fetchmail-friends

[fetchmail] fetchmail 6.3.2 stable release with security relevant bugfixes

2006-01-22 06:17:15
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I am announcing the release of fetchmail 6.3.2.

This release fixes a denial of service bug/fetchmail crash after sending
a bounce, adds a Maillennium (Comcast) workaround and fixes other bugs.
(The security announcement will be mailed separately.)

This is a recommended upgrade for all users of any previous fetchmail versions.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=8784>

These are the relevant changes in 6.3.2 since 6.3.1.
Unless otherwise noted, changes to this release were made by Matthias Andree.

# SECURITY FIX IN THIS RELEASE
* CVE-2006-0321: Fix segfault or bus error after bouncing a message.  This bug
  was introduced into 6.3.0 when removing alloca(); it caused fetchmail to free
  random memory.  Reported by Nathaniel W. Turner, Debian Bug#348747.
  See fetchmail-SA-2006-01.txt

# DEPRECATED FEATURES AND MAJOR INCOMPATIBLE CHANGE ADVANCE WARNINGS
* The --enable-fallback (fall back to MDA if MTA unavailable) may be removed
  from a future fetchmail release.

# INCOMPATIBLE CHANGES
* Automatically disable the POP3 TOP command if the greeting string contains
  "Maillennium POP3/PROXY server", which is used by Comcast and known to
  truncate messages after 80 kByte. Fall back to RETR, and complain if we had
  used TOP otherwise (the warning is printed only once per server in daemon
  mode).  Suggested by Ed Wilts.
  *Note* that this means messages are marked read on these servers, which is a
  deviation from how 6.3.1 behaved, but we have no alternative; Comcast haven't
  fixed this bug in years.  Preventing the loss of the remainder of the message
  justifies this incompatible fix.
* fetchmail, since 6.3.0, requires write permission to the directory holding the
  idfile. See the amendment in the 6.3.0 MAJOR INCOMPATIBLE CHANGES section
  below for details. The manual page was updated.

# CHANGES RELEVANT TO PACKAGERS
* The outdated BUGS document was removed from the distribution.
* Added fetchmail-SA-2006-01.txt to the distribution.

# BUG FIXES
* SMTP/LMTP cleanup to fix these two bugs:
  - switch back to SMTP after having tried LMTP hosts (multiple smtphost hosts)
  - switch back to LMTP after sending a bounce.
  The patch removes the global state variable that was the root of this problem.
  Patch by Sunil Shetye. (MA)
* Don't complain about fetchall keep in --configdump mode. Bug introduced in
  6.3.0.
* fetchmailconf.py: Fix novice help for Poll interval and fetchall.
  Reported by Justin Pryzby, Debian Bug #344978.
* Some verbose output disappeared in debug mode. Adding further -v options would
  alternate between verbose and debug mode. Debug mode now comprises all verbose
  output, and adding more -v options does not switch back from debug to verbose
  mode.
* fetchmail.man: Fix accented characters in Héctor García's name. Merged from
  downstream debian/patches/01_man_page.dpatch.
* Add missing --help text for "--sslcertck" option.
* fetchmailconf.py: Accept --help and --version.
* fetchmail --version now prints the copyright notice.
* Don't complain about READ-ONLY IMAP folders in --fetchall --keep mode.
  Reported by Alexander Zangerl, Debian Bug#348964.
* The RPM .spec file now generates a -debuginfo package on newer RPM versions.

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFD04UzvmGDOQUufZURApk+AJ46zXfGAd0jHsbxziZ7JQpPugjJKwCeM2xW
DSAxh7uWlnM7Teolv4wF+BE=
=hrZ0
-----END PGP SIGNATURE-----
