Softpedia >Mac >Internet Utilities >Fetchmail >  Changelog

Fetchmail Changelog

What's new in Fetchmail 6.3.21

May 3, 2012
  • CRITICAL BUG FIX:
  • The IMAP client no longer inserts NUL bytes into the last line of a message when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt. As a side effect of the fix, and in order to avoid a full rewrite, fetchmail will now CRLF-terminate the last line fetched through IMAP, even if it is originally not terminated by LF or CRLF. This bears no relevance if your messages end up in mbox, but adds line termination for storages (like Maildir) that do not require that the last line be LF- or CRLF-terminated.
  • CONTRIB/ addition:
  • There is a patch against fetchnews's source, contrib/rawlog.patch, that can log (and hexdump non-printing characters) raw socket data to a file. It proved useful to debug Antoine's bug described above.

New in Fetchmail 6.3.14 (Feb 25, 2010)

  • SECURITY FIXES
  • SSL/TLS certificate information is now also reported properly on computers
  • that consider the "char" type signed. Fixes malloc() buffer overrun.
  • Workaround for older versions: do not use verbose mode.
  • See fetchmail-SA-2010-01.txt for details, including a minimal patch.
  • BUG FIXES
  • The IMAP client no longer skips messages from several IMAP servers including
  • Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
  • ignored some untagged responses when it should not (b) relied on EXISTS
  • messages in response to EXPUNGE, which aren't mandated by RFC-3501 (the IMAP
  • standard) and aren't sent by Dovecot either.
  • Fix by Sunil Shetye (the fix also consolidates IMAP response handling,
  • improving overall robustness of the IMAP client), bug report and testing by
  • Matt Doran, with further hints from Timo Sirainen.
  • The SMTP client now recovers from errors (such as servers dropping the
  • connection after errors) when sending an RSET command.
  • Fix by Sunil Shetye. Report by James Moe.
  • The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH UNSEEN NOT
  • DELETED" again on IMAP2, to fix a regression in fetchmail 6.2.5 reported by
  • Will Stringer in June 2004. (Sunil Shetye)
  • The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4 and IMAP4r1
  • servers (Sunil Shetye).
  • Workaround: The IMAP client now falls back to "FETCH n:m FLAGS" if the server
  • does not support "SEARCH". (Sunil Shetye)
  • The IMAP client now requests message numbers in batches of 1,000 to avoid
  • problems if there are more than 1860 unseen messages. (Sunil Shetye)
  • Note that this wasn't security relevant because fetchmail would only read up
  • to the maximum buffer size and leave the remainder of the string unread, going
  • out of synch afterwards.
  • Stricter validation of IMAP responses containing byte or message counts.
  • CHANGES
  • Only include gssapi.h if we're not including gssapi/gssapi.h, to fix a FreeBSD
  • compiler warning about gssapi.h being obsolete.

New in Fetchmail 6.3.13 (Jan 14, 2010)

  • REGRESSION FIXES
  • The multiline SMTP error fix in release 6.3.12 caused fetchmail to lose
  • message codes 400..599 and treat all of these as temporary error. This would
  • cause messages to be left on the server even if softbounce was turned off.
  • Reported by Thomas Jarosch.
  • TRANSLATION UPDATES
  • [cs] Czech, by Petr Pisar
  • [zh_CN] Chinese (simplified), by Ji ZhengYu
  • [nl] Dutch, by Erwin Poeze
  • [id] Indonesian, by Andhika Padmawan
  • [ja] Japanese, by Takeshi Hamasaki
  • [pl] Polish, by Jakub Bogusz
  • [es] Spanish (Castilian), by Franciso Molinero
  • [vi] Vietnamese, by Clytie Siddall

New in Fetchmail 6.3.9 (Dec 20, 2008)

  • The MX and host alias DNS lookups that fetchmail performs in multidrop mode are based on assumptions that are rarely met in practice, somewhat defective, deprecated and may be removed from a future fetchmail version. They have never supported IPv6 (including IPv6-mapped IPv4). Non-DNS based alias keywords such as "aka" will remain in fetchmail.
  • The monitor and interface options may be removed from a future fetchmail version as they are not reasonably portable.
  • POP2 is obsolete, support will be removed from a future fetchmail version.
  • RPOP is obsolete, support will be removed from a future fetchmail release.
  • --sslcertck will become a default setting in a future fetchmail version.
  • The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release.
  • The "envelope Received" option may be removed from a future release, because the Received header was never meant to be machine-readable, the format varies widely, and various other differences in behavior make parsing Received an unreliable undertaking. The envelope option as such will remain though, in order to support Delivered-To, X-Envelope-To, X-Original-To and similar. See also .
  • The --enable-fallback (fall back to MDA if MTA unavailable) will be removed from a future fetchmail release, because it makes fetchmail's behavior inconsistent and confusing.
  • The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended.
  • Kerberos IV support may be removed from a future fetchmail release.
  • SIGHUP wakeup support may be removed from a future fetchmail release and cause fetchmail to terminate - it was broken for many years.
  • Support for operating systems that are not sufficiently POSIX compliant may be removed or operation on such systems may be suboptimal for future releases.
  • SECURITY AND CRITICAL BUG FIXES:
  • CVE-2007-4565: Denial of service: When fetchmail tries to inject a warning message it created itself, and the message is refused by the SMTP listener, fetchmail dereferences a NULL pointer and crashes. Report & fix by Earl Chew. Note while this is theoretically a remote denial of service attack vector, fetchmail by default talks SMTP to the localhost, so the overall risk is rather low. This bug was apparently introduced on 1998-11-27 when the bouncemail facility was modularized. The bug then made its appearance in fetchmail release 4.6.8. See also fetchmail-SA-2007-02.txt.
  • CVE-2008-2711: Denial of service: When fetchmail logs data blobs (for instance, a To: header in -v -v verbose mode) in excess of 2048 bytes, it will crash, because it hands an uninitialized argument pointer (not the format string though) to vsnprintf and reads a random memory location (it calls va_arg() too often without resetting it with va_start()). Based on a patch (BerliOS patch #2492) by Petr Uzel, fixes Novell Bug #354291. Note 6.3.9-rc1 did not completely fix this issue, so it was redrawn a few hours after its release. See also fetchmail-SA-2008-01.txt.
  • When expunging, mark the right messages as seen to avoid message loss in "keep flush" configurations. Workaround for previous versions: "expunge 0". Report and patch by Alexander Cherepanov - thanks a lot, Berlios Bug #11797, "imap_mark_seen doesn't consider expunged messages".
  • SSL fix: close memory leak when SSL connection fails; fetchmail used to forget calling SSL_free() on the SSL context, leaking in excess of 500 kB RAM on a x86_64 system per failed SSL connection attempt. Bug reported and patch provided by Seiichi Ikarashi, Fujitsu.
  • BUG FIXES:
  • The configure script will additionally check for 'dn_skipname', to fix build failures with µClibc. The new check still recognizes the resolver libraries on Ubuntu 7.04, openSUSE 10.2, Solaris 8, NetBSD 4.0_BETA2 and FreeBSD 6.2. Fixes Gentoo bug #134187. NOTE: this is a bit of a hack, since we twist the HAVE_RES_SEARCH result, but res_search() and dn_skipname() are only used together and scheduled for removal in future versions, so this is probably fine.
  • No longer complain about invalid sslproto "" when POP3 CAPA probe fails. Fixes Debian Bug#421446 (Holger Leskien), Novell Bug #247233 (Jon Nelson). Thanks to Matthias Strauß for a configuration to reproduce the issue.
  • Allow .fetchmailrc and .fetchids to be symlinks, as the manpage does not document they aren't allowed - fixes Debian Bug #452907 (Roger Leigh). TOCTOU race persists.
  • fetchmailconf quotes mailbox (folder) names when writing the configuration. Fixes BerliOS Bug #13207 (reported + fix suggested by Terry Brown).
  • Only print "Deleting fetchids file" if there actually is one. Fixes Debian Bug#374514, reported by Dan Jacobson.
  • SSL fix: check and report if SSL_set_fd fails.
  • CHANGES:
  • autoconf 2.60 is now required to build fetchmail; it uses AC_USE_SYSTEM_EXTENSIONS to replace AC_AIX, AC_MINIX, and the like.
  • Removed dead FETCHMAIL_DEBUG code from fetchmail.h that was disabled by default with no switches in configure to enable it. However, the macro would have been prone to a symlink attack. Found by Nico Golde.
  • Removed dead FORCE_STUFFING code from socket.c that was disabled by default with no switches in configure to enable it.
  • Include the typedef for int16 in the #ifndef _AIX in smbencrypt.c (Peter O'Gorman)
  • Correct check for u_int32_t in configure.ac (seems to be typedef'ed in namser.h on some platforms.) (Peter O'Gorman)
  • In configure.ac change all CPFLAGS to CPPFLAGS, CEFLAGS to CFLAGS and LDEFLAGS to LDFLAGS otherwise the results of some tests (additional -L and -I flags) do not get used for later tests causing incorrect configure results. Makefile.am was also changed to reflect this. (Peter O'Gorman)
  • m4/gethostbyname_r.m4 does AC_TRY_COMPILE, which unfortunately can pass even if there is no gethostbyname_r. Changed to AC_TRY_LINK. (Peter O'Gorman)
  • Revise getnameinfo check to ensure NULL is defined and the result is properly evaluated, to avoid bogus results on for instance FreeBSD and redefinitions of NI_at compile time. (Matthias Andree).
  • __attribute__ ((unused)) is a gccism, removed from libesmtp/gethostbyname.c. (Peter O'Gorman)
  • In KAME/getnameinfo.c it's best to use the correct argument to inet_ntoa. (Peter O'Gorman)
  • In verbose mode, log if --check mode is enabled.
  • Add sslcommonname option (rcfile and commandline) as a way to work around misconfigured upstream SSL servers that use the wrong certificate name. It specifies which CommonName fetchmail expects and logs. (Daniel Richard G.)
  • Changed CRLF to LF line endings in contrib/delete-later (reporter: Petr Uzel)
  • SSL change: enable all workarounds with SSL_CTX_set_options(ctx,SSL_OP_ALL)
  • All translations have been re-enabled, in an attempt to rekindle translator or user interest.
  • DOCUMENTATION:
  • Add fetchmail-SA-2007-02.txt and fetchmail-SA-2008-01.txt.
  • Re-add two lines to the manual page that had accidentally become comments to nroff. One was part of the --sslproto documentation, and one in the "Awakening the background daemon" section.
  • The manual page no longer asserts that .fetchids were for exclusive POP3 use, since it is planned to use the file with IMAP4 later.
  • Add grammar fixes from Dan Jacobson to fetchmail.man. Debian Bug #461642.
  • The manual page now mentions that user descriptions need to come before user options. Reported by Francensco Pontortì, to fix Debian Bug #467010.
  • The manual page no longer hints that multi-user declarations per server were only useful in daemon mode running as root, to avoid hinting people to doing that.
  • Several manual page rcfile examples now include "ssl".
  • The manual page hints that option arguments beginning with numbers can be enclosed in quotes.
  • The manual page now mentions that the --logfile must already exist before fetchmail is run.
  • The FAQ now recommends (#I9) not to use Google Mail for their disregard to the protocols they claim to support.
  • Documentation and program output now /consistently/ claim that the rcfile must not have more than 0700 (u=rwx,g=,o=) permissions, but fetchmail will still silently accept additional g=x permissions for compatibility with previous 6.2.X and 6.3.X versions. Inconsistency (program 0710, manpage 0600) reported by Petr Uzel.
  • The --logfile documentation is now clearer about requiring detached daemon