpenSSL > versions installed. Issues reported by Dennis Putnam. > * The netrc parser now reports its errors to syslog or logfile when appropriate, > previously it would always log to stderr. > * Add error checking to .netrc parser. > # CHANGES: > * manpage: use .UR/.UE macros instead of .URL for URIs. > * manpage: fix contractions. Found with FreeBSD's igor tool. > * manpage: HTML now built with pandoc -> python-docutils > (manServer.pl was dropped) > fetchmail-6.4.30 (released 2022-04-26, 31666 LoC): > # BREAKING CHANGES: > * Bump wolfSSL minimum required version to 5.2.0 to pull in security fix. > # CHANGES: > * Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning. > * Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning. > * configure.ac was tweaked in order to hopefully fix cross-compilation issues > report, and different patch suggested, by Fabrice Fontaine, > https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42 > # TRANSLATIONS: language translations were updated by this fine person: > * ro: Remus-Gabriel Chelu [Romanian] > fetchmail-6.4.29 (released 2022-03-20, 31661 LoC): > # TRANSLATIONS: language translations were updated by this fine person: > * vi: Trần Ngọc Quân [Vietnamese] > fetchmail-6.4.28 (released 2022-03-05, 31661 LoC): > # DOCUMENTATION: > * Fix a typo in the manual page, courtesy of Jeremy Petch. > # TRANSLATIONS: language translations were updated by this fine person: > * es: Cristian Othón Martínez Vera [Spanish] > fetchmail-6.4.27 (released 2022-01-26, 31661 LoC): > # BREAKING CHANGES: > * Bump wolfSSL minimum required version to 5.1.1 to pull in security fix. > # TRANSLATIONS: language translations were updated by this fine person: > * ro: Remus-Gabriel Chelu [Romanian] > fetchmail-6.4.26 (released 2021-12-26, 31661 LoC): > # FIXES: > * When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when > receiving handshake records while still in SSL_peek(). Workaround is to read > 1 byte and cache it, then call SSL_peek() again. > This affects only some servers. https://github.com/wolfSSL/wolfssl/issues/4593 > # TRANSLATIONS: language translations were updated by this fine person: > * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] > fetchmail-6.4.25 (released 2021-12-10, 31653 LoC): > # BREAKING CHANGES: > * Since distributions continue patching for LibreSSL use, which cannot be > linked legally, block out LibreSSL in configure.ac and socket.c, and > refer to COPYING, unless on OpenBSD (which ships it in the base system). > OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do > re-read COPYING, INSTALL, README, README.packaging, README.SSL. > * Bump OpenSSL version requirement to 1.0.2f in order to safely remove > the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and > older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is > publicly available from https://www.openssl.org/source/old/1.0.2/ > * Some of the configure.ac fiddling MIGHT have broken cross-compilation > again. The maintainer does not test cross-compiling fetchmail; if you > have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path > containing your target/host libraries, or see if --with-ssl-prefix or > --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help. > Feedback solicited on compliant systems that are before end-of-life. > # BUG FIXES: > * 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag > contained a typo and would not kick in properly. > * Library and/or rpath setting from configure.ac was fixed. > # ADDITIONS: > * Added an example systemd unit file and instructions to contrib/systemd/ > which runs fetchmail as a daemon with 5-minute poll intervals. > Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464. > * fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer, > see INSTALL and README.SSL. This is considered experimental. > Feedback solicited. > # CHANGES: > * The getstats.py dist-tool now counts lines of .ac and .am files. > * ./configure --with-ssl now supports pkg-config module names, too. See INSTALL. > # TRANSLATIONS: language translations were updated by these fine people: > (in reverse alphabetical order of language codes so as not to prefer people): > * sv: Göran Uddeborg [Swedish] > * sq: Besnik Bleta [Albanian] > * pl: Jakub Bogusz [Polish] > * ja: Takeshi Hamasaki [Japanese] > * fr: Frédéric Marchal [French] > * eo: Keith Bowes [Esperanto] > * cs: Petr Pisar [Czech] > fetchmail-6.4.24 (released 2021-11-20, 30218 LoC): > # OPENSSL AND LICENSING NOTE: > > see fetchmail-6.4.22 below, and the file COPYING. > Note that distribution of packages linked with LibreSSL is not feasible > due to a missing GPLv2 clause 2(b) exception. > # COMPATIBILITY: > * Bison 3.8 dropped yytoknum altogether, breaking compilation due to a > warning workaround. Remove the cast of yytoknum to void. This may cause > a compiler warning to reappear with older Bison versions. > * OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3 > certificate in its trust store because OpenSSL by default prefers the > untrusted certificate and fails. Fetchmail now sets the > X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only). > This is workaround #2 from the OpenSSL Blog. For details, see both: > https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ > https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ > NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library > is kept up to date by a distributor or via OpenSSL support contract. > Where this is not the case, please upgrade to a supported OpenSSL version. > # DOCUMENTATION: > * The manual page was revised after re-checking with mandoc -Tlint, aspell, > igor. Some more revisions were made for clarity. > # TRANSLATIONS: language translations were updated by these fine people: > * sv: Göran Uddeborg [Swedish] > * pl: Jakub Bogusz [Polish] > * fr: Frédéric Marchal [French] > * cs: Petr Pisar [Czech] > * eo: Keith Bowes [Esperanto] > * ja: Takeshi Hamasaki [Japanese] > fetchmail-6.4.23 (released 2021-10-31, 30206 LoC): > # USABILITY: > * For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin > - no matter its contents - and that set auth ssh), change the STARTTLS > error message to suggest sslproto '' instead. > This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22. > Fixes Redhat Bugzilla 2008160. Fixes GitLab #39. > # TRANSLATIONS: language translations were updated by these fine people: > * ja: Takeshi Hamasaki [Japanese] > * sr: Мирослав Николић (Miroslav Nikolić) [Serbian] > fetchmail-6.4.22 (released 2021-09-13, 30201 LoC): > # OPENSSL AND LICENSING NOTE: > * fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0. > OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay > license to Apache License v2.0, which is considered incompatible with GPL v2 > by the FSF. For implications and details, see the file COPYING. > # SECURITY FIXES: > * CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and > with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when > the server or an attacker sends a PREAUTH greeting, fetchmail used to continue > an unencrypted connection. Now, log the error and abort the connection. > --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on > a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile. > --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why > TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email > Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian > Schinzel. The paper did not mention fetchmail. > * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS > negotiation. > * On IMAP connections, fetchmail does not permit overriding a server-side > LOGINDISABLED with --auth password any more. > * On POP3 connections, the possibility for RPA authentication (by probing with > an AUTH command without arguments) no longer prevents STARTTLS negotiation. > * For POP3 connections, only attempt RPA if the authentication type is "any". > # BUG FIXES: > * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the > tagged (= final) response, do not send "*". > * On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send > a "=" for protocol compliance. > * On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server > advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4 > has not supported and does not support the separate challenge/response with > command continuation) > * On IMAP connections, when --auth external is requested but not advertised by > the server, log a proper error message. > * Fetchmail no longer crashes when attempting a connection with --plugin "" or > --plugout "". > * Fetchmail no longer leaks memory when processing the arguments of --plugin or > --plugout on connections. > * On POP3 connections, the CAPAbilities parser is now caseblind. > * Fix segfault on configurations with "defaults ... no envelope". Reported by > Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3 > and happened when plugging memory leaks, which did not account for that the > envelope parameter is special when set as "no envelope". The segfault happens > in a constant strlen(-1), triggered by trusted local input => no vulnerability. > * Fix program abort (SIGABRT) with "internal error" when invalid sslproto is > given with OpenSSL 1.1.0 API compatible SSL implementations. > # CHANGES: > * IMAP: When fetchmail is in not-authenticated state and the server volunteers > CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail > must and will re-probe explicitly.) > * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option > do not match, emit a warning and continue. Closes Gitlab #31. > (cherry-picked from 6.5 beta branch "legacy_6x") > * fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997 > recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer, > placing --sslproto tls1.2+ more prominently. > The defaults shall not change between 6.4.X releases for compatibility. > # TRANSLATIONS: language translations were updated by these fine people: > * sq: Besnik Bleta [Albanian] > * cs: Petr Pisar [Czech] > * eo: Keith Bowes [Esperanto] > * fr: Frédéric Marchal [French] > * pl: Jakub Bogusz [Polish] > * sv: Göran Uddeborg [Swedish] > fetchmail-6.4.21 (released 2021-08-09, 30042 LoC): > # REGRESSION FIX: > * The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of > messages logged to buffered outputs, from --logfile and --syslog. > This also caused lines in the logfile to run into one another because > the fragment containing the '\n' line-end character was usually lost. > Reason is that on all modern systems (with header and vsnprintf() > interface), the length of log message fragments was added up twice, so > that these ended too deep into a freshly allocated buffer, after the '\0' > byte. Unbuffered outputs flushed the fragments right away, which masked the > bug. > fetchmail-6.4.20 (released 2021-07-28, 30042 LoC): > # SECURITY FIX: > * When a log message exceeds c. 2 kByte in size, for instance, with very long > header contents, and depending on verbosity option, fetchmail can crash or > misreport each first log message that requires a buffer reallocation. > fetchmail then reallocates memory and re-runs vsnprintf() without another > call to va_start(), so it reads garbage. The exact impact depends on > many factors around the compiler and operating system configurations used and > the implementation details of the stdarg.h interfaces of the two functions > mentioned before. To fix CVE-2021-36386. > > Signed-off-by: Adolf Belka > --- > lfs/fetchmail | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lfs/fetchmail b/lfs/fetchmail > index 00ee6a634..6a4860e32 100644 > --- a/lfs/fetchmail > +++ b/lfs/fetchmail > @@ -26,7 +26,7 @@ include Config > > SUMMARY = Full-Featured POP and IMAP Mail Retrieval Daemon > > -VER = 6.4.19 > +VER = 6.4.32 > > THISAPP = fetchmail-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = fetchmail > -PAK_VER = 11 > +PAK_VER = 12 > > DEPS = > > @@ -48,7 +48,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = 679d2c49698dd368d32439a8276412e3f32c0a0f6f0e7607bc323c0294c987307469451b4b085fe521f2d5dd4869d59b4841762b6a57b3c654b992e9de8ba87c > +$(DL_FILE)_BLAKE2 = 5d6311c46053abc2e5b040273f04d9df5e737dcd938d1370bcd84415e422ec6a05126ecb59efcad9254e37338671cf7bfa224ea1015b83e8e93483cbeb033b7a > > install : $(TARGET) >