Fetchmail Development Team | 23 Apr 2013 23:50

The 6.3.26 release of fetchmail is available

The 6.3.26 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail> and
<http://sourceforge.net/projects/fetchmail/>.

The source archive is available at:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.26.tar.xz>
<http://sourceforge.net/projects/fetchmail/files/branch_6.3/fetchmail-6.3.26.tar.xz/download>

or in the older bzip2 format:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.26.tar.bz2>

Here are the release notes:

fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):

# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.

# CRITICAL BUG FIX for setups using "mimedecode":
* The mimedecode feature failed to ship the last line of the body if it was
  encoded as quoted-printable and had a MIME soft line break in the very last
  line.  Reported by Lars Hecking in June 2011.

  Bug introduced on 1998-03-20 when the mimedecode support was added by ESR
  before release 4.4.1 through code contributed by Henrik Storner.
  Workaround for older releases: do not use mimedecode feature.

  Earlier versions of this NEWS file claimed this bug fixed in fetchmail-6.3.23,
  but it was not.

(Continue reading)
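The failure mode behind that mimedecode fix, a quoted-printable soft line break on the very last body line, comes down to a line-oriented decoder that holds a continued line and never flushes it at end of input. The following is an added example written for this page, not fetchmail's own mimedecode code; the `qp_decoder`, `qp_feed_line` and `qp_finish` names are assumed, and the caller is expected to call `qp_finish` once the message body is exhausted.

```c
#include <stddef.h>
#include <string.h>

/* Line-oriented quoted-printable decoder (RFC 2045, section 6.7). A raw line
 * ending in "=" is a soft line break: the logical line continues on the next
 * raw line, so its decoded bytes are held in `pending` rather than emitted.
 * The 6.3.26 fix described above concerns the case where the held line is the
 * last one: nothing follows it, so the caller must call qp_finish() at end of
 * input or that line is silently lost. Constructed example, not fetchmail's. */
typedef struct { char pending[4096]; size_t plen; } qp_decoder;
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
/* Copy the completed logical line to out (NUL-terminated) and reset. */
static size_t qp_flush(qp_decoder *d, char *out, size_t outcap) {
    size_t n = d->plen < outcap ? d->plen : outcap - 1;
    memcpy(out, d->pending, n);
    out[n] = '\0';
    d->plen = 0;
    return n;
}

/* Feed one raw line, terminator included. Returns bytes written to out, or 0
 * when the line ended in a soft break and is being held for the next line. */
size_t qp_feed_line(qp_decoder *d, const char *line, size_t n, char *out, size_t outcap) {
    size_t body = n, i;
    const char *eol = "";
    int soft;
    if (body >= 2 && line[body - 2] == '\r' && line[body - 1] == '\n') { body -= 2; eol = "\r\n"; }
    else if (body >= 1 && line[body - 1] == '\n') { body -= 1; eol = "\n"; }
    soft = body >= 1 && line[body - 1] == '=';
    if (soft) body--;                       /* the trailing "=" itself is not data */
    for (i = 0; i < body; i++) {
        int c = (unsigned char)line[i], hi, lo;
        if (c == '=' && i + 2 < body && (hi = hexval(line[i + 1])) >= 0 && (lo = hexval(line[i + 2])) >= 0) {
            c = hi * 16 + lo;               /* "=XX" escape */
            i += 2;
        }
        if (d->plen < sizeof d->pending) d->pending[d->plen++] = (char)c;
    }
    if (soft) return 0;
    for (i = 0; eol[i] && d->plen < sizeof d->pending; i++) d->pending[d->plen++] = eol[i];
    return qp_flush(d, out, outcap);
}

/* End of input: emit whatever a trailing soft break left behind (the fix). */
size_t qp_finish(qp_decoder *d, char *out, size_t outcap) { return qp_flush(d, out, outcap); }
```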

Fetchmail Development Team | 19 Mar 2013 01:09

The 6.3.25 release of fetchmail is available

The 6.3.25 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail> and
<http://sourceforge.net/projects/fetchmail/>.

The source archive is available at:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.25.tar.xz>
<http://sourceforge.net/projects/fetchmail/files/branch_6.3/fetchmail-6.3.25.tar.xz/download>

or in the older bzip2 format:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.25.tar.bz2>

Here are the release notes:

fetchmail-6.3.25 (released 2013-03-18, 26149 LoC):

# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
* They have stopped accepting submissions and consider themselves an archive.

# BUG FIXES
* Fix a memory leak in out-of-memory error condition while handling plugins.
  Report and patch by John Beck (found with Parfait static code analyzer).
* Fix a NULL pointer dereference in out-of-memory error condition while handling
  plugins.
  Report and patch by John Beck (found with Parfait static code analyzer).

# CHANGES
* Improved reporting when SSL/TLS X.509 certificate validation has failed,
  working around a not-so-recent swapping of two OpenSSL error codes, and
  a practical impossibility to distinguish broken certification chains from
  missing trust anchors (root certificates).
(Continue reading)

Matthias Andree | 3 Jan 2013 00:43

fetchmail 7.0.0-alpha4 alpha preview release

Greetings,

in an effort to get sufficient testing, I have released the next alpha
version of fetchmail 7.0.0. This merges post-6.3.22 changes in, to
fix some regressions and plug the OpenSSL memory leak that prompted the
6.3.24 release. The changelog is included below.

Note that I plan to discontinue MAPI support, it has zero user interest.
 I have not received offers of Exchange test accounts, I have not
received test reports from users, and I can only conclude that while it
may have looked a good idea when the Google Summer Of Code project to
add MAPI support was started, this is a stillborn.

I will spend no more efforts in providing MAPI support in fetchmail
unless there are sustainable offers to help out with test accounts, test
reports, and so on.

The alpha version is available for download from these sites:
<http://home.pages.de/~mandree/fetchmail/>
<https://sourceforge.net/projects/fetchmail/files/branch_7-alpha/>

It is not available for download from BerliOS, its file release system
is too cumbersome to use.

The fetchmail sources are also available via Git.

The corresponding git tag is SNAPSHOT_7-0-0-alpha4, the branch is
"master". The repository browsers (these show the clone URLs):
<http://gitorious.org/fetchmail>
<http://git.berlios.de/cgi-bin/cgit.cgi/fetchmail/>
(Continue reading)

Fetchmail Development Team | 23 Dec 2012 18:09

The 6.3.24 release of fetchmail is available

The 6.3.24 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail> and

The source archive is available at - in XZ format:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.24.tar.xz>
<https://sourceforge.net/projects/fetchmail/files/branch_6.3/>
(The sourceforge.net link may take a while before the files become
downloadable.)

Or, if you prefer the previous BZip 2 format:
<http://prdownload.berlios.de/fetchmail/fetchmail-6.3.24.tar.bz2>

Here are the release notes:

fetchmail-6.3.24 (released 2012-12-23, 26108 LoC):

# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR.
Should a 7.0 release be made earlier, chances are that the 6.3.X branch
is abandoned and its changes be folded into the 7.0 release, with changes
after 6.3.24 not available on their own in a newer 6.3.X release.

# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
  They have stopped accepting submissions and consider themselves an archive.

# CRITICAL AND REGRESSION FIXES
* Plug a memory leak in OpenSSL's certificate verification callback.
  This would affect fetchmail configurations running with SSL in daemon mode
  more than one-shot runs.
  Reported by Erik Thiele, and pinned by Dominik Heeg,
  fixes Debian Bug #688015.
(Continue reading)

Matthias Andree | 10 Dec 2012 22:17

The 6.3.23 release of fetchmail is available

The 6.3.23 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail>.

The source archive is available at:
<http://developer.berlios.de/projects/fetchmail/fetchmail-6.3.23.tar.xz>

or, for a slightly bigger download in the older .tar.bz2 form:

<http://developer.berlios.de/projects/fetchmail/fetchmail-6.3.23.tar.bz2>

Here are the release notes:

fetchmail-6.3.23 (released 2012-12-10, 26106 LoC):

# NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR.
Should a 7.0 release be made earlier, chances are that the 6.3.X branch
is abandoned and its changes be folded into the 7.0 release, with changes
after 6.3.22 not available on their own in a newer 6.3.X release.

# REGRESSION FIXES
* Fix compilation with OpenSSL implementations before 0.9.8m that lack
  SSL_CTX_clear_options. Patch by Earl Chew.
  Note that the use of older OpenSSL versions with fetchmail is unsupported and
  *not* recommended.

# BUG FIXES
* Fix combination of --plugin and -f -. Patch by Alexander Zangerl,
  to fix Debian Bug#671294.
* Clean up logfile vs. syslog handling, and in case logfile overrides
  syslog, send a message to the latter stating where logging goes.
(Continue reading)

Matthias Andree | 5 Sep 2012 23:39

fetchmail 7.0.0-alpha3 alpha preview release

Greetings,

in an effort to get sufficient testing, I have released the next alpha
version of fetchmail 7.0.0. This merges post-6.3.20 changes in, to
fix security (CVE-2012-3482) and otherwise important bugs; I am
including the changelog below.

7.0.0-alpha2+MAPI was not vulnerable to CVE-2011-3389.

The snapshot is without MAPI this time, because I cannot test the MAPI feature.

If you want to help out, please arrange an Exchange account for me that
I can send test messages to that I can retrieve via MAPI and IMAP.

The alpha version isn't available through BerliOS, but only from this
DOWNLOAD: <http://home.pages.de/~mandree/fetchmail/>

The corresponding git tag is SNAPSHOT_7-0-0-alpha3, the branch is
"master". The repository is at <http://gitorious.org/fetchmail>.

Please send feedback to fetchmail-devel <at> lists.berlios.de.

Happy fetches!
Matthias

--------------------------------------------------------------------------------
fetchmail-7.0.0 (not yet released):

NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED!

(Continue reading)

Matthias Andree | 30 Aug 2012 00:32

The 6.3.22 release of fetchmail is available

The 6.3.22 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail>.

The source archive is available at:
<http://developer.berlios.de/projects/fetchmail/fetchmail-6.3.22.tar.bz2>

or if you prefer XZ archives:
<http://developer.berlios.de/projects/fetchmail/fetchmail-6.3.22.tar.xz>

Add .asc to the file names to obtain detached GnuPG signatures.

Here are the release notes:

fetchmail-6.3.22 (released 2012-08-29, 26077 LoC):

# SECURITY FIXES
* for CVE-2012-3482:
  NTLM: fetchmail mistook an error message that the server sent in response to
  an NTLM request for protocol exchange, tried to decode it, and crashed while
  reading from a bad memory location.
  Also, with a carefully crafted NTLM challenge packet sent from the server, it
  would be possible that fetchmail conveyed confidential data not meant for the
  server through the NTLM response packet.
  Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
  NTLM authentication in case of error.
  See fetchmail-SA-2012-02.txt for further details.
  Reported by J. Porter Clark.

* for CVE-2011-3389:
  SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure 
(Continue reading)
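As an added illustration of the two checks the CVE-2012-3482 fix names (not code from fetchmail itself), here is a strict base64 decoder that rejects anything that is not well-formed base64, such as a server's error line, together with a bounds check on the NTLM Type 2 challenge's target-name security buffer before any of it is read. The field layout is the standard NTLMSSP Type 2 header; the function names and numeric error codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Strict base64: decoded length, or -1 on a bad length, a non-alphabet byte or
 * misplaced padding. A server that answers with an error line such as "-ERR ..."
 * instead of a challenge is rejected here instead of being "decoded". */
long b64_decode(const char *in, unsigned char *out, size_t outcap) {
    size_t n = strlen(in), i, o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (i = 0; i < n; i += 4) {
        int v[4], pad = 0, k;
        unsigned long bits;
        for (k = 0; k < 4; k++) {
            if (in[i + k] == '=' && i + 4 == n && k >= 2) { v[k] = 0; pad++; }
            else if (pad || (v[k] = b64val((unsigned char)in[i + k])) < 0) return -1;
        }
        bits = ((unsigned long)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        if (o + (3 - pad) > outcap) return -1;
        out[o++] = (unsigned char)(bits >> 16);
        if (pad < 2) out[o++] = (unsigned char)(bits >> 8);
        if (pad < 1) out[o++] = (unsigned char)bits;
    }
    return (long)o;
}

typedef struct { unsigned long flags; unsigned char nonce[8]; const unsigned char *target; size_t target_len; } ntlm_type2;
static unsigned le16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static unsigned long le32(const unsigned char *p) { return le16(p) | ((unsigned long)le16(p + 2) << 16); }
/* NTLM Type 2 (challenge): 8-byte "NTLMSSP\0", type=2, target-name security
 * buffer (len16, maxlen16, offset32), flags, 8-byte nonce = 32 bytes minimum.
 * Returns 0 only when every field we use lies inside the packet; the security
 * buffer is the part a hostile server could point outside the packet. */
int ntlm_parse_type2(const unsigned char *buf, size_t len, ntlm_type2 *c) {
    unsigned tlen; unsigned long toff;
    if (len < 32 || memcmp(buf, "NTLMSSP", 8) != 0) return 1;  /* not an NTLM message */
    if (le32(buf + 8) != 2) return 2;                            /* not a challenge */
    tlen = le16(buf + 12); toff = le32(buf + 16);
    if (tlen != 0 && (toff < 32 || toff > len || tlen > len - toff)) return 3;  /* out of bounds */
    c->flags = le32(buf + 20); memcpy(c->nonce, buf + 24, 8);
    c->target = tlen ? buf + toff : NULL; c->target_len = tlen;
    return 0;
}
```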

Matthias Andree | 21 Aug 2011 15:52

fetchmail 6.3.21 critical fix release

The 6.3.21 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail>.

The source archive is available at:
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=18743>

Here are the release notes:

fetchmail-6.3.21 (released 2011-08-21, 26011 LoC):

# CRITICAL BUG FIX
* The IMAP client no longer inserts NUL bytes into the last line of a message
  when it is not closed with a LF or CRLF sequence. Reported by Antoine Levitt.
  As a side effect of the fix, and in order to avoid a full rewrite, fetchmail
  will now CRLF-terminate the last line fetched through IMAP, even if it is
  originally not terminated by LF or CRLF. This bears no relevance if your
  messages end up in mbox, but adds line termination for storages (like Maildir)
  that do not require that the last line be LF- or CRLF-terminated.

# CONTRIB/ addition
* There is a patch against fetchnews's source, contrib/rawlog.patch, that can
  log (and hexdump non-printing characters) raw socket data to a file. It proved
  useful to debug Antoine's bug described above.

By popular demand, diffs from the previous release have been omitted.
_______________________________________________
fetchmail-announce mailing list
fetchmail-announce <at> lists.berlios.de
(Continue reading)

Matthias Andree | 16 Aug 2011 17:47

fetchmail 7.0.0-alpha2+MAPI alpha preview release

Greetings,

in an effort to get sufficient testing, I have released the next alpha
version of fetchmail 7.0.0.

This version ports the MAPI support from GSoC 2008 forward onto the
current branch and onto openchange 0.11, but is untested -- I have no
Exchange account and cannot test beyond "it compiles, with massive
warnings".  Chances are it works on 32-bit versions of Ubuntu 11.04
(natty narwhal), but chances are MAPI support does not work at all.

I need help to bring this forward.

The alpha version isn't available through BerliOS, but only from
DOWNLOAD: <http://home.pages.de/~mandree/fetchmail/>

The corresponding git tag is SNAPSHOT_7-0-0-alpha2+MAPI, the branch is
"master".

Please send feedback to fetchmail-devel <at> lists.berlios.de.

Happy fetches!
Matthias

--------------------------------------------------------------------------------

fetchmail-7.0.0 (not yet released):

NOTE THIS IS AN ALPHA RELEASE THAT HAS NOT BEEN THOROUGHLY TESTED!

(Continue reading)

matthias.andree | 6 Jun 2011 15:21

fetchmail security announcement fetchmail-SA-2011-01 (CVE-2011-1947)


fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics:		fetchmail denial of service in STARTTLS protocol phases

Author:		Matthias Andree
Version:	1.0
Announced:	2011-06-06
Type:		Unguarded blocking I/O can cause indefinite application hang
Impact:		Denial of service
Danger:		low

CVE Name:	CVE-2011-1947
CVSSv2:		(AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
CVSS scores:	4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
		This is calculated without Environmental Score.
URL:		http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail releases 5.9.9 up to and including 6.3.19

Not affected:	fetchmail release 6.3.20 and newer

Corrected in:	2011-05-26 Git, among others, see commit
		7dc67b8cf06f74aa57525279940e180c99701314

		2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

		2011-06-06 fetchmail 6.3.20 release tarball

(Continue reading)

Matthias Andree | 6 Jun 2011 15:19

fetchmail 6.3.20 security fix release

The 6.3.20 release of fetchmail is now available at the usual locations,
including <http://developer.berlios.de/projects/fetchmail>.

The source archive is available at:
<http://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=18583>

Here are the release notes:

fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):

# SECURITY BUG FIXES
* CVE-2011-1947:
  STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
  set timeout (default five minutes) now. This was reported missing, with
  observed fetchmail freezes beyond a week, by Thomas Jarosch.
     SSL-wrapped connections were unaffected by this timeout, so users of older
  versions can force ssl-wrapped connections -- if supported by the server --
  with the --ssl command line or ssl rcfile option.
  See fetchmail-SA-2011-01.txt for further details.

# BUG FIXES
* IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
  new messages and most of the range searches result in nothing. Instead, split
  the long response to make the IMAP driver think that there are multiple lines
  of response. (Sunil Shetye)
* Do not print "skipping message" for old messages even in verbose mode. If
  there are too many old messages, the logs just get filled without any real
  activity. (Sunil Shetye) (suggested by Yunfan Jiang)
* Build: fetchmail now always uses its own MD5 implementation rather than trying
  to find a system library with matched header. The library and header variants
(Continue reading)
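An added example (not fetchmail's code) of the kind of guard the CVE-2011-1947 fix describes: a POP3 STLS exchange whose wait for the server's reply is bounded by poll(), so a server that goes silent after the client asks for TLS yields a timeout instead of an indefinite hang. The function names and the per-read poll() are assumptions; after a 0 return the caller would hand the socket to its TLS library for the handshake.

```c
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read one CRLF-terminated line from fd. Every read waits at most timeout_ms
 * for data (the per-read timeout fetchmail applies elsewhere); -2 means the
 * peer went silent, -1 means EOF or a socket error. */
int timed_readline(int fd, int timeout_ms, char *buf, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap) {
        struct pollfd p = { fd, POLLIN, 0 };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) return -2;                      /* timed out: no indefinite block */
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t got = read(fd, buf + n, 1);
        if (got <= 0) return -1;                    /* EOF or error */
        n += (size_t)got;
        if (n >= 2 && buf[n - 2] == '\r' && buf[n - 1] == '\n') break;
    }
    buf[n] = '\0';
    return (int)n;
}

/* POP3 STLS negotiation with a bounded wait for the server's answer. Returns 0
 * when the server accepted (the caller may now start the TLS handshake on fd),
 * -2 on timeout, -1 on a socket error or a negative ("-ERR") reply. */
int pop3_stls(int fd, int timeout_ms) {
    static const char cmd[] = "STLS\r\n";
    char line[512];
    int r;
    if (write(fd, cmd, sizeof cmd - 1) != (ssize_t)(sizeof cmd - 1)) return -1;
    r = timed_readline(fd, timeout_ms, line, sizeof line);
    if (r < 0) return r;
    return strncmp(line, "+OK", 3) == 0 ? 0 : -1;
}
```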

