| Commit message | Author | Age | Files | Lines |
| |
Removes SSLv2, enables TLSv1.1 and v1.2 more easily,
permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS.
Only negotiates TLSv1 and newer by default, SSLv3 must now be specified
explicitly, as a consequence of the POODLE attack.
This is meant to be a minimally upgraded version, and cannot be usefully
done as a 6.3.X release.
It is strongly recommended that users review their configuration -
especially --sslproto - per instructions in the NEWS file and manual
page. It has changed semantics and in many cases --sslproto auto or
perhaps --sslproto tls1.2+ should be used now.
| |
(socket.c cherry-pick from master)
| |
These are the macros OpenSSL defines when configured with no-ssl2 or no-ssl3,
the actual macro names are OPENSSL_NO_SSL2 and OPENSSL_NO_SSL3.
| |
providing that these also omit the declaration of SSLv3_client_method().
Related to Debian Bug#775255.
Version report lists -SSLv3 on +SSL builds that omit SSLv3_client_method().
Version report lists -SSLv2 on +SSL builds that omit SSLv2_client_method().
| |
In response to Jeremy Chadwick's trouble 2014-11-19, fetchmail-users.
| |
Re-sign EN and SAs because that broke signatures.
| |
Reported by Gonzalo Pérez de Olaguer Córdoba, Debian Bug#744907.
| |
Fixes Debian Bug#706776, submitted by David Lawyer.
| |
The mimedecode feature failed to ship the last line of the body if it
was encoded as quoted-printable and had a MIME soft line break in the
very last line. Reported by Lars Hecking in June 2011.
Bug introduced on 1998-03-20 when the mimedecode support was added by
ESR before release 4.4.1 through code contributed by Henrik Storner,
in driver.c.
Workaround for older releases: do not use mimedecode feature.
| |
The fetchmail manual page now refers the user to --softbounce from the
SMTP/ESMTP ERROR HANDLING section. Reported by Anton Shterenlikht.
| |
The fetchmail manual page no longer claims that MD5 was the default OpenSSL
hash format (for use with --sslfingerprint).
Reported by Jakob Wilk, PARTIAL fix for Debian Bug#700266.
| |
While running a static code analysis tool (Parfait) on fetchmail, it found some
bugs:
Error: Memory leak (CWE 401)
Memory leak of pointer 'plugin_copy' allocated with malloc((plugin_copy_len + 1))
at line 137 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'parse_plugin'.
'plugin_copy' allocated at line 107 with malloc((plugin_copy_len + 1)).
plugin_copy leaks when plugin_copy_offset >= plugin_copy_len at line 114.
Error: Null pointer dereference (CWE 476)
Read from null pointer 'argvec'
at line 189 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
at line 190 of components/fetchmail/fetchmail-6.3.22/socket.c in function 'handle_plugin'.
Function 'parse_plugin' may return constant 'NULL' at line 137, called at line 188.
Null pointer introduced at line 137 in function 'parse_plugin'.
(I realize these are on 6.3.22; I checked and verified that this portion of
the code is the same in 6.3.24.)
The attached patch fixes each of these.
(Note by Matthias Andree:
The NULL pointer dereference fix does not require error reporting,
because parse_plugin() will already have reported the out-of-memory
error that causes the NULL to be returned.)
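
The error-handling pattern the Parfait findings above call for, as an added example (not fetchmail's socket.c and not the attached patch): the parser frees its partial allocations on every early return, and the caller tests for NULL before reading the vector. cmdline_parse, plugin_argc and the live_allocs counter are hypothetical names invented for this illustration.

```c
#include <stdlib.h>
#include <string.h>

static long live_allocs;            /* outstanding allocations, for leak checks */
static void *t_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void t_free(void *p) { if (p) { live_allocs--; free(p); } }
struct cmdline { char *buf; char **argv; size_t argc; };

static void cmdline_free(struct cmdline *c)
{
    if (c) { t_free(c->argv); t_free(c->buf); t_free(c); }
}

/* Split cmd on spaces into at most max_args words. Returns NULL on any
 * failure, releasing every partial allocation first (the CWE-401 side). */
static struct cmdline *cmdline_parse(const char *cmd, size_t max_args)
{
    struct cmdline *c = t_alloc(sizeof *c);
    if (c == NULL) return NULL;
    c->argc = 0;
    c->buf = t_alloc(strlen(cmd) + 1);
    c->argv = t_alloc((max_args + 1) * sizeof *c->argv);
    if (c->buf == NULL || c->argv == NULL) goto fail;
    strcpy(c->buf, cmd);
    for (char *w = strtok(c->buf, " "); w != NULL; w = strtok(NULL, " ")) {
        if (c->argc == max_args) goto fail;   /* early exit must free too */
        c->argv[c->argc++] = w;
    }
    if (c->argc == 0) goto fail;              /* empty command line */
    c->argv[c->argc] = NULL;
    return c;
fail:
    cmdline_free(c);
    return NULL;
}

/* Caller tests for NULL before reading argv (the CWE-476 side). Returns argc or -1. */
static int plugin_argc(const char *cmd, size_t max_args)
{
    struct cmdline *c = cmdline_parse(cmd, max_args);
    if (c == NULL) return -1;
    int n = (int)c->argc;
    cmdline_free(c);
    return n;
}

int main(void)
{
    return plugin_argc("ssh -q host imapd", 8) == 4 && plugin_argc("a b c", 2) == -1 ? 0 : 1;
}
```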
| |
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
working around a not-so-recent swapping of two OpenSSL error codes, and
a practical impossibility to distinguish broken certification chains from
missing trust anchors (root certificates).
* OpenSSL decoded errors are now reported through report(), rather than dumped
to stderr, so that they should show up in logfiles and/or syslog.
| |
Older systems that provide the older RFC-2553 implementation of
getaddrinfo, rather than the current RFC-3493, and systems that do not
provide this getaddrinfo() interface at all and thus use the replacement
functions from libesmtp/getaddrinfo.?, might return EAI_NODATA when a
host is registered in DNS as MX or similar, but without A or AAAA
records. Handle this situation when checking for multidrop aliases and
treat EAI_NODATA the same as EAI_NONAME, i.e. name cannot be resolved.
The proper fix, however, is to upgrade the operating system.