path: root/NEWS
Commit message | Author | Age | Files | Lines
* NEWS: Credit RC testers. | Matthias Andree | 2021-08-29 | 1 | -0/+4
* NEWS: credit translators. | Matthias Andree | 2021-08-29 | 1 | -1/+3
  Göran Uddeborg (Swedish) was credited in a5a961e7c45fb4d1cdc700e7dcd2ff55ab2b1b51, without explicit mention in the header. Credit Jakub Bogusz (Polish) and Besnik Bleta (Albanian).
* socket.c: invalid sslproto no longer abort()s | Matthias Andree | 2021-08-28 | 1 | -1/+4
* Credit fr/eo translators. | Matthias Andree | 2021-08-27 | 1 | -0/+4
* imap.c, pop3.c: fix protocol regression of 6.4.22.rc1 | Matthias Andree | 2021-08-27 | 1 | -0/+4
  fetchmail 6.4.22.rc1 clobbered its IMAP state too late, and lost information on the protocol version in many circumstances. Consequently, it tried to talk IMAP4 to IMAP4rev1 servers, which failed. This fix the clear_sessiondata() out to the new constructor and destructor, such that imap_getauth() only needs to call it after STARTTLS, when it must re-probe CAPABILITY anyways. This was the same bug for POP3, which however does not collect state from the greeting, so that the bug was without effect for POP3. Reported by: Corey Halpin, FreeBSD port maintainer.
* NEWS: fix typo. | Matthias Andree | 2021-08-27 | 1 | -1/+1
* Add CVE ID; revise TLS docs & fetchmail-SA-2021-02 | Matthias Andree | 2021-08-27 | 1 | -8/+10
* fetchmail.c: Fix SIGSEGV optmerge()ing "no envelope" | Matthias Andree | 2021-08-27 | 1 | -0/+5
  Reported by Bjørn Mork, fixes Debian Bug#992400. Crash happens inside xstrdup() on a strlen((char *)-1) where the argument is constant and the trigger is a local trusted configuration file, so not deemed a vulnerability.
* NEWS: reword 6.4.21 regression fix to include --syslog | Matthias Andree | 2021-08-26 | 1 | -1/+1
* sanity check well-known POP3/IMAP ports vs. SSL | Matthias Andree | 2021-08-26 | 1 | -0/+3
  Gitlab: Closes #31. (cherry picked from commit da6eb347af326912560f56081d603a0a78c3d56d)
* POP3: make CAPA parser caseblind. | Matthias Andree | 2021-08-26 | 1 | -0/+1
* SECURITY: POP3: changes for --auth ssh and RPA | Matthias Andree | 2021-08-26 | 1 | -1/+5
  These no longer defeat STARTTLS negotiation, and RPA is only attempted with --auth any.
* NEWS: Deprecate RPA and other nonstandard auth' schemes. | Matthias Andree | 2021-08-26 | 1 | -0/+4
* socket.c: plugin/plugout SIGSEGV and memleak fixes | Matthias Andree | 2021-08-26 | 1 | -0/+4
* IMAP: record server's CAPABILITY data in pre-auth state. | Matthias Andree | 2021-08-26 | 1 | -0/+5
  Saves one or two (STARTTLS) application-level round-trips.
* SECURITY: IMAP: no longer permit LOGIN with LOGINDISABLED. | Matthias Andree | 2021-08-26 | 1 | -1/+3
* IMAP: log error if --auth external requested but server does not advertise it. | Matthias Andree | 2021-08-26 | 1 | -0/+2
* IMAP: two more AUTHENTICATE EXTERNAL fixes | Matthias Andree | 2021-08-26 | 1 | -1/+7
* IMAP: don't send * after failed AUTHENTICATE EXTERNAL | Matthias Andree | 2021-08-26 | 1 | -0/+4
  ...i.e. after receiving tagged response.
* SECURITY: IMAP: --auth ssh no longer prevents STARTTLS | Matthias Andree | 2021-08-26 | 1 | -0/+1
* SECURITY: IMAP: PREAUTH->abort if STARTTLS needed | Matthias Andree | 2021-08-26 | 1 | -0/+17
  On --sslproto auto (or other nonempty values), when receiving IMAP PREAUTH state, abort the connection, rather than continuing with cleartext. --ssl is unaffected because it always negotiates TLS. See fetchmail-SA-2021-02.txt for details.
* NEWS/6.4.20: Fix typo in CVE number. | Matthias Andree | 2021-08-09 | 1 | -1/+1
* Fix --logfile and message truncation issue. | Matthias Andree | 2021-08-09 | 1 | -0/+18
  Regression in 6.4.20's security fix (Git commit c546c829). We doubly incremented partial_message_size_used on modern systems (stdarg.h/vsnprintf), once in report_vbuild() and then again in report_build(), so the 2nd and subsequent report_build() fragments landed too late in the buffer. This will not cause overruns due to the reallocation prior to the vsnprintf/sprintf, but the write starts behind the '\0' byte, instead of right over it, so the string also gets truncated to the first fragment written with report_vbuild(). Fix by moving the increment back into the #else...#endif part that does not use report_vbuild(). Reported by: Jürgen Edner, Erik Christiansen
* Get ready for 6.4.20. | Matthias Andree | 2021-07-28 | 1 | -1/+1
* Fix SIGSEGV when resizing report*() buffer. | Matthias Andree | 2021-07-28 | 1 | -0/+18
  Reported (with a different patch suggestion) by Christian Herdtweck <christian.herdtweck@intra2net.com>. Note that vsnprintf() calls va_arg(), and depending on operating system, compiler, configuration, this will invalidate the va_list argument pointer, so that va_start has to be called again before a subsequent vsnprintf(). However, it is better to do away with the loop and the trial-and-error, and leverage the return value of vsnprintf instead for a direct one-off resizing, whilst taking into account that on SUSv2 systems, the return value can be useless if the size argument to vsnprintf is 0.
* Get ready for 6.4.19. | Matthias Andree | 2021-04-24 | 1 | -1/+1
* fetchmailconf: properly catch and report option parsing errors | Matthias Andree | 2021-04-24 | 1 | -0/+3
* NEWS: credit Miroslav Nikolić for updating translation. | Matthias Andree | 2021-03-31 | 1 | -0/+4
* fetchmail.c: LMTP don't validate "port" on UNIX-domain sockets | Matthias Andree | 2021-03-29 | 1 | -0/+7
  (those with a file path). Closes: #33
* NEWS: Fix LoC and release date. | Matthias Andree | 2021-03-27 | 1 | -1/+1
* Prepare for 6.4.18. | Matthias Andree | 2021-03-27 | 1 | -3/+6
* socket.c: SSL_use_PrivateKey_file <- SSL_use_RSAPrivateKey_file, | Matthias Andree | 2021-03-13 | 1 | -1/+4
  the latter is deprecated in OpenSSL 3, and the user might use some other key than RSA.
* OpenSSL: permit deprecated features, | Matthias Andree | 2021-03-13 | 1 | -0/+2
  to avoid compatibility issues with new OpenSSL versions later on.
* Mention fetchmailconf regression fix. | Matthias Andree | 2021-03-13 | 1 | -0/+13
* Prepare 6.4.17 release. | Matthias Andree | 2021-03-07 | 1 | -1/+1
* getstats.py: count *.py files, too | Matthias Andree | 2021-03-07 | 1 | -0/+1
* NEWS: mention fetchmailconf's printing Python version. | Matthias Andree | 2021-03-07 | 1 | -0/+1
* imap.c: fix memory leak in timeout situation for LOGIN auth | Matthias Andree | 2021-02-14 | 1 | -0/+4
  ...which uses siglongjmp() so that gen_transact() will not return. Note, just in case, this uses local static buffers and is not thread-safe.
* fetchmail.man: tell user to add --ssl for TLS-wrapped ports | Matthias Andree | 2021-02-14 | 1 | -0/+4
* Credit Takeshi Hamasaki/Japanese translation. | Matthias Andree | 2021-02-09 | 1 | -20/+26
* Record 6.4.16 state. | Matthias Andree | 2021-02-08 | 1 | -1/+1
* NEWS: credit translators. | Matthias Andree | 2021-02-03 | 1 | -1/+1
* NEWS: credit translators. | Matthias Andree | 2021-01-31 | 1 | -1/+11
* configure.ac: don't call AC_LIB_LINKFLAGS --without-ssl | Matthias Andree | 2021-01-30 | 1 | -0/+2
* --version: print OpenSSL versions build/run-time and directories | Matthias Andree | 2021-01-30 | 1 | -0/+3
* NEWS: Whitespace fix. | Matthias Andree | 2021-01-30 | 1 | -1/+1
* --version: print default cert paths, and document SSL_CERT_* in manpage | Matthias Andree | 2021-01-30 | 1 | -0/+13
  When Gene Heskett was updating his OpenSSL on Debian oldstable, we figured that it might be helpful to print where OpenSSL goes to look for the trusted certificate. Add this information. Also add documentation of OpenSSL's SSL_CERT_DIR/SSL_CERT_FILE environment variables.
* fetchmail.man: correct and extend duplicate-suppression behavior | Matthias Andree | 2021-01-30 | 1 | -0/+10
  This was found by Julian Bane debugging a situation where duplicate suppression did not kick in (due to envelope-recording headers, X-Original-To, Delivered-To). Historic behavior now documented in fetchmail.man and NEWS in order to reduce confusion. Gitlab, fixes issue #29.
* Add support for sslcertfile. | Matthias Andree | 2021-01-03 | 1 | -6/+14
  (cherry picked from commit 204541b6d2ccdbd2111e346f47fd69316ed3ef7d)
* NEWS: add one fix for 6.4.3 and give one Debian Bug ref. | Matthias Andree | 2021-01-03 | 1 | -1/+2
  Mention 6.4.3 esmtpname/esmtppassword fix. Found while reviewing Earl Chew's same fix on 'next' branch. Reference MDA single-quoting issue by Debian Bug#347909 id.