fetchmail-friends
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[fetchmail]fetchmail 6.3.1 stable release with security relevant bugfixes

2005-12-19 04:57:29
from [Matthias Andree] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I am announcing the release of fetchmail 6.3.1.

This release fixes a denial of service bug/fetchmail crash in multidrop
mode and several other annoyances, see below for a list of bugs fixed.

This is a recommended upgrade for all users of any previous fetchmail
versions. Distributors are sought to check opportunity to offer 6.3.1 as
upgrade for 6.2.X or previous releases.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=8405>

The SMTP/LMTP bug recently discussed on the fetchmail-devel mailing list
remains unfixed, I preferred the quick security fix over delaying the
release to have all fixes in. We still have the chance to a 6.3.2
release later :-)

These are the relevant changes in 6.3.1 since 6.3.0:

# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
  are obsolete, deprecated and may be removed from a future fetchmail version.
  They have never supported IPv6 (including IPv6-mapped IPv4) anyhow. (MA)
* The monitor and interface options may be removed from a future fetchmail
  version as they are not sufficiently portable. (MA)
* POP2 is obsolete.
  Support for POP2 may be removed from a future fetchmail version. (MA)
* RPOP is obsolete, support may be removed from a future fetchmail release. (MA)
* --sslcertck may become a default setting in a future fetchmail version. (MA)
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
  is deprecated and may be removed from a future release. (MA)

# SECURITY FIX IN THIS RELEASE
* CVE-2005-4348 Fix segmentation fault (null pointer dereference) in
  multidrop mode with headerless email.  See fetchmail-SA-2005-03.txt.
  Reported by Daniel Drake, patch by Sunil Shetye. (MA)

# OTHER BUG FIXES, DOCUMENTATION AND TRANSLATION UPDATES
* Fix broken default port in POP2. Patch by Stanislav Brabec, SUSE [CZ]. (MA)
* Fix manual page, some lines starting with ' were escaped by \&.
  Reported by Simon Barner. (MA)
* Ship with gettext-0.14.3 again, as 6.2.9-rc10 did. Found by Sunil Shetye. (MA)
* Actually set default SSL certificate path if --sslcertpath is unset.
  Reported by Heino Tiedemann and Rob MacGregor. (MA)
* Remove bogus Netscape IMAP4rev1 Service >= 3.6 warning about BODY[TEXT]
  that we are not using. Patch by Sunil Shetye. (MA)
* Plug potential memory and socket leak when polling multiple folders or when
  the upstream sends bogus message sizes.  Patch by Sunil Shetye. (MA)
* Update Catalan translation, by Ernest Adrogué Calveras. (MA)
* Fix segfault (null pointer dereference) on some operating systems with
  fetchmail's obsolete DNS MX/host alias lookups in multidrop mode.
  Patch by Dr.-Ing. Andreas Haakh. (MA)
* Close SMTP sockets early, to reduce resource usage, trigger earlier delivery
  with some MTAs and avoid SIGPIPE (SIG 13) when the SMTP listener gets bored
  and drops the connection after timeout.  Patch by Sunil Shetye. (MA)
* Don't treat hitting a fetch limit as error.  Patch by Sunil Shetye. (MA)
* Fix negative "messages left on server" on idle/repoll with fetchlimit.
  Patch by Sunil Shetye. (MA)
* Properly track logout stage.  Patch by Sunil Shetye. (MA)
* Preserve error conditions across postconnect script.  Sunil Shetye. (MA)
* Do not trash destination domain if multiple messages are forwarded into the
  same SMTP/LMTP connection. Reported by Joachim Feise, Berlios Bug #5849. (MA)
* Manual page: Add "-md5" to "openssl x509" example in --sslfingerprint
  documentation, since OpenSSL 0.9.8 changed the default to SHA1.
  Suggested by Jason White. (MA)
* Cope with servers that return UID information in response to non-UID
  RFC822.{SIZE|HEADER} requests. Reported by Jason White.
  Patch suggestion by by Sunil Shetye, simplified by MA.

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDppmVvmGDOQUufZURAsmjAJ4hRWPQf/xFiW6Uf0hscZqjLL1JywCfZqcx
HWL8U9SWHyOOQY1tqM4xDys=
=iql6
-----END PGP SIGNATURE-----

_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends(_at_)lists(_dot_)ccil(_dot_)org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [fetchmail]fetchmail 6.3.1 stable release with security relevant bugfixes, Matthias Andree <=
Previous by Date:  [fetchmail]fetchmail 6.2.5.5 legacy release fixes Denial of Service bug, Matthias Andree
Next by Date:  [fetchmail]forwarding to a remote SMTP server, S. Palmer
Previous by Thread:  [fetchmail]fetchmail 6.2.5.5 legacy release fixes Denial of Service bug, Matthias Andree
Next by Thread:  [fetchmail]forwarding to a remote SMTP server, S. Palmer
Indexes:  [Date] [Thread] [Top] [All Lists]