fetchmail 6.3.17
# SECURITY FIX
* CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
external input (mail headers and UID). When a multi-character locale (such as
UTF-8) was in use, this could cause memory exhaustion and thus a denial of
service, because fetchmail's report.c functions assumed that non-success of
[v]snprintf was due to insufficient buffer size allocation. It would then
repeatedly reallocate a larger buffer and fail formatting again.
See fetchmail-SA-2010-02.txt.
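The retry pattern behind CVE-2010-1167 and its fix, as an added C example that is not fetchmail's report.c. Under C99, vsnprintf returns the length the output would need when the buffer is too small, and a negative value when formatting fails (for example with errno set to EILSEQ when the input cannot be converted in a UTF-8 locale). A loop that treats every non-success as "buffer too small" keeps reallocating on a persistent error; the fixed loop stops on a negative return and grows once to the exact size. The fmt_fn callback, DEMO_MAX_BUF cap and always_failing stand-in are constructed for the demo so the flawed loop terminates and the error path can be exercised without depending on the libc locale.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical formatter type with vsnprintf's signature, so a deliberately
   failing formatter can be injected in place of the real one. */
typedef int (*fmt_fn)(char *buf, size_t size, const char *fmt, va_list ap);

/* Demo-only growth cap; the original flawed code had no cap at all. */
#define DEMO_MAX_BUF (64 * 1024)

static int real_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    return vsnprintf(buf, size, fmt, ap);
}

/* Constructed stand-in: fails on every call, like vsnprintf on an encoding error. */
static int always_failing(char *buf, size_t size, const char *fmt, va_list ap)
{
    (void)buf; (void)size; (void)fmt; (void)ap;
    errno = EILSEQ;
    return -1;
}

/* Flawed pattern: any non-success is read as "buffer too small", so the buffer
   is doubled and the call retried. *peak records the largest buffer reached. */
static char *format_flawed(fmt_fn fmtf, size_t *peak, const char *fmt, ...)
{
    size_t size = 16;
    char *buf = malloc(size);
    if (!buf) abort();                /* allocation failure: abort, no retry */
    *peak = size;
    for (;;) {
        va_list ap;
        va_start(ap, fmt);
        int n = fmtf(buf, size, fmt, ap);
        va_end(ap);
        if (n >= 0 && (size_t)n < size) return buf;
        size *= 2;                    /* error or truncation: just grow */
        if (size > DEMO_MAX_BUF) { free(buf); return NULL; }   /* demo guard */
        char *nb = realloc(buf, size);
        if (!nb) abort();
        buf = nb;
        *peak = size;
    }
}

/* Fixed pattern: a negative return is a formatting error and is reported, not
   retried; only n >= size means "too small", and n gives the exact length. */
static char *format_fixed(fmt_fn fmtf, size_t *peak, const char *fmt, ...)
{
    size_t size = 16;
    char *buf = malloc(size);
    if (!buf) abort();
    *peak = size;
    for (;;) {
        va_list ap;
        va_start(ap, fmt);
        int n = fmtf(buf, size, fmt, ap);
        va_end(ap);
        if (n < 0) { free(buf); return NULL; }      /* do not grow on error */
        if ((size_t)n < size) return buf;
        size = (size_t)n + 1;                        /* one exact-size retry */
        char *nb = realloc(buf, size);
        if (!nb) abort();
        buf = nb;
        *peak = size;
    }
}

/* Result helpers so the outcomes can be checked as plain values. */
static size_t peak_flawed_on_error(void)
{
    size_t peak;
    char *s = format_flawed(always_failing, &peak, "%s", "x");
    free(s);
    return peak;                      /* grew all the way to DEMO_MAX_BUF */
}

static size_t peak_fixed_on_error(void)
{
    size_t peak;
    char *s = format_fixed(always_failing, &peak, "%s", "x");
    free(s);
    return peak;                      /* stayed at the initial 16 bytes */
}

/* 1 if the fixed loop produced the expected text with one exact-size
   reallocation (subject must be long enough to overflow the 16-byte start). */
static int fixed_formats_correctly(const char *subject)
{
    size_t peak;
    char *s = format_fixed(real_vsnprintf, &peak, "Subject: %s", subject);
    if (!s) return 0;
    int ok = strncmp(s, "Subject: ", 9) == 0 && strcmp(s + 9, subject) == 0
             && peak == strlen(s) + 1;
    free(s);
    return ok;
}

int main(void)
{
    printf("flawed loop on persistent error: buffer grew to %zu\n", peak_flawed_on_error());
    printf("fixed loop on persistent error:  buffer stayed at %zu\n", peak_fixed_on_error());
    printf("fixed loop on a real header:     %s\n",
           fixed_formats_correctly("a header value that is longer than sixteen bytes") ? "ok" : "FAILED");
    return 0;
}
```

Without the demo cap, the flawed loop doubles indefinitely until realloc fails, which is the memory exhaustion the advisory describes; the fixed loop makes at most one reallocation per call regardless of what the formatter does.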
# FEATURES
* Fetchmail now supports a --sslcertfile option that names a file containing
trusted CA certificates. Since such bundled CA files do not require c_rehash
to be run, they are easier to use and immune to OpenSSL library updates that
change the hash function used for the certificate directory.
* Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
environment variable to force loading the default SSL CA certificate
locations even if --sslcertfile or --sslcertpath is used.
If neither option is in effect, fetchmail loads the default locations.
# REGRESSION FIX
* Fix string handling in rcfile scanner, which caused fetchmail to misparse a
run control file in certain circumstances. Fixes BerliOS bug #14257.
Patch by Michael Banack. This fixes a regression introduced before 6.3.0.
# BUG FIXES
* Plug memory leak when using a "defaults" entry in the run control file.
* Do not print SSL certificate mismatches unless verbose or --sslcertck is
enabled.
* Do not lose "set invisible" in fetchmailconf. (Michael Banack)
# CHANGES
* Usability: SSL certificate chains are fully printed in -v -v mode, and there
are now helpful pointers to --sslcertpath and c_rehash for "unable to get
local issuer certificate" and self-signed certificates -- these usually hint
at missing root signing CAs in the certs directory.
* Several fixes for compiler (GCC, Intel C++, Clang) and autotools warnings.
* Memory allocation failures will now cause abnormal program abort (SIGABRT),
no longer an exit with unspecified code.
# DOCUMENTATION
* Fix table of global options to read "set softbounce" where there used to be a
2nd copy of "set spambounce". Patch by Michael Banack, BerliOS Bug #17067.
* In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X
to 1.0.0 upgrade in particular) may require running c_rehash.
# TRANSLATION UPDATES
[zh_CN] Chinese/simplified (Ji Zheng-Yu)
[cs] Czech (Petr Pisar)
[nl] Dutch (Erwin Poeze)
[fr] French (Frédéric Marchal)
[de] German
[id] Indonesian (Andhika Padmawan)
[it] Italian (Vincenzo Campanella)
[ja] Japanese (Takeshi Hamasaki)
[pl] Polish (Jakub Bogusz)
[sk] Slovak (Marcel Telka)
[vi] Vietnamese (Clytie Siddall)
# KNOWN BUGS AND WORKAROUNDS:
(this section floats upwards through the NEWS file so it stays with the
current release information - however, it was stuck with 6.3.8 for a while)
* fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* BSMTP is mostly untested and errors can cause corrupt output.
* Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
64-bit mode. Either compile 32-bit code or use GCC to compile 64-bit
fetchmail. Note that fetchmail doesn't take advantage of 64-bit code,
so compiling 32-bit SPARC code should not cause any difficulties.
* fetchmail does not track pending deletes over crashes
* the command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running