Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Update <sv> Swedish translation to fetchmail 6.4.22.rc1 | Göran Uddeborg | 2021-08-28 | 1 | -474/+765 |
| | |||||
* | Get ready for 6.4.22.rc2. | Matthias Andree | 2021-08-27 | 7 | -1256/+721 |
| | |||||
* | Credit fr/eo translators. | Matthias Andree | 2021-08-27 | 1 | -0/+4 |
| | |||||
* | Update <fr> French translation to fetchmail-6.4.22.rc1 | Frédéric Marchal | 2021-08-27 | 1 | -524/+906 |
| | |||||
* | Update <eo> Esperanto translation to fetchmail 6.4.22.rc1 | Keith Bowes | 2021-08-27 | 1 | -465/+737 |
| | |||||
* | imap.c, pop3.c: fix protocol regression of 6.4.22.rc1 | Matthias Andree | 2021-08-27 | 3 | -68/+82 |
| | | | | | | | | | | | | | | | fetchmail 6.4.22.rc1 clobbered its IMAP state too late, and lost information on the protocol version in many circumstances. Consequently, it tried to talk IMAP4 to IMAP4rev1 servers, which failed. This fix the clear_sessiondata() out to the new constructor and destructor, such that imap_getauth() only needs to call it after STARTTLS, when it must re-probe CAPABILITY anyways. This was the same bug for POP3, which however does not collect state from the greeting, so that the bug was without effect for POP3. Reported by: Corey Halpin, FreeBSD port maintainer. | ||||
* | etrn.c, odmr.c, pop2.c: declare NULL con-/destructors | Matthias Andree | 2021-08-27 | 3 | -1/+7 |
| | |||||
* | struct method: introduce con-/destructors | Matthias Andree | 2021-08-27 | 2 | -0/+13 |
| | | | | | | | These can be used before setting up or after closing down a socket for protocol-specific initialisiation or cleanup, and are required to cleanly fix up the IMAP-loses-protocol-version regression without too many temporary hacks in the code. | ||||
* | NEWS: fix typo. | Matthias Andree | 2021-08-27 | 1 | -1/+1 |
| | |||||
* | README.SSL-SERVER: require TLS 1.2/1.3 | Matthias Andree | 2021-08-27 | 1 | -0/+5 |
| | |||||
* | get ready for 6.4.22.rc1. | Matthias Andree | 2021-08-27 | 3 | -20/+32 |
| | |||||
* | Doxyfile: updates | Matthias Andree | 2021-08-27 | 1 | -53/+122 |
| | |||||
* | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02 | Matthias Andree | 2021-08-27 | 4 | -87/+94 |
| | |||||
* | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope" | Matthias Andree | 2021-08-27 | 3 | -2/+7 |
| | | | | | | | | Reported by Bjørn Mork, fixes Debian Bug#992400. Crash happens inside xstrdup() on a strlen((char *)-1) where the argument is constant and the trigger is a local trusted configuration file, so not deemed a vulnerability. | ||||
* | po/de.po: Update German translation. | Matthias Andree | 2021-08-27 | 1 | -274/+333 |
| | |||||
* | Misc POP3 cleanups. | Matthias Andree | 2021-08-26 | 1 | -5/+6 |
| | |||||
* | SECURITY: imap.c, pop3.c: STARTTLS drops state | Matthias Andree | 2021-08-26 | 2 | -35/+43 |
| | | | | | We need to lose all state after STARTTLS to safeguard from attacks against the clear-text part of the session. | ||||
* | NEWS: reword 6.4.21 regression fix to include --syslog | Matthias Andree | 2021-08-26 | 1 | -1/+1 |
| | |||||
* | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl | Matthias Andree | 2021-08-26 | 1 | -2/+2 |
| | |||||
* | sanity check well-known POP3/IMAP ports vs. SSL | Matthias Andree | 2021-08-26 | 2 | -0/+13 |
| | | | | | Gitlab: Closes #31. (cherry picked from commit da6eb347af326912560f56081d603a0a78c3d56d) | ||||
* | lock.c: fix unused-value warning in unlockit(). | Matthias Andree | 2021-08-26 | 1 | -2/+5 |
| | |||||
* | POP3: make CAPA parser caseblind. | Matthias Andree | 2021-08-26 | 2 | -0/+4 |
| | |||||
* | xmalloc.h: Add GCC malloc attribute to xmalloc(). | Matthias Andree | 2021-08-26 | 1 | -1/+5 |
| | |||||
* | imap.c, report.c: remove or comment dead stores. | Matthias Andree | 2021-08-26 | 2 | -3/+6 |
| | |||||
* | SECURITY: POP3: changes for --auth ssh and RPA | Matthias Andree | 2021-08-26 | 3 | -43/+69 |
| | | | | | These no longer defeat STARTTLS negotiation, and RPA is only attempted with --auth any. | ||||
* | NEWS: Deprecate RPA and other nonstandard auth' schemes. | Matthias Andree | 2021-08-26 | 1 | -0/+4 |
| | |||||
* | socket.c: plugin/plugout SIGSEGV and memleak fixes | Matthias Andree | 2021-08-26 | 2 | -12/+30 |
| | |||||
* | IMAP: record server's CAPABILITY data in pre-auth state. | Matthias Andree | 2021-08-26 | 2 | -7/+47 |
| | | | | Saves one or two (STARTTLS) application-level round-trips. | ||||
* | IMAP: report 'upgrade to TLS succeeded' before CAPA probe | Matthias Andree | 2021-08-26 | 1 | -4/+4 |
| | | | | ...after successful STARTTLS, to show the logical order of events. | ||||
* | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED. | Matthias Andree | 2021-08-26 | 2 | -35/+43 |
| | |||||
* | fetchmail.c: fix typo in comment. | Matthias Andree | 2021-08-26 | 1 | -1/+1 |
| | |||||
* | IMAP: log error if --auth external requested but server does not advertise it. | Matthias Andree | 2021-08-26 | 3 | -35/+56 |
| | |||||
* | imap.c: one FIXME for command continuation requests | Matthias Andree | 2021-08-26 | 1 | -0/+3 |
| | |||||
* | IMAP: two more AUTHENTICATE EXTERNAL fixes | Matthias Andree | 2021-08-26 | 2 | -2/+17 |
| | |||||
* | IMAP: fix base64 length calc. for AUTH=EXTERNAL | Matthias Andree | 2021-08-26 | 3 | -1/+7 |
| | | | | to make code more correct or readable; to64frombits does not overflow its buffer | ||||
* | IMAP: don't send * after failed AUTHENTICATE EXTERNAL | Matthias Andree | 2021-08-26 | 2 | -2/+4 |
| | | | | ...i. e. after receiving tagged response. | ||||
* | IMAP: rename misnamed function and variable | Matthias Andree | 2021-08-26 | 1 | -5/+5 |
| | |||||
* | Bump version to 6.4.22.rc1 | Matthias Andree | 2021-08-26 | 2 | -2/+2 |
| | |||||
* | manpage: Fix indentation under --sslproto | Matthias Andree | 2021-08-26 | 1 | -3/+3 |
| | | | | The 2nd and 3rd paragraph used .PP, fix this to use .IP. | ||||
* | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS | Matthias Andree | 2021-08-26 | 3 | -18/+27 |
| | |||||
* | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed | Matthias Andree | 2021-08-26 | 5 | -64/+230 |
| | | | | | | | | | | On --sslproto auto (or other nonempty values), when receiving IMAP PREAUTH state, abort the connection, rather than continuing with cleartext. --ssl is unaffected because it always negotiates TLS. See fetchmail-SA-2021-02.txt for details. | ||||
* | 6.5.0.beta5: mention regression fix and idle timeout. | Matthias Andree | 2021-08-09 | 1 | -1/+2 |
| | |||||
* | Announce 6.4.21 and 6.5.0.beta5. | Matthias Andree | 2021-08-09 | 1 | -10/+12 |
| | |||||
* | Bump version to 6.4.21. | Matthias Andree | 2021-08-09 | 2 | -2/+2 |
| | |||||
* | Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3. | Matthias Andree | 2021-08-09 | 1 | -22/+40 |
| | |||||
* | NEWS/6.4.20: Fix typo in CVE number. | Matthias Andree | 2021-08-09 | 1 | -1/+1 |
| | |||||
* | Fix --logfile and message truncation issue. | Matthias Andree | 2021-08-09 | 2 | -1/+20 |
| | | | | | | | | | | | | | | | | | Regression in 6.4.20's security fix (Git commit c546c829). We doubly incremented partial_message_size_used on modern systems (stdard.h/vsnprintf), once in report_vbuild() and then again in report_build(), so the 2nd and subsequent report_build() fragments landed too late in the buffer. This will not cause overruns due to the reallocation prior to the vsnprintf/sprintf, but it write starts behind the '\0' byte, instead of right over it, so the string also gets truncated to the first fragment written with report_vbuild(). Fix by moving the increment back into the #else...#endif part that does not use report_vbuild(). Reported by: Jürgen Edner, Erik Christiansen | ||||
* | fetchmail-SA-2021-01.txt: Replace copy by symlink | Matthias Andree | 2021-08-03 | 1 | -119/+1 |
| | | | | for website, for consistency with other fetchmail security announcements | ||||
* | update fetchmail-SA-2021-01 | Matthias Andree | 2021-08-03 | 1 | -40/+51 |
| | | | | and reference fetchmail-SA-2008-01/CVE-2008-2711 | ||||
* | website: ext. link updates for openssh, getmail6 | Matthias Andree | 2021-08-03 | 1 | -2/+4 |
| |