Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 9 |
1 files changed, 9 insertions, 0 deletions
@@ -88,6 +88,10 @@ fetchmail-6.4.0 (not yet released): in favour of another configuration option that makes the insecurity in using this option clearer. +## SECURITY FIXES +* Fetchmail prevents buffer overruns in GSSAPI authentication with user names + beyond c. 6000 characters in length. Reported by Greg Hudson. + ## CHANGES * fetchmail 6.3.X is unsupported. * fetchmail now requires OpenSSL v1.0.2 or newer. @@ -124,6 +128,11 @@ fetchmail-6.4.0 (not yet released): or that #define OPENSSL_NO_SSL3 inside #include <openssl/ssl.h> Related to Debian Bug#775255. Fixes Debian Bug #804604. * Version report lists -SSLv3 on SSL-enabled no-ssl3 builds. +* Fetchmail no longer adds a NUL byte to the username in GSSAPI authentication. + This was reported to break Kerberos-based authentication with Microsoft + Exchange 2013 by Greg Hudson. +* Set umask properly before writing the .fetchids file, to avoid failing the + security check on the next run. Reported by Fabian Raab, Debian Bug#831611. # KNOWN BUGS AND WORKAROUNDS (This section floats upwards through the NEWS file so it stays with the |
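Review bot: In the first hunk, the new SECURITY FIXES entry does not say which releases are affected or how the overrun is now prevented (long user names rejected, truncated, or the buffer sized dynamically), and "beyond c. 6000 characters" gives only an approximate threshold. Since the CHANGES section directly below declares 6.3.X unsupported, packagers still shipping that series need to know from this entry whether to backport. Suggest naming the affected versions and the new behaviour, and adding an advisory or CVE reference if one has been assigned.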
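Review bot: In the second hunk, the sentence "This was reported to break Kerberos-based authentication with Microsoft Exchange 2013 by Greg Hudson." attaches the reporter to the wrong clause; putting the credit in its own sentence, as the umask entry does with "Reported by Fabian Raab", would remove the ambiguity. The umask entry also says "Set umask properly" without stating the value or the resulting mode of .fetchids, which is the detail an administrator needs in order to check an existing file against the security check it mentions. It would also help to say whether this NUL byte change is related to the GSSAPI overrun listed under SECURITY FIXES, since both concern the username in GSSAPI authentication.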