From: Matthias Andree <matthias.andree <at> gmx.de>
Subject: fetchmail 6.3.20 security fix release
Newsgroups: gmane.mail.fetchmail.announce
Date: Monday 6th June 2011 13:19:39 UTC (over 5 years ago)
The 6.3.20 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail>.

The source archive is available at:
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=18583>

Here are the release notes:

fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):

# SECURITY BUG FIXES
* CVE-2011-1947:
  STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
  set timeout (default five minutes) now. This was reported missing, with
  observed fetchmail freezes beyond a week, by Thomas Jarosch.
     SSL-wrapped connections were unaffected by this timeout, so users of older
  versions can force ssl-wrapped connections -- if supported by the server --
  with the --ssl command line or ssl rcfile option.
  See fetchmail-SA-2011-01.txt for further details.

# BUG FIXES
* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
  new messages and most of the range searches result in nothing. Instead, split
  the long response to make the IMAP driver think that there are multiple lines
  of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
  there are too many old messages, the logs just get filled without any real
  activity. (Sunil Shetye) (suggested by Yunfan Jiang)
* Build: fetchmail now always uses its own MD5 implementation rather than trying
  to find a system library with matched header. The library and header variants
  found on systems are too diverse, and the code size saving is not worth any
  more wasted user or programmer time.

# CHANGES
* Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
* fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
  there is no portable way to configure actual timeouts for this mode, and some
  systems only support a system-wide timeout setting. fetchmail does not
  attempt to tune the time spans of keepalive mode.

# TRANSLATION UPDATES
  [cs]    Czech (Petr Pisar)
  [nl]    Dutch (Erwin Poeze)
  [fr]    French (Frédéric Marchal)
  [de]    German (Matthias Andree)
  [ja]    Japanese (Takeshi Hamasaki)
  [pl]    Polish (Jakub Bogusz)
  [sk]    Slovak (Marcel Telka)

# KNOWN BUGS AND WORKAROUNDS
  (this section floats upwards through the NEWS file so it stays with the
  current release information - however, it was stuck with 6.3.8 for a while)
* fetchmail does not handle messages without Message-ID header well
  (See sourceforge.net bug #780933)
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
  64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
  fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
  so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail does not track pending deletes over crashes.
* the command line interface is sometimes a bit stubborn, for instance,
  fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
  no or no global IPv6 addresses are configured.
  (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
  messages. This will not be fixed, because the maintainer has no Kerberos 5
  server to test against. Use GSSAPI.


By popular demand, diffs from the previous release have been omitted.
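
The failure mode in the CVE-2011-1947 entry above, as an added Python illustration (not fetchmail's code, which is C, and not from the announcement): a peer accepts STARTTLS and then goes silent, and the client's handshake either waits indefinitely or is bounded by the socket timeout. The peer, the tag `a1` and the host name `imap.example.invalid` are constructed for this example.

```python
import socket
import ssl
import threading

def stalled_peer(sock, release):
    """Constructed server: accepts STARTTLS, then never sends a TLS byte."""
    sock.sendall(b"* OK constructed IMAP greeting\r\n")
    sock.recv(1024)                        # the client's "a1 STARTTLS"
    sock.sendall(b"a1 OK begin TLS negotiation\r\n")
    release.wait()                         # keep the connection open and silent
    sock.close()

def starttls(sock, timeout):
    """Client side; timeout=None reproduces the unbounded wait."""
    sock.settimeout(timeout)               # also bounds the TLS handshake below
    try:
        sock.recv(1024)                    # greeting
        sock.sendall(b"a1 STARTTLS\r\n")
        if not sock.recv(1024).startswith(b"a1 OK"):
            return "refused"
        ctx = ssl.create_default_context()
        ctx.wrap_socket(sock, server_hostname="imap.example.invalid")
        return "tls-established"
    except socket.timeout:                 # raised by recv() or the handshake
        return "timed-out"
    except OSError:                        # peer hung up or sent non-TLS data
        return "handshake-failed"

def run(timeout, observe=1.0):
    """Return (client result, whether it was still blocked after `observe` s)."""
    client, server = socket.socketpair()
    release, out = threading.Event(), []
    threading.Thread(target=stalled_peer, args=(server, release),
                     daemon=True).start()
    worker = threading.Thread(
        target=lambda: out.append(starttls(client, timeout)), daemon=True)
    worker.start()
    worker.join(observe)
    blocked = worker.is_alive()
    release.set()                          # peer hangs up, freeing the client
    worker.join(5)
    return (out[0] if out else None), blocked

if __name__ == "__main__":
    print("no timeout:", run(None))        # still blocked when observed
    print("0.3 s limit:", run(0.3))        # aborted by the timeout
```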
 