fetchmail: Update to version 6.6.5
Commit Message
- Update from version 6.6.0 to 6.6.5
- No change to rootfile
- Changelog
6.6.5
SECURITY BUGFIX
* POP3 with RPA: fix calculation of buffer sizes to avoid buffer overflow
on long service challenges with long user IDs, which would smash our stack.
Triggering this requires that 1. RPA is enabled at compile time
(non-default, which is discouraged in autotools, and possible but not
documented nor supported in meson), and the username (--user option, or user
in the rcfile) contains @compuserve.com anywhere, and the server supports an
AUTH command without arguments (which is a non-standard local extension), and
that it offers RPA authentication in response to that command.
This was reported based on an incomplete semi-wrong AI report with an
incomplete fix "recommendation" by zhangph12138@outlook.com via
fetchmail-devel@. The fix suggested in that AI report was wrong, and
would happily crash a few lines later again. The fix deployed calculates
the buffer size of "workarea" variables based on the sizeof() of constituent
components.
BUGFIX
* Robustness: If RPA is enabled at compile time and POP3 is in use,
do not barf if @compuserve.com is in the remote site's username (what you'd
pass as --user, or user in the rcfile) and the remote site either does not
support an "AUTH" command without parameters (normally, one is required, but
some servers such as jpop and Cyrus allow AUTH to request the list of
supported authentication types as an extension; the standard way would be
a "CAPA" request instead), but try other authentication methods.
Found by code auditing in response to a bug report against rpa.c.
Note that enabling RPA is discouraged because it is based on the weak
MD5 crypto algorithm.
6.6.4
BUGFIX
* The IMAP client will now properly quote the folder name given with the
moveto rcfile option, or --moveto command-line option.
Report and bugfix contributed by Corben Dallas.
BUILD IMPROVEMENTS
* meson-based builds with wolfSSL should now also work when meson finds
the wolfssl package through cmake, instead of pkgconfig. This is unsupported
and depends on internal set(_wolfssl_includedir "...") in wolfSSL's
lib/cmake/*.cmake files, and works as of wolfSSL 5.9.1.
The supported way to build fetchmail with wolfSSL with meson is
to make sure that wolfSSL is found with pkgconfig, as in (change /path/to!)
meson setup --pkg-config-path /path/to/wolfssl/lib/pkgconfig
EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
* fetchmail supports AWS-LC 1.71 or newer, since its relicensing to
the Apache license v2.0. Note this requires you to distribute fetchmail
under terms of the GPLv3 because the GPLv2 is claimed incompatible
with Apache license (this is no different for OpenSSL 3 or newer,
or the one wolfSSL version that was GPLv3 licensed).
* fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable
(since 6.5.0, except when using AWS-LC where it is silently ignored),
which can be used to override the OpenSSL security level.
Fetchmail by default raises the security level to 2 if lower.
This variable can be used to lower it.
Use with extreme caution. Note that levels 3 or higher will frequently cause
incompatibilities with servers because server-side data sizes are often too low.
Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
* fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable
(since 6.5.0) that sets the cipher string (through two different OpenSSL
functions) for SSL and TLS versions up to TLSv1.2.
If setting the ciphers fails, fetchmail will not connect.
If not given, defaults to "HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL" - note
that +RC4 is supposed to move the RC4 to the end of the list, not add it.
* fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable
(since 6.5.0) that sets the ciphersuites (a colon-separated list,
without + ! -) for TLSv1.3. If not given, defaults to the SSL library's
built-in list. If setting the ciphersuites fails, fetchmail refuses to
connect.
* NOTE the features above are simplistic. For instance, even though you
configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause
a connection abort.
6.6.3
COMPATIBILITY:
* fetchmail can now be built with OpenSSL 4.0.0 (tested as of -beta1).
6.6.2
BUGFIX:
* fetchmail 6.6.0 and 6.6.1 could not be configured without SSL, it would break
compiling sink.c. Fix compilation. Report by Toralf Förster, analysis and
different patch suggested by Holger Hoffstätte, fixes #86.
https://bugs.gentoo.org/967258 and
https://gitlab.com/fetchmail/fetchmail/-/issues/86
6.6.1
TRANSLATIONS were updated by these fine people (randomized order):
* sr: Мирослав Николић [Serbian]
* es: Cristian Othón Martínez Vera [Spanish]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/fetchmail | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -26,7 +26,7 @@ include Config
SUMMARY = Full-Featured POP and IMAP Mail Retrieval Daemon
-VER = 6.6.0
+VER = 6.6.5
THISAPP = fetchmail-$(VER)
DL_FILE = $(THISAPP).tar.xz
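Review bot: the VER bump to 6.6.5 pulls in a fix the changelog tags SECURITY BUGFIX and describes as reachable only when RPA is enabled at compile time, yet neither this hunk nor the commit message says whether this package is built with RPA. The configure options are not visible in this diff, so consider adding one line to the commit message stating whether the shipped build enables RPA, so that readers can tell whether 6.6.0 installations were exposed and how urgent the update is.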
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = fetchmail
-PAK_VER = 24
+PAK_VER = 25
DEPS =
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = bf308bfd1769b7092585d3af32aaef91206b315d87bd81794c9f04b65980e3cadd6a6c7ff1f5fd2c7ada0620dccecb14c3022224e17c5d075ea21e391408bdb8
+$(DL_FILE)_BLAKE2 = cceb7a0673f6aea76fe5619c0b6a4cd25566adc31b8d9a8e574b3abf8584107b882f71a63d5690ce76822044cc8a2dd431e44813002740ebcbd3cc55b4e9105f
install : $(TARGET)
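Review bot: the new $(DL_FILE)_BLAKE2 value is the only integrity check on the 6.6.5 tarball visible here, and the commit message does not say how the archive behind that digest was obtained or verified. Since DL_FROM points at $(URL_IPFIRE) and later builds will trust this hash, consider noting in the message that the tarball was checked against a checksum or signature published by upstream before the digest was computed.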