aboutsummaryrefslogtreecommitdiffstats
path: root/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS137
1 files changed, 73 insertions, 64 deletions
diff --git a/NEWS b/NEWS
index f4717648..17ba245a 100644
--- a/NEWS
+++ b/NEWS
@@ -8,72 +8,76 @@ All dates are in Universal Time unless otherwise noted.
Abbreviations in parentheses are the maintainers who committed the respective
change. MA = Matthias Andree, ESR = Eric S. Raymond, RF = Rob Funk.)
-# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS
+# ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
+(There are no plans to remove these features from a 6.3.X release, but they may
+be removed from a 6.4.0 or newer release.)
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
- are obsolete, deprecated and may be removed from a future fetchmail version.
- They have never supported IPv6 (including IPv6-mapped IPv4) anyhow.
+ are based on assumptions that are rarely met in practice, somewhat defective,
+ deprecated and may be removed from a future fetchmail version. They have
+ never supported IPv6 (including IPv6-mapped IPv4).
Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
- version as they are not sufficiently portable.
-* POP2 is obsolete.
- Support for POP2 may be removed from a future fetchmail version.
-* RPOP is obsolete, support may be removed from a future fetchmail release.
-* --sslcertck may become a default setting in a future fetchmail version.
+ version as they are not reasonably portable.
+* POP2 is obsolete, support will be removed from a future fetchmail version.
+* RPOP is obsolete, support will be removed from a future fetchmail release.
+* --sslcertck will become a default setting in a future fetchmail version.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
the Received header was never meant to be machine-readable, the format varies
widely, and various other differences in behavior make parsing Received an
- unreliable undertaking. The enveloper option as such will remain though, in
+ unreliable undertaking. The envelope option as such will remain though, in
order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
See also <http://home.pages.de/~mandree/mail/multidrop>.
-* The --enable-fallback (fall back to MDA if MTA unavailable) may be removed
- from a future fetchmail release.
+* The --enable-fallback (fall back to MDA if MTA unavailable) will be removed
+ from a future fetchmail release, because it makes fetchmail's behavior
+ inconsistent and confusing.
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
-* SIGHUP wakeup may be removed from a future fetchmail release and cause it
- to terminate.
+* SIGHUP wakeup support may be removed from a future fetchmail release and
+ cause fetchmail to terminate - it was broken for many years.
* Support for operating systems that are not sufficiently POSIX compliant may be
removed or operation on such systems may be suboptimal for future releases.
--------------------------------------------------------------------------------
-fetchmail 6.3.6 (not yet released):
+fetchmail 6.3.6 (released 2007-01-04):
-# SECURITY FIXES (CHANGE BEHAVIOUR):
+# SECURITY FIXES:
* CVE-2006-5867, fetchmail-SA-2006-02.txt:
- Password disclosure vulnerability. This has several aspects:
+ Password disclosure vulnerability fixed. This has several aspects:
- Fetchmail now implies sslproto 'tls1' if the sslfingerprint or sslcertck
- options are used, but ssl is not, to be sure that there is a certificate to
- check against.
+ options are used and the ssl option is not used, in order to be sure that
+ fetchmail gets a certificate from the mail server.
- Fetchmail breaks the connection if the TLS negotiation (or verification, if
- requested) fails with sslproto 'tls1' (also applies if this is implicit).
+ requested) fails with sslproto 'tls1', sslfingerprint or sslcheck enabled.
- - POP3 connections ignored STLS altogether in many circumstances, because
- fetchmail did not probe server capabilities for all values of "auth" - see
- fetchmail-SA-2006-02.txt for details.
+ - POP3 connections now use STLS reliably. They used to ignore STLS altogether
+ for serveral values of the "auth" option, when fetchmail forget to probe
+ server capabilities - see fetchmail-SA-2006-02.txt for details.
- - POP3 connections could retry USER/PASS authentication even if strong
- challenge-response schemes such as CRAM-MD5 had explicitly been requested,
- if these were not advertised in the CAPA response.
+ - POP3 connections will no longer fall back USER/PASS authentication if
+ strong challenge-response authenticators such as CRAM-MD5 are configured
+ but the server does not advertise these in its CAPA response.
- POP2 is obsolete and does not support STLS or anything beyond password-based
- authentication. The attempt to use STLS or strong authenticators causes
+ authentication. The attempt to use STLS or strong authenticators now causes
connection abort.
- Configurations using --ssl --sslcertck however have been semi-safe in that
- they would not expose the password over the wire.
+ Configurations using both ssl and sslcertck however have been semi-safe in
+ that they would send the password in the clear. The USER/PASS fallback
+ problem however applies to these too, so that the password was only change on
+ trustworthy servers.
-# SECURITY FIX:
* CVE-2006-5974, fetchmail-SA-2006-03.txt:
- Repair regression in 6.3.5 that crashes fetchmail when a message with invalid
- headers is found while fetchmail's mda option is in use. BerliOS bugs #9364,
- #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
+ Repairs a regression in 6.3.5 that crashes fetchmail when a message with
+ invalid headers is found while fetchmail's mda option is in use. BerliOS bugs
+ #9364, #9412, #9449. Stack backtrace provided by Neil Hoggarth - thanks.
-# REGRESSION FIXES:
+# REGRESSION FIXES (recently introduced bugs)
* Repair --logfile, broken in 6.3.5. BerliOS Bug #9059,
reported by Brian Harring.
* Repair --user, broken in 6.3.5 (as a side effect of the authenticate external
@@ -82,32 +86,33 @@ fetchmail 6.3.6 (not yet released):
name. Debian Bug #400950, reported by Jorgen Schaefer <forcer@debian.org>.
# BUG FIXES (long-standing bugs):
-* POP3: Probe capabilities when Kerberos V5 is enabled so that we can actually
- try to use it.
-* RPOP: The password is now shrouded in the local logs.
-* Robustness: If a stale lockfile cannot be deleted, truncate it to avoid
- trouble later if the PID is recycled by a non-fetchmail process.
-* Detect /etc/resolv.conf changes: On systems that have res_search(), assume we
- also have res_init() and call it (suggested by Ulrich Drepper, glibc bug
- #3675) in order to make libc or libresolv reread the resolver configuration at
- the beginning of a poll cycle. This is important when fetchmail is in daemon
- mode and /etc/resolv.conf is changed later by dhcpcd, dhclient, pppd, openvpn
- or other ip-up/ipchange scripts. Should fix Debian Bug#389270, Bug#391698.
-* Fix crash on systems that do not provide strdup(), the crash happens only in
- out-of-memory conditions when fetchmail cannot proceed anyways. Patch by
- Andreas Krennmair.
-* When HOME and FETCHMAILHOME are unset, be sure to copy user database
- information, so it is not trashed later. Patch by Jim Correia.
+* RPOP: used to log the password locally rather than an asterisk as the other
+ protocols do. The password is now shrouded in the local logs.
+* POP3: Probes capabilities now when Kerberos V5 is enabled, so that we can
+ actually detect if the server supports it.
+* Robustness: If a stale lockfile cannot be deleted, truncate it so that
+ fetchmail doesn't later believe itself to be running if the PID is recycled
+ by a non-fetchmail process.
+* DNS: Detect /etc/resolv.conf changes: On systems that have res_search(),
+ assume we also have res_init() and call it (suggested by Ulrich Drepper,
+ glibc bug #3675) in order to make libc or libresolv reread the resolver
+ configuration at the beginning of a poll cycle. This is important when
+ fetchmail is in daemon mode and /etc/resolv.conf is changed later by dhcpcd,
+ dhclient, pppd, openvpn or other ip-up/ipchange scripts. Should fix Debian
+ Bug#389270, Bug#391698.
+* Robustness: Fix crash on systems that do not provide strdup(), the crash
+ happens only in out-of-memory conditions when fetchmail cannot proceed
+ anyways. Patch by Andreas Krennmair.
+* Robustness: When HOME and FETCHMAILHOME are unset, be sure to copy user
+ database information, so it is not trashed later. Patch by Jim Correia.
# CHANGES:
-* Remove excess no-op strcpy() after strdup() found by Andreas Krennmair.
-* Remove handling for PS_TRUNCATED (code 27), which was never returned.
-* Improve handling of IMAP IDLE, some servers do not reset their time counters
- after sending information asynchronously. Patch by Sunil Shetye, after report
- from Andrew Baumann.
-* When requesting Kerberos V4, V5 or GSSAPI, complain and exit with syntax error
- if any of these requested features has not been compiled in. This is to fail
- early and with precise error message. Reported by Isaac Wilcox.
+* Workaround: Improve handling of IMAP IDLE, some servers do not reset their
+ time counters after sending information asynchronously. Patch by Sunil
+ Shetye, after report from Andrew Baumann.
+* Usability: When requesting Kerberos or GSSAPI, complain and exit with syntax
+ error if any of these requested features has not been compiled in. This is
+ to fail early and with precise error message. Reported by Isaac Wilcox.
* --version will now add +KRB4 or +KRB5 if Kerberos v4 or v5, respectively, have
been compiled in. Reported missing by Isaac Wilcox.
@@ -115,6 +120,9 @@ fetchmail 6.3.6 (not yet released):
* New en_GB (British English) translation by David Lodge.
* Update Japanese (Takeshi Hamasaki), Polish (Jakub Bogusz), Russian (Pavel
Maryanov) and Vietnamese (Clytie Siddall) translations.
+! Note that not all these translations are complete -- this isn't the
+ translators' fault though, but due to delays at the BerliOS hosting site and
+ the translation project handlers. You may see a few untranslated messages.
# DOCUMENTATION:
* Dropped exit status 15 from manual page, it's not used by fetchmail.
@@ -122,15 +130,16 @@ fetchmail 6.3.6 (not yet released):
* Documented exit codes 24 - 29 as internal.
# KNOWN BUGS AND WORKAROUNDS:
- (this section floats upwards through the NEWS to be on top of the list)
+ (this section floats upwards through the NEWS file so it stays with the
+ current release information)
* fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
-* Sun Workshop 6 (SPARC) is known to miscompile the lexer in 64-bit mode.
- Either compile 32-bit code or use GCC to compile 64-bit fetchmail.
- Note that fetchmail doesn't take advantage of 64-bit code anyways,
- so compiling 32-bit SPARC code should be fine.
-* fetchmail expects Received: headers in a particular format when parsing
- envelopes.
+* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
+ 64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
+ fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
+ so compiling 32-bit SPARC code should not cause any difficulties.
+* fetchmail expects Received: headers in a particular, but undocumented, format
+ when parsing envelopes.
* fetchmail does not track pending deletes over crashes
* the command line interface is a bit narrow-minded sometimes, for instance,
fetchmail -s doesn't work with a running daemon