From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] fetchmail: Update to version 6.4.32
Date: Mon, 12 Sep 2022 09:39:34 +0000
Message-ID: <5ce022f6-0ddb-9ef3-ee43-69a7485a91f5@ipfire.org>
In-Reply-To: <20220824075002.2933-1-adolf.belka@ipfire.org>

Reviewed-by: Peter Müller

> - Update from version 6.4.19 to 6.4.32
> - Update of rootfile not required
> - Changelog - range of security and bug fixes
> fetchmail-6.4.32 (released 2022-07-30, 31696 LoC):
> # FIXES:
> * Use configure to find rst2html, some systems install it only with .py suffix,
>   others only without, and some install both.
> * Update README.maintainer
> # TRANSLATIONS: language translations were updated by these fine people:
> (in alphabetical order of language codes so as not to prefer people):
> * cs: Petr Pisar [Czech]
> * es: Cristian Othón Martínez Vera [Spanish]
> * ja: Takeshi Hamasaki [Japanese]
> * pl: Jakub Bogusz [Polish]
> * ro: Remus-Gabriel Chelu [Romanian]
> * sq: Besnik Bleta [Albanian]
> * sv: Göran Uddeborg [Swedish]
> fetchmail-6.4.31 (released 2022-07-16, 31694 LoC):
> # BUG FIXES:
> * Try to fix ./configure --with-ssl=... for systems that have multiple OpenSSL
>   versions installed. Issues reported by Dennis Putnam.
> * The netrc parser now reports its errors to syslog or logfile when appropriate,
>   previously it would always log to stderr.
> * Add error checking to .netrc parser.
> # CHANGES:
> * manpage: use .UR/.UE macros instead of .URL for URIs.
> * manpage: fix contractions. Found with FreeBSD's igor tool.
> * manpage: HTML now built with pandoc -> python-docutils
>   (manServer.pl was dropped)
> fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
> # BREAKING CHANGES:
> * Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
> # CHANGES:
> * Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
> * Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
> * configure.ac was tweaked in order to hopefully fix cross-compilation issues
>   report, and different patch suggested, by Fabrice Fontaine,
>   https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
> # TRANSLATIONS: language translations were updated by this fine person:
> * ro: Remus-Gabriel Chelu [Romanian]
> fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
> # TRANSLATIONS: language translations were updated by this fine person:
> * vi: Trần Ngọc Quân [Vietnamese]
> fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
> # DOCUMENTATION:
> * Fix a typo in the manual page, courtesy of Jeremy Petch.
> # TRANSLATIONS: language translations were updated by this fine person:
> * es: Cristian Othón Martínez Vera [Spanish]
> fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):
> # BREAKING CHANGES:
> * Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.
> # TRANSLATIONS: language translations were updated by this fine person:
> * ro: Remus-Gabriel Chelu [Romanian]
> fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):
> # FIXES:
> * When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when
>   receiving handshake records while still in SSL_peek(). Workaround is to read
>   1 byte and cache it, then call SSL_peek() again.
>   This affects only some servers.
>   https://github.com/wolfSSL/wolfssl/issues/4593
> # TRANSLATIONS: language translations were updated by this fine person:
> * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
> fetchmail-6.4.25 (released 2021-12-10, 31653 LoC):
> # BREAKING CHANGES:
> * Since distributions continue patching for LibreSSL use, which cannot be
>   linked legally, block out LibreSSL in configure.ac and socket.c, and
>   refer to COPYING, unless on OpenBSD (which ships it in the base system).
>   OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do
>   re-read COPYING, INSTALL, README, README.packaging, README.SSL.
> * Bump OpenSSL version requirement to 1.0.2f in order to safely remove
>   the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and
>   older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is
>   publicly available from https://www.openssl.org/source/old/1.0.2/
> * Some of the configure.ac fiddling MIGHT have broken cross-compilation
>   again. The maintainer does not test cross-compiling fetchmail; if you
>   have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path
>   containing your target/host libraries, or see if --with-ssl-prefix or
>   --with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help.
>   Feedback solicited on compliant systems that are before end-of-life.
> # BUG FIXES:
> * 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
>   contained a typo and would not kick in properly.
> * Library and/or rpath setting from configure.ac was fixed.
> # ADDITIONS:
> * Added an example systemd unit file and instructions to contrib/systemd/
>   which runs fetchmail as a daemon with 5-minute poll intervals.
>   Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.
> * fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
>   see INSTALL and README.SSL. This is considered experimental.
>   Feedback solicited.
> # CHANGES:
> * The getstats.py dist-tool now counts lines of .ac and .am files.
> * ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
> # TRANSLATIONS: language translations were updated by these fine people:
> (in reverse alphabetical order of language codes so as not to prefer people):
> * sv: Göran Uddeborg [Swedish]
> * sq: Besnik Bleta [Albanian]
> * pl: Jakub Bogusz [Polish]
> * ja: Takeshi Hamasaki [Japanese]
> * fr: Frédéric Marchal [French]
> * eo: Keith Bowes [Esperanto]
> * cs: Petr Pisar [Czech]
> fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
> # OPENSSL AND LICENSING NOTE:
> > see fetchmail-6.4.22 below, and the file COPYING.
>   Note that distribution of packages linked with LibreSSL is not feasible
>   due to a missing GPLv2 clause 2(b) exception.
> # COMPATIBILITY:
> * Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
>   warning workaround. Remove the cast of yytoknum to void. This may cause
>   a compiler warning to reappear with older Bison versions.
> * OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
>   certificate in its trust store because OpenSSL by default prefers the
>   untrusted certificate and fails. Fetchmail now sets the
>   X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only).
>   This is workaround #2 from the OpenSSL Blog. For details, see both:
>   https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>   https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>   NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library
>   is kept up to date by a distributor or via OpenSSL support contract.
>   Where this is not the case, please upgrade to a supported OpenSSL version.
> # DOCUMENTATION:
> * The manual page was revised after re-checking with mandoc -Tlint, aspell,
>   igor. Some more revisions were made for clarity.
> # TRANSLATIONS: language translations were updated by these fine people:
> * sv: Göran Uddeborg [Swedish]
> * pl: Jakub Bogusz [Polish]
> * fr: Frédéric Marchal [French]
> * cs: Petr Pisar [Czech]
> * eo: Keith Bowes [Esperanto]
> * ja: Takeshi Hamasaki [Japanese]
> fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):
> # USABILITY:
> * For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
>   - no matter its contents - and that set auth ssh), change the STARTTLS
>   error message to suggest sslproto '' instead.
>   This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
>   Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.
> # TRANSLATIONS: language translations were updated by these fine people:
> * ja: Takeshi Hamasaki [Japanese]
> * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
> fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):
> # OPENSSL AND LICENSING NOTE:
> * fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
>   OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay
>   license to Apache License v2.0, which is considered incompatible with GPL v2
>   by the FSF. For implications and details, see the file COPYING.
> # SECURITY FIXES:
> * CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and
>   with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when
>   the server or an attacker sends a PREAUTH greeting, fetchmail used to continue
>   an unencrypted connection. Now, log the error and abort the connection.
>   --Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on
>   a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
>   --Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why
>   TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email
>   Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian
>   Schinzel. The paper did not mention fetchmail.
> * On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS
>   negotiation.
> * On IMAP connections, fetchmail does not permit overriding a server-side
>   LOGINDISABLED with --auth password any more.
> * On POP3 connections, the possibility for RPA authentication (by probing with
>   an AUTH command without arguments) no longer prevents STARTTLS negotiation.
> * For POP3 connections, only attempt RPA if the authentication type is "any".
> # BUG FIXES:
> * On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the
>   tagged (= final) response, do not send "*".
> * On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send
>   a "=" for protocol compliance.
> * On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server
>   advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4
>   has not supported and does not support the separate challenge/response with
>   command continuation)
> * On IMAP connections, when --auth external is requested but not advertised by
>   the server, log a proper error message.
> * Fetchmail no longer crashes when attempting a connection with --plugin "" or
>   --plugout "".
> * Fetchmail no longer leaks memory when processing the arguments of --plugin or
>   --plugout on connections.
> * On POP3 connections, the CAPAbilities parser is now caseblind.
> * Fix segfault on configurations with "defaults ... no envelope". Reported by
>   Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3
>   and happened when plugging memory leaks, which did not account for that the
>   envelope parameter is special when set as "no envelope". The segfault happens
>   in a constant strlen(-1), triggered by trusted local input => no vulnerability.
> * Fix program abort (SIGABRT) with "internal error" when invalid sslproto is
>   given with OpenSSL 1.1.0 API compatible SSL implementations.
> # CHANGES:
> * IMAP: When fetchmail is in not-authenticated state and the server volunteers
>   CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail
>   must and will re-probe explicitly.)
> * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
>   do not match, emit a warning and continue. Closes Gitlab #31.
>   (cherry-picked from 6.5 beta branch "legacy_6x")
> * fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997
>   recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer,
>   placing --sslproto tls1.2+ more prominently.
>   The defaults shall not change between 6.4.X releases for compatibility.
> # TRANSLATIONS: language translations were updated by these fine people:
> * sq: Besnik Bleta [Albanian]
> * cs: Petr Pisar [Czech]
> * eo: Keith Bowes [Esperanto]
> * fr: Frédéric Marchal [French]
> * pl: Jakub Bogusz [Polish]
> * sv: Göran Uddeborg [Swedish]
> fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
> # REGRESSION FIX:
> * The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
>   messages logged to buffered outputs, from --logfile and --syslog.
>   This also caused lines in the logfile to run into one another because
>   the fragment containing the '\n' line-end character was usually lost.
>   Reason is that on all modern systems (with header and vsnprintf()
>   interface), the length of log message fragments was added up twice, so
>   that these ended too deep into a freshly allocated buffer, after the '\0'
>   byte. Unbuffered outputs flushed the fragments right away, which masked the
>   bug.
> fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):
> # SECURITY FIX:
> * When a log message exceeds c. 2 kByte in size, for instance, with very long
>   header contents, and depending on verbosity option, fetchmail can crash or
>   misreport each first log message that requires a buffer reallocation.
>   fetchmail then reallocates memory and re-runs vsnprintf() without another
>   call to va_start(), so it reads garbage. The exact impact depends on
>   many factors around the compiler and operating system configurations used and
>   the implementation details of the stdarg.h interfaces of the two functions
>   mentioned before. To fix CVE-2021-36386.
> 
> Signed-off-by: Adolf Belka
> ---
>  lfs/fetchmail | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lfs/fetchmail b/lfs/fetchmail
> index 00ee6a634..6a4860e32 100644
> --- a/lfs/fetchmail
> +++ b/lfs/fetchmail
> @@ -26,7 +26,7 @@ include Config
>  
>  SUMMARY = Full-Featured POP and IMAP Mail Retrieval Daemon
>  
> -VER = 6.4.19
> +VER = 6.4.32
>  
>  THISAPP = fetchmail-$(VER)
>  DL_FILE = $(THISAPP).tar.xz
> @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
>  DIR_APP = $(DIR_SRC)/$(THISAPP)
>  TARGET = $(DIR_INFO)/$(THISAPP)
>  PROG = fetchmail
> -PAK_VER = 11
> +PAK_VER = 12
>  
>  DEPS =
>  
> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_BLAKE2 = 679d2c49698dd368d32439a8276412e3f32c0a0f6f0e7607bc323c0294c987307469451b4b085fe521f2d5dd4869d59b4841762b6a57b3c654b992e9de8ba87c
> +$(DL_FILE)_BLAKE2 = 5d6311c46053abc2e5b040273f04d9df5e737dcd938d1370bcd84415e422ec6a05126ecb59efcad9254e37338671cf7bfa224ea1015b83e8e93483cbeb033b7a
>  
>  install : $(TARGET)
>  
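Review bot: the VER bump in the first hunk (6.4.19 to 6.4.32) carries the 6.4.25 change that blocks out LibreSSL in configure.ac and socket.c and raises the OpenSSL floor to 1.0.2f, plus the 6.4.30 compile-time warnings for OpenSSL before 1.1.1n and 3.0.2, so the commit message should say which SSL library the IPFire build links against and that ./configure ran cleanly under those checks. It should also call out the CVE-2021-39272 behaviour change for the release notes: an IMAP PREAUTH greeting while --sslproto is set is now logged and the connection aborted instead of continuing in plaintext, and the 6.4.23 entry records this as a commonly reported issue for ssh-based plugin setups that need sslproto ''.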
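Review bot: in the last hunk, the new $(DL_FILE)_BLAKE2 value is the only integrity anchor for the new tarball, and DL_FROM is $(URL_IPFIRE) rather than the upstream site, so the checksum should be confirmed by fetching fetchmail-6.4.32.tar.xz independently and recomputing it before merge; the commit message says nothing about where the tarball was obtained or how the hash was checked, and one sentence on that would make the update auditable later.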
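The 6.4.20 and 6.4.21 entries quoted above describe two defects in a buffered logger: re-running vsnprintf() on an already-consumed va_list after realloc() without a fresh va_start() (CVE-2021-36386), and then adding the fragment length twice so later fragments landed past the terminating NUL. As an added example that is not part of the patch, of fetchmail or of IPFire, here is a minimal append routine in C that handles both points correctly; the names logbuf_t, logbuf_appendv, logbuf_append and demo_long_header are hypothetical, and the ~3 kB header is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable log line; hypothetical names modelled on a buffered logger. */
typedef struct { char *buf; size_t len, cap; } logbuf_t;

/* Append one formatted fragment (0 = ok, -1 = error). Two points from the
 * changelog: (CVE-2021-36386) a va_list may be walked only once, so the
 * probing vsnprintf() uses a va_copy() and the retry after realloc() gets
 * the untouched original; (6.4.21) the offset lb->len is read once and the
 * fragment length is added once, after the bytes are in place. */
int logbuf_appendv(logbuf_t *lb, const char *fmt, va_list ap) {
    va_list probe;
    va_copy(probe, ap);
    int need = vsnprintf(lb->buf + lb->len, lb->cap - lb->len, fmt, probe);
    va_end(probe);
    if (need < 0) return -1;
    if ((size_t)need >= lb->cap - lb->len) {          /* truncated: grow */
        size_t newcap = lb->len + (size_t)need + 1;
        char *nb = realloc(lb->buf, newcap);
        if (!nb) return -1;
        lb->buf = nb; lb->cap = newcap;
        if (vsnprintf(nb + lb->len, newcap - lb->len, fmt, ap) != need) return -1;
    }
    lb->len += (size_t)need;
    return 0;
}

int logbuf_append(logbuf_t *lb, const char *fmt, ...) {
    va_list ap; va_start(ap, fmt);
    int rc = logbuf_appendv(lb, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed scenario: a 16-byte buffer receiving a ~3 kB header line.
 * Returns the final line length (3020) when every check passes, else 0. */
size_t demo_long_header(void) {
    logbuf_t lb = { calloc(16, 1), 0, 16 }; char hdr[3000]; size_t ok = 0;
    if (!lb.buf) return 0;
    memset(hdr, 'A', sizeof hdr - 1); hdr[sizeof hdr - 1] = '\0';
    if (!logbuf_append(&lb, "%s: ", "fetchmail") &&
        !logbuf_append(&lb, "Subject: %s", hdr) && !logbuf_append(&lb, "%c", '\n') &&
        lb.len == strlen(lb.buf) && lb.buf[lb.len - 1] == '\n' &&
        !strncmp(lb.buf, "fetchmail: Subject: AAAA", 24)) ok = lb.len;
    free(lb.buf);
    return ok;
}
```

Both reallocation paths are exercised: the oversized Subject fragment and the final '\n' each trigger a grow, and the trailing newline survives, which is exactly what the 6.4.21 regression lost.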