From patchwork Mon Jan 13 21:41:04 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8412
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] fetchmail: Update to version 6.5.2
Date: Mon, 13 Jan 2025 22:41:04 +0100
Message-ID: <20250113214108.2221728-3-adolf.belka@ipfire.org>
In-Reply-To: <20250113214108.2221728-1-adolf.belka@ipfire.org>
References: <20250113214108.2221728-1-adolf.belka@ipfire.org>

- Update from version 6.4.39 to 6.5.2
- Update of rootfile not required
- Changelog
    6.5.2
      ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
        (There are no plans to remove features from a 6.5.X release, but they may be removed from a 6.6.0 or newer release.)
        * Support for operating systems that are not sufficiently POSIX compliant may be removed or operation on such systems may be suboptimal for future releases.
        * Future fetchmail releases may require compilers and operating systems that adhere to standards issued 2011 or later. (See README for requirements.)
        * Future fetchmail releases may tighten up security and lean towards it a bit more by, for instance, implementing recommendations from RFC-7817 or RFC-8314. This may, for instance, require that TLS v1.1 or newer be used.
        * The MX and host alias DNS lookups that fetchmail performs in multidrop mode are based on assumptions that are rarely met in practice, somewhat defective, deprecated and may be removed from a future fetchmail version. They have never supported IPv6 (including IPv6-mapped IPv4).
          Non-DNS based alias keywords such as "aka" will remain in fetchmail.
        * The monitor and interface options may be removed from a future fetchmail version as they are not reasonably portable across operating systems.
        * POP2 is obsolete, support will be removed from a future fetchmail version.
        * IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a future fetchmail version.
        * RPOP is obsolete, support will be removed from a future fetchmail release.
        * The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release.
        * The "envelope Received" option may be removed from a future release, because the Received header was never meant to be machine-readable, the format varies widely, and various other differences in behavior make parsing Received an unreliable undertaking. The envelope option as such will remain though, in order to support Delivered-To, X-Envelope-To, X-Original-To and similar. See also .
        * The "protocol auto" default inside fetchmail may be removed from a future fetchmail release. Explicit configuration of the protocol is recommended.
        * Kerberos IV support may be removed from a future fetchmail release.
        * Kerberos 5 support may be removed from a future fetchmail release. (Although GSS-API support should remain as long as it's viable.)
        * The --principal option may be removed from a future fetchmail release.
        * SIGHUP wakeup support may be removed from a future fetchmail release and cause fetchmail to terminate - it was broken for many years.
        * The maintainer may migrate fetchmail to C++, and impose further requirements (dependencies), such as Boost or other class libraries.
        * The softbounce option default will change to "false" in the next release.
        * The --bsmtp - mode of operation may be removed in a future release.
        * Fetchmailconf is deprecated and will be removed from a future release.
        * Fetchmail does not guarantee compatibility with EOL OpenSSL versions.
          Support for end-of-life OpenSSL versions may be removed even from patchlevel releases.
        * Nonstandard or by today's standards insufficiently secure authentication schemes (such as OPIE, RPA) may be removed from future fetchmail versions.
        * Nonstandard protocol extensions (such as SDPS/*ENV) may be removed from future fetchmail versions.
        * --auth ssh may be removed from future fetchmail versions. Use --auth implicit.
        * Future fetchmail releases (even minor ones) may change undocumented parts of the .netrc parser in incompatible ways to enhance compatibility with typical ftp(1) .netrc parsers.
      KNOWN BUGS AND WORKAROUNDS
        * Fetchmail does not handle messages without Message-ID header well (See sourceforge.net bug #780933)
        * Fetchmail currently uses 31-bit signed integers in several places where unsigned and/or wider types should have been used. Please report issues with this.
        * BSMTP is mostly untested and errors can cause corrupt output.
        * Fetchmail does not track pending deletes across crashes.
        * The command line interface is sometimes a bit stubborn, for instance, fetchmail -s doesn't work with a daemon running.
        * Linux systems may return duplicates of an IP address in some circumstances if no or no global IPv6 addresses are configured. (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
        * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error messages. This will not be fixed, because the maintainer has no Kerberos 5 server to test against. Use GSSAPI.
        * For IMAP connections, fetchmail will print "will idle after poll" in verbose mode even though --idle is not given, as an artifact of the 6.4.22 security fixes. Fetchmail means "could idle after poll", but this would have required another loop through the translators.
        * aka ... hostnames are not considered for upstream server X.509 certificate verification, aka was meant for alias detection with multidrop mailboxes.
        * When compiled against wolfSSL, note that it is not a feature-complete emulation of OpenSSL. Main functionality is given, but some minor details may not work the same as in OpenSSL builds.
        * When compiled against LibreSSL (due to licensing, this only works on OpenBSD where LibreSSL is part of the OS), note that LibreSSL is somewhat behind recent OpenSSL versions, so prefer OpenSSL to LibreSSL if you can.
        * FreeBSD's OPIE implementation cannot be found when using a C++ compiler. This should not affect the normal build, which uses a C compiler.
        * Using ccache may trigger "implicit fallthrough" warnings because the comments that, for instance, GCC understands, are removed by ccache's separate preprocessing. Fixing this portably requires C++17.
        * Fetchmail's RFC-2047 encoder (used for localized Subject: lines of locally-originated e-mail messages) is simplistic and violates the RFC-2047 requirement that multibyte characters must not be split across encoded-words.
      TRANSLATIONS: fetchmail's translations were updated, courtesy of:
        * cs: Petr Pisar [Czech]
        * sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
      CHANGES:
        * Minor documentation consistency fixes (versions, dates).
    6.5.1
      BUG AND PORTABILITY FIXES:
        * Drop two wolfSSL compile-time checks that were for older 6.4 or for future 7.0 releases and broke compilation with wolfSSL 5.7.4. Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
        * Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message (FreeBSD defines %#p to be %p, on many other platforms it's undefined behavior).
        * Add regex_helper.c to list of files that contain translatable strings, which contains two strings we missed to translate.
      CHANGES:
        * Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1") for version switch and base it on the claimed OpenSSL version of the crypto SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
      TRANSLATIONS: fetchmail's messages were translated by these fine people:
        * sq: Besnik Bleta [Albanian]
        * es: Cristian Othón Martínez Vera [Spanish]
        * ro: Remus-Gabriel Chelu [Romanian]
        * fr: Frédéric Marchal [French]
        * pl: Jakub Bogusz [Polish]
        * sv: Göran Uddeborg [Swedish]
        * ja: Takeshi Hamasaki [Japanese]
        * eo: Keith Bowes [Esperanto]
    6.5.0
      SECURITY FIX:
        * .netrc now may not have more than 0700 permission if it contains passwords, else fetchmail will warn and ignore the file.
      REMOVED FEATURES
        * fetchmail no longer supports using an MDA as SMTP fallback. This is required to make deliveries consistent. The --enable-fallback configure option is gone.
        * fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have been removed and behave as though "--sslproto auto" had been given.
      INCOMPATIBLE CHANGES
        * fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
        * fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
        * fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
        * fetchmailconf now requires Python 3.7.0 or newer.
        * fetchmail, with --logfile, now logs time stamps into the file, in localtime and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through the environment variables LC_TIME (or LC_ALL) and TZ. Contributed by Holger Hoffstätte.
        * fetchmail sets the OPENSSL security level to 2 by default. Override is possible from an environment variable, see EXPERIMENTAL CHANGES below.
        * The ca, da, en_GB, id, it, nl, ru, zh_CN translations have been disabled, they are too far behind.
      CHANGED REQUIREMENTS
        * fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with XSI extension) compliant system. In particular, older fetchmail versions had workarounds or replacement code for several functions standardized in the Single Unix Specification v3, these have been removed.
          Hence:
          - The trio/ library has been removed from the distribution.
          - The libesmtp/getaddrinfo.? library has been removed from the distribution.
          - The KAME/getnameinfo.c file has been removed from the distribution.
        * fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL or wolfSSL, at a minimum OpenSSL v3.0.9 or wolfSSL v5.7.2.
      TRANSLATIONS: fetchmail's messages were translated by these fine people:
        * cs: Petr Pisar [Czech]
        * eo: Keith Bowes [Esperanto]
        * es: Cristian Othón Martínez Vera [Spanish]
        * fr: Frédéric Marchal [French]
        * ja: Takeshi Hamasaki [Japanese]
        * ro: Remus-Gabriel Chelu [Romanian]
        * sv: Göran Uddeborg [Swedish]
        * sq: Besnik Bleta [Albanian]
        * pl: Jakub Bogusz [Polish]
      BUG FIXES
        * fetchmail can now report mailbox sizes of 2^31 octets and beyond (2 GibiB). This required C99 support (for the long long type). Fixes Debian Bug#873668, reported by Andreas Schmidt.
        * fetchmail now defines its OpenSSL API level to 3.0.0 so as to expose the 3.0.0 APIs from OpenSSL.
        * The .netrc parser no longer permits "machine" after "default".
        * Add manpage info on the .netrc syntax, as ftp(1) is not standardized and may not be installed. Fixes Launchpad Bug #1976361 reported by Bill Yikes.
        * Received: lines now return GMT time if the tzoffset cannot be represented as whole minutes. Reported by @rriddicc via Gitlab #49.
        * If fetchmail was running localized, generated an error e-mail message locally, and if the selected translation would require the Subject: line to wrap inside an RFC-2047 encoded word (=?UTF-8?Q?...?=), the wrapped encoded-word was not indented, thus not marked as a continuation line.
        * SSL error handling was improved, fetchmail now consistently clears the thread/SSL error queue before SSL I/O operations and checks SSL_get_error afterwards. The SSL_connect() error handling has been revised to log more consistently.
      CHANGES
        * When fetchmail attempts to log out from an IMAP4 server and the server messes up its responses (it is supposed to send an untagged * BYE and a tagged A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than reporting a protocol error. We don't intend to chat any more so the protocol violation is harmless, and we know the server cannot send more untagged status responses. Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
        * The configure script now spends more effort for getting --with-ssl right, by running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS macro to obtain run-time library path setting flags.
        * For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option do not match, emit a warning and continue. Closes Gitlab #31.
        * There is now a --idletimeout feature contributed by Eric Durand, to permit setting a shorter timeout for the --idle option, because many servers violate the protocol (requiring 30 minutes) and hang up sooner than the 28 minutes fetchmail waits before refreshing IDLE. GitLab merge request !35.
        * There is now a --forceidle feature to force idle mode even if not advertised in the server capabilities. This is a dangerous option, use it carefully. Courtesy of Eric Durand, GitLab merge request !39.
        * There is now a --moveto feature (only feasible in IMAP) that, instead of flushing mail, moves it to a user-specified folder. This is to assist with archiving, or when providers (G...) break the IMAP model. Courteously provided by Damjan Jovanovic.
        * rcfile parsing errors are now reported in more detail, and with -vv mode, also lead to a non-importable Python dump of what was obtained, for debugging.
        * fetchmail's --auth option ssh was renamed to implicit, to make clear that it does *NOT* imply any particular type or features of the --plugin. --auth ssh will be understood for a while for compatibility but fetchmail will report it as implicit.
        * fetchmail no longer warns about port/service mismatches with/without ssl option when a "plugin" is in use because fetchmail cannot know whether the plugin talks SSL or STARTTLS/STLS. Fixes Debian Bug#1076604.
        * fetchmail re-executes itself if the .netrc file's modification change is found to be newer at the beginning of a new run.
        * fetchmail can now use other digest algorithms than MD5 for the --sslfingerprint option. To use, specify the algorithm's name in curly braces as prefix in the finger print, say, --sslfingerprint '{SHA256}00:01:[...]:1F'. This will also switch the algorithm for printing. All algorithms supported by the TLS/SSL library can be specified. Fixes Gitlab issue #19, Debian Bug#700266.
      EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
        * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that can be used to override the OpenSSL security level. Fetchmail by default raises the security level to 2 if lower. This variable can be used to lower it. Use with extreme caution. Note that levels 3 or higher will frequently cause incompatibilities with servers because server-side data sizes are often too low. Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
        * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that sets the cipher string (through two different OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If setting the ciphers fails, fetchmail will not connect. If not given, defaults to Postfix's "medium" list, "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
        * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable that sets the ciphersuites (a colon-separated list, without + ! -) for TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the ciphersuites fails, fetchmail refuses to connect.
        * NOTE the features above are simplistic. For instance, even though you configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause a connection abort.
* fetchmail can be built with meson 1.30 or newer . fetchmail is not currently written in a way that supports unity (amalgamated) builds. Signed-off-by: Adolf Belka --- lfs/fetchmail | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/fetchmail b/lfs/fetchmail index 6beb0db74..942babf4b 100644 --- a/lfs/fetchmail +++ b/lfs/fetchmail @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Full-Featured POP and IMAP Mail Retrieval Daemon -VER = 6.4.39 +VER = 6.5.2 THISAPP = fetchmail-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = fetchmail -PAK_VER = 17 +PAK_VER = 18 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 2d03f6668d2882e7dd1d4e83e8643a2a4c81576a143c75ff1b24327873fa6112fa313f9723373a268e04697b76b3b638cbbd7a04c21cba946cd1532b6aaf201d +$(DL_FILE)_BLAKE2 = f0877550b05a68bd32a34f48eea10aaa210a0ed4d22261aaf4b886cbdc3578180d3be6e9d5f69eaec6421712153b5a8d21a9416ad272d7ce942836773cde1dec install : $(TARGET)
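Review bot: at `VER = 6.5.2` in the second hunk, the bump crosses 6.5.0, whose changelog above removes the --enable-fallback configure option and raises the minimum to OpenSSL v3.0.9, while the diffstat (4 insertions, 4 deletions) shows the configure invocation in lfs/fetchmail is left as it was. Please state in the commit message that the existing configure line passes none of the removed options and that the OpenSSL in the tree meets the new minimum, so a reviewer does not have to open the full file to check.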
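Review bot: at `PAK_VER = 18` in the third hunk, this ships to existing add-on installs, and the message pastes the upstream changelog without saying what changes for them. The 6.5.0 section lists defaults that can stop a working setup from fetching mail (TLS v1.2 or higher only, OpenSSL security level 2, a .netrc with passwords ignored if it has more than 0700 permission, no MDA fallback). Suggest one or two lines ahead of the changelog naming those items and whether an upgraded system was tested against a real mailbox.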
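Review bot: the new `$(DL_FILE)_BLAKE2` value in the last hunk cannot be checked from the patch alone, and the message does not say where the 6.5.2 tarball came from or whether it was compared against a signature or checksum published by upstream before it was hashed. Because `DL_FROM = $(URL_IPFIRE)`, the digest only pins whatever was uploaded to the project mirror; please add a line naming the upstream download location and the verification that was done.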
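For the 6.5.0 SECURITY FIX quoted in the changelog (.netrc ignored when it holds passwords and has more than 0700 permission), a pre-upgrade check could look like the following. This is an added example, not part of the patch or of fetchmail; the function name `netrc_status` is hypothetical, and it assumes that only the `password` keyword marks a stored password and that "more than 0700" means any group or other permission bit is set.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the 6.5.0 .netrc rule quoted above.
# Assumptions: only the "password" keyword marks a stored password, and
# "more than 0700" is read as "any group/other permission bit set".

# netrc_status FILE -> prints one of: missing | no-password | ok | ignored
netrc_status() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    # .netrc is a whitespace-separated token stream; scan every token.
    if ! awk '{ for (i = 1; i <= NF; i++) if ($i == "password") found = 1 }
              END { exit !found }' "$f"; then
        echo no-password
        return 0
    fi
    mode=$(stat -c '%a' "$f") || return 1    # GNU stat, octal mode such as 640
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo ignored                         # 6.5.x would warn and skip this file
    else
        echo ok
    fi
}

# Stand-alone use: audit the files named on the command line.
if [ $# -gt 0 ]; then
    for file in "$@"; do
        printf '%s: %s\n' "$file" "$(netrc_status "$file")"
    done
fi
```

Run it against each account's .netrc before installing the update; a result of `ignored` is fixed with `chmod 600` on that file.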