Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Add CVE ID; revise TLS docs & fetchmail-SA-2021-02 | Matthias Andree | 2021-08-27 | 4 | -87/+94 |
| | |||||
* | fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope" | Matthias Andree | 2021-08-27 | 3 | -2/+7 |
| | Reported by Bjørn Mork, fixes Debian Bug#992400. Crash happens inside xstrdup() on a strlen((char *)-1) where the argument is constant and the trigger is a local trusted configuration file, so not deemed a vulnerability. | ||||
* | po/de.po: Update German translation. | Matthias Andree | 2021-08-27 | 1 | -274/+333 |
| | |||||
* | Misc POP3 cleanups. | Matthias Andree | 2021-08-26 | 1 | -5/+6 |
| | |||||
* | SECURITY: imap.c, pop3.c: STARTTLS drops state | Matthias Andree | 2021-08-26 | 2 | -35/+43 |
| | We need to lose all state after STARTTLS to safeguard from attacks against the clear-text part of the session. | ||||
* | NEWS: reword 6.4.21 regression fix to include --syslog | Matthias Andree | 2021-08-26 | 1 | -1/+1 |
| | |||||
* | fetchmail.c: reword port/--ssl checks to nudge user towards --ssl | Matthias Andree | 2021-08-26 | 1 | -2/+2 |
| | |||||
* | sanity check well-known POP3/IMAP ports vs. SSL | Matthias Andree | 2021-08-26 | 2 | -0/+13 |
| | Gitlab: Closes #31. (cherry picked from commit da6eb347af326912560f56081d603a0a78c3d56d) | ||||
* | lock.c: fix unused-value warning in unlockit(). | Matthias Andree | 2021-08-26 | 1 | -2/+5 |
| | |||||
* | POP3: make CAPA parser caseblind. | Matthias Andree | 2021-08-26 | 2 | -0/+4 |
| | |||||
* | xmalloc.h: Add GCC malloc attribute to xmalloc(). | Matthias Andree | 2021-08-26 | 1 | -1/+5 |
| | |||||
* | imap.c, report.c: remove or comment dead stores. | Matthias Andree | 2021-08-26 | 2 | -3/+6 |
| | |||||
* | SECURITY: POP3: changes for --auth ssh and RPA | Matthias Andree | 2021-08-26 | 3 | -43/+69 |
| | These no longer defeat STARTTLS negotiation, and RPA is only attempted with --auth any. | ||||
* | NEWS: Deprecate RPA and other nonstandard auth' schemes. | Matthias Andree | 2021-08-26 | 1 | -0/+4 |
| | |||||
* | socket.c: plugin/plugout SIGSEGV and memleak fixes | Matthias Andree | 2021-08-26 | 2 | -12/+30 |
| | |||||
* | IMAP: record server's CAPABILITY data in pre-auth state. | Matthias Andree | 2021-08-26 | 2 | -7/+47 |
| | Saves one or two (STARTTLS) application-level round-trips. | ||||
* | IMAP: report 'upgrade to TLS succeeded' before CAPA probe | Matthias Andree | 2021-08-26 | 1 | -4/+4 |
| | ...after successful STARTTLS, to show the logical order of events. | ||||
* | SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED. | Matthias Andree | 2021-08-26 | 2 | -35/+43 |
| | |||||
* | fetchmail.c: fix typo in comment. | Matthias Andree | 2021-08-26 | 1 | -1/+1 |
| | |||||
* | IMAP: log error if --auth external requested but server does not advertise it. | Matthias Andree | 2021-08-26 | 3 | -35/+56 |
| | |||||
* | imap.c: one FIXME for command continuation requests | Matthias Andree | 2021-08-26 | 1 | -0/+3 |
| | |||||
* | IMAP: two more AUTHENTICATE EXTERNAL fixes | Matthias Andree | 2021-08-26 | 2 | -2/+17 |
| | |||||
* | IMAP: fix base64 length calc. for AUTH=EXTERNAL | Matthias Andree | 2021-08-26 | 3 | -1/+7 |
| | to make code more correct or readable; to64frombits does not overflow its buffer | ||||
* | IMAP: don't send * after failed AUTHENTICATE EXTERNAL | Matthias Andree | 2021-08-26 | 2 | -2/+4 |
| | ...i. e. after receiving tagged response. | ||||
* | IMAP: rename misnamed function and variable | Matthias Andree | 2021-08-26 | 1 | -5/+5 |
| | |||||
* | Bump version to 6.4.22.rc1 | Matthias Andree | 2021-08-26 | 2 | -2/+2 |
| | |||||
* | manpage: Fix indentation under --sslproto | Matthias Andree | 2021-08-26 | 1 | -3/+3 |
| | The 2nd and 3rd paragraph used .PP, fix this to use .IP. | ||||
* | SECURITY: IMAP: --auth ssh no longer prevents STARTTLS | Matthias Andree | 2021-08-26 | 3 | -18/+27 |
| | |||||
* | SECURITY: IMAP: PREAUTH->abort if STARTTLS needed | Matthias Andree | 2021-08-26 | 5 | -64/+230 |
| | On --sslproto auto (or other nonempty values), when receiving IMAP PREAUTH state, abort the connection, rather than continuing with cleartext. --ssl is unaffected because it always negotiates TLS. See fetchmail-SA-2021-02.txt for details. | ||||
* | 6.5.0.beta5: mention regression fix and idle timeout. | Matthias Andree | 2021-08-09 | 1 | -1/+2 |
| | |||||
* | Announce 6.4.21 and 6.5.0.beta5. | Matthias Andree | 2021-08-09 | 1 | -10/+12 |
| | |||||
* | Bump version to 6.4.21. | Matthias Andree | 2021-08-09 | 2 | -2/+2 |
| | |||||
* | Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3. | Matthias Andree | 2021-08-09 | 1 | -22/+40 |
| | |||||
* | NEWS/6.4.20: Fix typo in CVE number. | Matthias Andree | 2021-08-09 | 1 | -1/+1 |
| | |||||
* | Fix --logfile and message truncation issue. | Matthias Andree | 2021-08-09 | 2 | -1/+20 |
| | Regression in 6.4.20's security fix (Git commit c546c829). We doubly incremented partial_message_size_used on modern systems (stdarg.h/vsnprintf), once in report_vbuild() and then again in report_build(), so the 2nd and subsequent report_build() fragments landed too late in the buffer. This will not cause overruns due to the reallocation prior to the vsnprintf/sprintf, but the write starts behind the '\0' byte, instead of right over it, so the string also gets truncated to the first fragment written with report_vbuild(). Fix by moving the increment back into the #else...#endif part that does not use report_vbuild(). Reported by: Jürgen Edner, Erik Christiansen | ||||
* | fetchmail-SA-2021-01.txt: Replace copy by symlink | Matthias Andree | 2021-08-03 | 1 | -119/+1 |
| | for website, for consistency with other fetchmail security announcements | ||||
* | update fetchmail-SA-2021-01 | Matthias Andree | 2021-08-03 | 1 | -40/+51 |
| | and reference fetchmail-SA-2008-01/CVE-2008-2711 | ||||
* | website: ext. link updates for openssh, getmail6 | Matthias Andree | 2021-08-03 | 1 | -2/+4 |
| | |||||
* | Update website for 6.5.0.beta4 release. | Matthias Andree | 2021-08-03 | 3 | -13/+141 |
| | |||||
* | update Git commit hash for CVE-2021-36386 correction | Matthias Andree | 2021-07-28 | 1 | -15/+16 |
| | |||||
* | fetchmail-SA-2021-01: GnuPG clearsign. | Matthias Andree | 2021-07-28 | 1 | -0/+19 |
| | |||||
* | Get ready for 6.4.20. | Matthias Andree | 2021-07-28 | 4 | -6/+6 |
| | |||||
* | Add fetchmail-SA-2021-01.txt. CVE-2021-36386. | Matthias Andree | 2021-07-28 | 2 | -0/+100 |
| | |||||
* | Fix SIGSEGV when resizing report*() buffer. | Matthias Andree | 2021-07-28 | 2 | -61/+95 |
| | Reported (with a different patch suggestion) by Christian Herdtweck <christian.herdtweck@intra2net.com>. Note that vsnprintf() calls va_arg(), and depending on operating system, compiler, configuration, this will invalidate the va_list argument pointer, so that va_start has to be called again before a subsequent vsnprintf(). However, it is better to do away with the loop and the trial-and-error, and leverage the return value of vsnprintf instead for a direct one-off resizing, whilst taking into account that on SUSv2 systems, the return value can be useless if the size argument to vsnprintf is 0. | ||||
* | website: Announce 6.5.0-beta3. | Matthias Andree | 2021-04-24 | 1 | -3/+3 |
| | |||||
* | Announce 6.4.19 on website. | Matthias Andree | 2021-04-24 | 1 | -4/+4 |
| | |||||
* | Checkin what's in the 6.4.19 tarballs. | Matthias Andree | 2021-04-24 | 2 | -771/+527 |
| | |||||
* | Get ready for 6.4.19. | Matthias Andree | 2021-04-24 | 3 | -3/+3 |
| | |||||
* | fetchmailconf: properly catch and report option parsing errors | Matthias Andree | 2021-04-24 | 2 | -10/+27 |
| | |||||
* | NEWS: credit Miroslav Nikolić for updating translation. | Matthias Andree | 2021-03-31 | 1 | -0/+4 |
| |