From patchwork Tue Jun 30 11:15:18 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9982
X-Original-To: development@lists.ipfire.org
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] fetchmail: Update to version 6.6.5
Date: Tue, 30 Jun 2026 13:15:18 +0200
Message-ID: <20260630111523.1271203-7-adolf.belka@ipfire.org>
In-Reply-To: <20260630111523.1271203-1-adolf.belka@ipfire.org>
References: <20260630111523.1271203-1-adolf.belka@ipfire.org>
Precedence: list

- Update from version 6.6.0 to 6.6.5
- No change to rootfile
- Changelog
    6.6.5
      SECURITY BUGFIX
        * POP3 with RPA: fix calculation of buffer sizes to avoid buffer
          overflow on long service challenges with long user IDs, which would
          smash our stack. Triggering this requires that
          1. RPA is enabled at compile time (non-default, which is discouraged
          in autotools, and possible but not documented nor supported in
          meson), and the username (--user option, or user in the rcfile)
          contains @compuserve.com anywhere, and the server supports an AUTH
          command without arguments (which is a non-standard local extension),
          and that it offers RPA authentication in response to that command.
          This was reported based on an incomplete semi-wrong AI report with
          an incomplete fix "recommendation" by zhangph12138@outlook.com via
          fetchmail-devel@. The fix suggested in that AI report was wrong, and
          would happily crash a few lines later again. The fix deployed
          calculates the buffer size of "workarea" variables based on the
          sizeof() of constituent components.
      BUGFIX
        * Robustness: If RPA is enabled at compile time and POP3 is in use, do
          not barf if @compuserve.com is in the remote site's username (what
          you'd pass as --user, or user in the rcfile) and the remote site
          either does not support an "AUTH" command without parameters
          (normally, one is required, but some servers such as jpop and Cyrus
          allow AUTH to request the list of supported authentication types as
          an extension; the standard way would be a "CAPA" request instead),
          but try other authentication methods. Found by code auditing in
          response to a bug report against rpa.c. Note that enabling RPA is
          discouraged because it is based on the weak MD5 crypto algorithm.
    6.6.4
      BUGFIX
        * The IMAP client will now properly quote the folder name given with
          the moveto rcfile option, or --moveto command-line option. Report
          and bugfix contributed by Corben Dallas.
      BUILD IMPROVEMENTS
        * meson-based builds with wolfSSL should now also work when meson
          finds the wolfssl package through cmake, instead of pkgconfig. This
          is unsupported and depends on internal
          set(_wolfssl_includedir "...") in wolfSSL's lib/cmake/*.cmake files,
          and works as of wolfSSL 5.9.1. The supported way to build fetchmail
          with wolfSSL with meson is to make sure that wolfSSL is found with
          pkgconfig, as in (change /path/to!)
            meson setup --pkg-config-path /path/to/wolfssl/lib/pkgconfig
      EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
        * fetchmail supports AWS-LC 1.71 or newer, since its relicensing to
          the Apache license v2.0. Note this requires you to distribute
          fetchmail under terms of the GPLv3 because the GPLv2 is claimed
          incompatible with Apache license (this is no different for OpenSSL 3
          or newer, or the one wolfSSL version that was GPLv3 licensed).
        * fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable
          (since 6.5.0, except when using AWS-LC where it is silently
          ignored), which can be used to override the OpenSSL security level.
          Fetchmail by default raises the security level to 2 if lower. This
          variable can be used to lower it. Use with extreme caution. Note
          that levels 3 or higher will frequently cause incompatibilities with
          servers because server-side data sizes are often too low.
          Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
        * fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable
          (since 6.5.0) that sets the cipher string (through two different
          OpenSSL functions) for SSL and TLS versions up to TLSv1.2. If
          setting the ciphers fails, fetchmail will not connect. If not given,
          defaults to "HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL" - note that +RC4 is
          supposed to move the RC4 to the end of the list, not add it.
        * fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment
          variable (since 6.5.0) that sets the ciphersuites (a colon-separated
          list, without + ! -) for TLSv1.3. If not given, defaults to the SSL
          library's built-in list. If setting the ciphersuites fails,
          fetchmail refuses to connect.
        * NOTE the features above are simplistic. For instance, even though
          you configure --sslproto tls1.3, a failure to set tls1.2 ciphers
          could cause a connection abort.
    6.6.3
      COMPATIBILITY:
        * fetchmail can now be built with OpenSSL 4.0.0 (tested as of -beta1).
    6.6.2
      BUGFIX:
        * fetchmail 6.6.0 and 6.6.1 could not be configured without SSL, it
          would break compiling sink.c. Fix compilation. Report by Toralf
          Förster, analysis and different patch suggested by Holger
          Hoffstätte, fixes #86.
          https://bugs.gentoo.org/967258 and
          https://gitlab.com/fetchmail/fetchmail/-/issues/86
    6.6.1
      TRANSLATIONS were updated by these fine people (randomized order):
        * sr: Мирослав Николић [Serbian]
        * es: Cristian Othón Martínez Vera [Spanish]

Signed-off-by: Adolf Belka
--- lfs/fetchmail | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/fetchmail b/lfs/fetchmail index d88907db0..e3d4e1dd0 100644 --- a/lfs/fetchmail +++ b/lfs/fetchmail
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Full-Featured POP and IMAP Mail Retrieval Daemon -VER = 6.6.0 +VER = 6.6.5 THISAPP = fetchmail-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = fetchmail -PAK_VER = 24 +PAK_VER = 25 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = bf308bfd1769b7092585d3af32aaef91206b315d87bd81794c9f04b65980e3cadd6a6c7ff1f5fd2c7ada0620dccecb14c3022224e17c5d075ea21e391408bdb8 +$(DL_FILE)_BLAKE2 = cceb7a0673f6aea76fe5619c0b6a4cd25566adc31b8d9a8e574b3abf8584107b882f71a63d5690ce76822044cc8a2dd431e44813002740ebcbd3cc55b4e9105f install : $(TARGET)
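
Review bot: The commit message for the `VER = 6.6.0` to `VER = 6.6.5` hunk does not say whether this package is built with RPA enabled, although the bump pulls in a release whose changelog lists a stack buffer overflow fix in the POP3 RPA code. The changelog describes RPA as a non-default compile-time option, and the build options are not visible in this diff, so please state in the commit message whether the lfs/fetchmail build turns it on. That tells reviewers whether installed 6.6.0 packages were exposed and how urgently the PAK_VER 25 update should ship. A subject line that flags the security fix would also help anyone scanning the log later.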
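
Review bot: In the last hunk, the new `$(DL_FILE)_BLAKE2` value cannot be confirmed from anything in the patch or the commit message. With `DL_FROM = $(URL_IPFIRE)`, this digest is the only thing binding the mirrored fetchmail-6.6.5.tar.xz to the upstream release, so it matters how it was produced. Suggest adding a line to the commit message saying where the tarball was fetched from and what it was checked against (an upstream signature or published checksum, if one is available) before the BLAKE2 sum was computed.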