diff options
| -rw-r--r-- | NEWS | 137 |
1 files changed, 73 insertions, 64 deletions
@@ -8,72 +8,76 @@ All dates are in Universal Time unless otherwise noted. Abbreviations in parentheses are the maintainers who committed the respective change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.) -# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS +# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS +(There are no plans to remove these features from a 6.3.X release, but they may +be removed from a 6.4.0 or newer release.) * The MX and host alias DNS lookups that fetchmail performs in multidrop mode - are obsolete, deprecated and may be removed from a future fetchmail version. - They have never supported IPv6 (including IPv6-mapped IPv4) anyhow. + are based on assumptions that are rarely met in practice, somewhat defective, + deprecated and may be removed from a future fetchmail version. They have + never supported IPv6 (including IPv6-mapped IPv4). Non-DNS based alias keywords such as "aka" will remain in fetchmail. * The monitor and interface options may be removed from a future fetchmail - version as they are not sufficiently portable. -* POP2 is obsolete. - Support for POP2 may be removed from a future fetchmail version. -* RPOP is obsolete, support may be removed from a future fetchmail release. -* --sslcertck may become a default setting in a future fetchmail version. + version as they are not reasonably portable. +* POP2 is obsolete, support will be removed from a future fetchmail version. +* RPOP is obsolete, support will be removed from a future fetchmail release. +* --sslcertck will become a default setting in a future fetchmail version. * The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release. * The "envelope Received" option may be removed from a future release, because the Received header was never meant to be machine-readable, the format varies widely, and various other differences in behavior make parsing Received an - unreliable undertaking. The enveloper option as such will remain though, in + unreliable undertaking. The envelope option as such will remain though, in order to support Delivered-To, X-Envelope-To, X-Original-To and similar. See also <http://home.pages.de/~mandree/mail/multidrop>. -* The --enable-fallback (fall back to MDA if MTA unavailable) may be removed - from a future fetchmail release. +* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed + from a future fetchmail release, because it makes fetchmail's behavior + inconsistent and confusing. * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended. * Kerberos IV support may be removed from a future fetchmail release. -* SIGHUP wakeup may be removed from a future fetchmail release and cause it - to terminate. +* SIGHUP wakeup support may be removed from a future fetchmail release and + cause fetchmail to terminate - it was broken for many years. * Support for operating systems that are not sufficiently POSIX compliant may be removed or operation on such systems may be suboptimal for future releases. -------------------------------------------------------------------------------- -fetchmail 6.3.6 (not yet released): +fetchmail 6.3.6 (released 2007-01-04): -# SECURITY FIXES (CHANGE BEHAVIOUR): +# SECURITY FIXES: * CVE-2006-5867, fetchmail-SA-2006-02.txt: - Password disclosure vulnerability. This has several aspects: + Password disclosure vulnerability fixed. This has several aspects: - Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck - options are used, but ssl is not, to be sure that there is a certificate to - check against. + options are used and the ssl option is not used, in order to be sure that + fetchmail gets a certificate from the mail server. - Fetchmail breaks the connection if the TLS negotiation (or verification, if - requested) fails with sslproto 'tls1' (also applies if this is implicit). + requested) fails with sslproto 'tls1', sslfingerprint or sslcheck enabled. - - POP3 connections ignored STLS altogether in many circumstances, because - fetchmail did not probe server capabilities for all values of "auth" - see - fetchmail-SA-2006-02.txt for details. + - POP3 connections now use STLS reliably. They used to ignore STLS altogether + for serveral values of the "auth" option, when fetchmail forget to probe + server capabilities - see fetchmail-SA-2006-02.txt for details. - - POP3 connections could retry USER/PASS authentication even if strong - challenge-response schemes such as CRAM-MD5 had explicitly been requested, - if these were not advertised in the CAPA response. + - POP3 connections will no longer fall back USER/PASS authentication if + strong challenge-response authenticators such as CRAM-MD5 are configured + but the server does not advertise these in its CAPA response. - POP2 is obsolete and does not support STLS or anything beyond password-based - authentication. The attempt to use STLS or strong authenticators causes + authentication. The attempt to use STLS or strong authenticators now causes connection abort. - Configurations using --ssl --sslcertck however have been semi-safe in that - they would not expose the password over the wire. + Configurations using both ssl and sslcertck however have been semi-safe in + that they would send the password in the clear. The USER/PASS fallback + problem however applies to these too, so that the password was only change on + trustworthy servers. -# SECURITY FIX: * CVE-2006-5974, fetchmail-SA-2006-03.txt: - Repair regression in 6.3.5 that crashes fetchmail when a message with invalid - headers is found while fetchmail's mda option is in use. BerliOS bugs #9364, - #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks. + Repairs a regression in 6.3.5 that crashes fetchmail when a message with + invalid headers is found while fetchmail's mda option is in use. BerliOS bugs + #9364, #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks. -# REGRESSION FIXES: +# REGRESSION FIXES (recently introduced bugs) * Repair --logfile, broken in 6.3.5. BerliOS Bug #9059, reported by Brian Harring. * Repair --user, broken in 6.3.5 (as a side effect of the authenticate external @@ -82,32 +86,33 @@ fetchmail 6.3.6 (not yet released): name. Debian Bug #400950, reported by Jorgen Schaefer <forcer@debian.org>. # BUG FIXES (long-standing bugs): -* POP3: Probe capabilities when Kerberos V5 is enabled so that we can actually - try to use it. -* RPOP: The password is now shrouded in the local logs. -* Robustness: If a stale lockfile cannot be deleted, truncate it to avoid - trouble later if the PID is recycled by a non-fetchmail process. -* Detect /etc/resolv.conf changes: On systems that have res_search(), assume we - also have res_init() and call it (suggested by Ulrich Drepper, glibc bug - #3675) in order to make libc or libresolv reread the resolver configuration at - the beginning of a poll cycle. This is important when fetchmail is in daemon - mode and /etc/resolv.conf is changed later by dhcpcd, dhclient, pppd, openvpn - or other ip-up/ipchange scripts. Should fix Debian Bug#389270, Bug#391698. -* Fix crash on systems that do not provide strdup(), the crash happens only in - out-of-memory conditions when fetchmail cannot proceed anyways. Patch by - Andreas Krennmair. -* When HOME and FETCHMAILHOME are unset, be sure to copy user database - information, so it is not trashed later. Patch by Jim Correia. +* RPOP: used to log the password locally rather than an asterisk as the other + protocols do. The password is now shrouded in the local logs. +* POP3: Probes capabilities now when Kerberos V5 is enabled, so that we can + actually detect if the server supports it. +* Robustness: If a stale lockfile cannot be deleted, truncate it so that + fetchmail doesn't later believe itself to be running if the PID is recycled + by a non-fetchmail process. +* DNS: Detect /etc/resolv.conf changes: On systems that have res_search(), + assume we also have res_init() and call it (suggested by Ulrich Drepper, + glibc bug #3675) in order to make libc or libresolv reread the resolver + configuration at the beginning of a poll cycle. This is important when + fetchmail is in daemon mode and /etc/resolv.conf is changed later by dhcpcd, + dhclient, pppd, openvpn or other ip-up/ipchange scripts. Should fix Debian + Bug#389270, Bug#391698. +* Robustness: Fix crash on systems that do not provide strdup(), the crash + happens only in out-of-memory conditions when fetchmail cannot proceed + anyways. Patch by Andreas Krennmair. +* Robustness: When HOME and FETCHMAILHOME are unset, be sure to copy user + database information, so it is not trashed later. Patch by Jim Correia. # CHANGES: -* Remove excess no-op strcpy() after strdup() found by Andreas Krennmair. -* Remove handling for PS_TRUNCATED (code 27), which was never returned. -* Improve handling of IMAP IDLE, some servers do not reset their time counters - after sending information asynchronously. Patch by Sunil Shetye, after report - from Andrew Baumann. -* When requesting Kerberos V4, V5 or GSSAPI, complain and exit with syntax error - if any of these requested features has not been compiled in. This is to fail - early and with precise error message. Reported by Isaac Wilcox. +* Workaround: Improve handling of IMAP IDLE, some servers do not reset their + time counters after sending information asynchronously. Patch by Sunil + Shetye, after report from Andrew Baumann. +* Usability: When requesting Kerberos or GSSAPI, complain and exit with syntax + error if any of these requested features has not been compiled in. This is + to fail early and with precise error message. Reported by Isaac Wilcox. * --version will now add +KRB4 or +KRB5 if Kerberos v4 or v5, respectively, have been compiled in. Reported missing by Isaac Wilcox. @@ -115,6 +120,9 @@ fetchmail 6.3.6 (not yet released): * New en_GB (British English) translation by David Lodge. * Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel Maryanov) and Vietnamese (Clytie Siddall) translations. +! Note that not all these translations are complete -- this isn't the + translators' fault though, but due to delays at the BerliOS hosting site and + the translation project handlers. You may see a few untranslated messages. # DOCUMENTATION: * Dropped exit status 15 from manual page, it's not used by fetchmail. @@ -122,15 +130,16 @@ fetchmail 6.3.6 (not yet released): * Documented exit codes 24 - 29 as internal. # KNOWN BUGS AND WORKAROUNDS: - (this section floats upwards through the NEWS to be on top of the list) + (this section floats upwards through the NEWS file so it stays with the + current release information) * fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933) -* Sun Workshop 6 (SPARC) is known to miscompile the lexer in 64-bit mode. - Either compile 32-bit code or use GCC to compile 64-bit fetchmail. - Note that fetchmail doesn't take advantage of 64-bit code anyways, - so compiling 32-bit SPARC code should be fine. -* fetchmail expects Received: headers in a particular format when parsing - envelopes. +* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in + 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit + fetchmail. Note that fetchmail doesn't take advantage of 64-bit code, + so compiling 32-bit SPARC code should not cause any difficulties. +* fetchmail expects Received: headers in a particular, but undocumented, format + when parsing envelopes. * fetchmail does not track pending deletes over crashes * the command line interface is a bit narrow-minded sometimes, for instance, fetchmail -s doesn't work with a running daemon |