aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* NEWS: fix typo.Matthias Andree2021-08-271-1/+1
|
* README.SSL-SERVER: require TLS 1.2/1.3Matthias Andree2021-08-271-0/+5
|
* get ready for 6.4.22.rc1.Matthias Andree2021-08-273-20/+32
|
* Doxyfile: updatesMatthias Andree2021-08-271-53/+122
|
* Add CVE ID; revise TLS docs & fetchmail-SA-2021-02Matthias Andree2021-08-274-87/+94
|
* fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope"Matthias Andree2021-08-273-2/+7
| | | | | | | | Reported by Bjørn Mork, fixes Debian Bug#992400. Crash happens inside xstrdup() on a strlen((char *)-1) where the argument is constant and the trigger is a local trusted configuration file, so not deemed a vulnerability.
* po/de.po: Update German translation.Matthias Andree2021-08-271-274/+333
|
* Misc POP3 cleanups.Matthias Andree2021-08-261-5/+6
|
* SECURITY: imap.c, pop3.c: STARTTLS drops stateMatthias Andree2021-08-262-35/+43
| | | | | We need to lose all state after STARTTLS to safeguard from attacks against the clear-text part of the session.
* NEWS: reword 6.4.21 regression fix to include --syslogMatthias Andree2021-08-261-1/+1
|
* fetchmail.c: reword port/--ssl checks to nudge user towards --sslMatthias Andree2021-08-261-2/+2
|
* sanity check well-known POP3/IMAP ports vs. SSLMatthias Andree2021-08-262-0/+13
| | | | | Gitlab: Closes #31. (cherry picked from commit da6eb347af326912560f56081d603a0a78c3d56d)
* lock.c: fix unused-value warning in unlockit().Matthias Andree2021-08-261-2/+5
|
* POP3: make CAPA parser caseblind.Matthias Andree2021-08-262-0/+4
|
* xmalloc.h: Add GCC malloc attribute to xmalloc().Matthias Andree2021-08-261-1/+5
|
* imap.c, report.c: remove or comment dead stores.Matthias Andree2021-08-262-3/+6
|
* SECURITY: POP3: changes for --auth ssh and RPAMatthias Andree2021-08-263-43/+69
| | | | | These no longer defeat STARTTLS negotiation, and RPA is only attempted with --auth any.
* NEWS: Deprecate RPA and other nonstandard auth' schemes.Matthias Andree2021-08-261-0/+4
|
* socket.c: plugin/plugout SIGSEGV and memleak fixesMatthias Andree2021-08-262-12/+30
|
* IMAP: record server's CAPABILITY data in pre-auth state.Matthias Andree2021-08-262-7/+47
| | | | Saves one or two (STARTTLS) application-level round-trips.
* IMAP: report 'upgrade to TLS succeeded' before CAPA probeMatthias Andree2021-08-261-4/+4
| | | | ...after successful STARTTLS, to show the logical order of events.
* SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED.Matthias Andree2021-08-262-35/+43
|
* fetchmail.c: fix typo in comment.Matthias Andree2021-08-261-1/+1
|
* IMAP: log error if --auth external requested but server does not advertise it.Matthias Andree2021-08-263-35/+56
|
* imap.c: one FIXME for command continuation requestsMatthias Andree2021-08-261-0/+3
|
* IMAP: two more AUTHENTICATE EXTERNAL fixesMatthias Andree2021-08-262-2/+17
|
* IMAP: fix base64 length calc. for AUTH=EXTERNALMatthias Andree2021-08-263-1/+7
| | | | to make code more correct or readable; to64frombits does not overflow its buffer
* IMAP: don't send * after failed AUTHENTICATE EXTERNALMatthias Andree2021-08-262-2/+4
| | | | ...i. e. after receiving tagged response.
* IMAP: rename misnamed function and variableMatthias Andree2021-08-261-5/+5
|
* Bump version to 6.4.22.rc1Matthias Andree2021-08-262-2/+2
|
* manpage: Fix indentation under --sslprotoMatthias Andree2021-08-261-3/+3
| | | | The 2nd and 3rd paragraph used .PP, fix this to use .IP.
* SECURITY: IMAP: --auth ssh no longer prevents STARTTLSMatthias Andree2021-08-263-18/+27
|
* SECURITY: IMAP: PREAUTH->abort if STARTTLS neededMatthias Andree2021-08-265-64/+230
| | | | | | | | | | On --sslproto auto (or other nonempty values), when receiving IMAP PREAUTH state, abort the connection, rather than continuing with cleartext. --ssl is unaffected because it always negotiates TLS. See fetchmail-SA-2021-02.txt for details.
* 6.5.0.beta5: mention regression fix and idle timeout.Matthias Andree2021-08-091-1/+2
|
* Announce 6.4.21 and 6.5.0.beta5.Matthias Andree2021-08-091-10/+12
|
* Bump version to 6.4.21.Matthias Andree2021-08-092-2/+2
|
* Update fetchmail-SA-2021-01.txt with info on regression fix. v1.3.Matthias Andree2021-08-091-22/+40
|
* NEWS/6.4.20: Fix typo in CVE number.Matthias Andree2021-08-091-1/+1
|
* Fix --logfile and message truncation issue.Matthias Andree2021-08-092-1/+20
| | | | | | | | | | | | | | | | | Regression in 6.4.20's security fix (Git commit c546c829). We doubly incremented partial_message_size_used on modern systems (stdard.h/vsnprintf), once in report_vbuild() and then again in report_build(), so the 2nd and subsequent report_build() fragments landed too late in the buffer. This will not cause overruns due to the reallocation prior to the vsnprintf/sprintf, but it write starts behind the '\0' byte, instead of right over it, so the string also gets truncated to the first fragment written with report_vbuild(). Fix by moving the increment back into the #else...#endif part that does not use report_vbuild(). Reported by: Jürgen Edner, Erik Christiansen
* fetchmail-SA-2021-01.txt: Replace copy by symlinkMatthias Andree2021-08-031-119/+1
| | | | for website, for consistency with other fetchmail security announcements
* update fetchmail-SA-2021-01Matthias Andree2021-08-031-40/+51
| | | | and reference fetchmail-SA-2008-01/CVE-2008-2711
* website: ext. link updates for openssh, getmail6Matthias Andree2021-08-031-2/+4
|
* Update website for 6.5.0.beta4 release.Matthias Andree2021-08-033-13/+141
|
* update Git commit hash for CVE-2021-36386 correctionMatthias Andree2021-07-281-15/+16
|
* fetchmail-SA-2021-01: GnuPG clearsign.Matthias Andree2021-07-281-0/+19
|
* Get ready for 6.4.20.Matthias Andree2021-07-284-6/+6
|
* Add fetchmail-SA-2021-01.txt. CVE-2021-36386.Matthias Andree2021-07-282-0/+100
|
* Fix SIGSEGV when resizing report*() buffer.Matthias Andree2021-07-282-61/+95
| | | | | | | | | | | | | | Reported (with a different patch suggestion) by Christian Herdtweck <christian.herdtweck@intra2net.com>. Note that vsnprintf() calls va_arg(), and depending on operating system, compiler, configuration, this will invalidate the va_list argument pointer, so that va_start has to be called again before a subsequent vsnprintf(). However, it is better to do away with the loop and the trial-and-error, and leverage the return value of vsnprintf instead for a direct one-off resizing, whilst taking into account that on SUSv2 systems, the return value can be useless if the size argument to vsnprintf is 0.
* website: Announce 6.5.0-beta3.Matthias Andree2021-04-241-3/+3
|
* Announce 6.4.19 on website.Matthias Andree2021-04-241-4/+4
|