|Commit found by message id
Fri, 12 Feb 2010
[ 09:54:07 mandree ] |
mail Batch mail retrieval utility for IMAP/POP3/ETRN/ODMR
Update to new upstream release 6.3.14. Changes:
# SECURITY FIXES
* SSL/TLS certificate information is now also reported properly on computers
that consider the "char" type signed. Fixes malloc() buffer overrun.
Workaround for older versions: do not use verbose mode. CVE-2010-0562
See fetchmail-SA-2010-01.txt for details, including a minimal patch.
# BUG FIXES
* The IMAP client no longer skips messages from several IMAP servers including
Dovecot if fetchmail's "idle" is in use. Causes were that fetchmail (a)
ignored some untagged responses when it should not (b) relied on EXISTS
messages in response to EXPUNGE, which aren't mandated by RFC-3501 (the IMAP
standard) and aren't sent by Dovecot either.
Fix by Sunil Shetye (the fix also consolidates IMAP response handling,
improving overall robustness of the IMAP client), bug report and testing by
Matt Doran, with further hints from Timo Sirainen.
* The SMTP client now recovers from errors (such as servers dropping the
connection after errors) when sending an RSET command.
Fix by Sunil Shetye. Report by James Moe.
* The IMAP client now uses "SEARCH UNSEEN" rather than "SEARCH UNSEEN NOT
DELETED" again on IMAP2, to fix a regression in fetchmail 6.2.5 reported by
Will Stringer in June 2004. (Sunil Shetye)
* The IMAP client now uses "SEARCH UNSEEN UNDELETED" on IMAP4 and IMAP4r1
servers (Sunil Shetye).
* Workaround: The IMAP client now falls back to "FETCH n:m FLAGS" if the server
does not support "SEARCH". (Sunil Shetye)
* The IMAP client now requests message numbers in batches of 1,000 to avoid
problems if there are more than 1860 unseen messages. (Sunil Shetye)
Note that this wasn't security relevant because fetchmail would only read up
to the maximum buffer size and leave the remainder of the string unread, going
out of synch afterwards.
* Stricter validation of IMAP responses containing byte or message counts.
* Only include gssapi.h if we're not including gssapi/gssapi.h, to fix a FreeBSD
compiler warning about gssapi.h being obsolete.
* The README.SSL document was revised for grammar, spelling, and clarity.
Courtesy of Robert Mullin.
# TRANSLATION UPDATES
* [it] Italian, by Vincenzo Campanella
Approved by: Corey Halpin (port maintainer)
Approved by: miwi@ (mentor)
Number of ports [& non-ports] in this commit: 1
show all files
7 vulnerabilities affecting 15 ports have been reported in the past 14 days
* - modified, not new