update fetchmail to 6.3.20, tested by jasper@, lots of fixes including:

* CVE-2011-1947
- add timeouts to the IMAP STARTTLS / POP3 STLS negotiation; without them a
  server that stopped responding mid-handshake could freeze fetchmail indefinitely.
* security improvements to defang X.509 certificate abuse
- require wildcard CN/subject alternative names to start with "*." not just "*"
- don't allow wildcards to match domain literals (such as 10.9.8.7) or
  wildcards in domain literals ("*.168.23.23").
- don't allow wildcarding top-level domains.
sthen 2011-06-06 13:57:07 +00:00
parent 2df2738f20
commit 02c6211f1a
5 changed files with 17 additions and 44 deletions


@ -1,9 +1,8 @@
# $OpenBSD: Makefile,v 1.125 2010/11/19 07:23:06 espie Exp $
# $OpenBSD: Makefile,v 1.126 2011/06/06 13:57:07 sthen Exp $
COMMENT= mail retrieval utility for POP2, POP3, KPOP, IMAP and more
DISTNAME= fetchmail-6.3.17
REVISION = 0
DISTNAME= fetchmail-6.3.20
CATEGORIES= mail
MASTER_SITES= ${MASTER_SITE_BERLIOS:=fetchmail/}


@ -1,5 +1,5 @@
MD5 (fetchmail-6.3.17.tar.bz2) = ex1Ens3bYWTiLDKFStxKdQ==
RMD160 (fetchmail-6.3.17.tar.bz2) = qQjadrnXKd7nxkV7iaNCvmd71pA=
SHA1 (fetchmail-6.3.17.tar.bz2) = 2f/JpD8I+e6TlKlZg0YG60EUHUc=
SHA256 (fetchmail-6.3.17.tar.bz2) = 16Ac6sGEx+vemkKYLjEL7sRn3rWz0FxOQT5IzSYZyiQ=
SIZE (fetchmail-6.3.17.tar.bz2) = 1642598
MD5 (fetchmail-6.3.20.tar.bz2) = kXapAFqBaUb3ZndLxMvGQg==
RMD160 (fetchmail-6.3.20.tar.bz2) = EmIQDEp0qE6d2Wnkq0kCdxdS2+U=
SHA1 (fetchmail-6.3.20.tar.bz2) = eXtbAFB2OtERwkSrpgay/LTf2q0=
SHA256 (fetchmail-6.3.20.tar.bz2) = IulPEdiFy5MwoZf9gCF9RPZeawh+TUtNg+Vzrfwkqns=
SIZE (fetchmail-6.3.20.tar.bz2) = 1723623


@ -1,7 +1,7 @@
$OpenBSD: patch-Makefile_in,v 1.16 2010/05/19 15:27:18 giovanni Exp $
--- Makefile.in.orig Thu May 6 09:56:13 2010
+++ Makefile.in Fri May 14 15:12:54 2010
@@ -1570,7 +1570,7 @@ info: info-recursive
$OpenBSD: patch-Makefile_in,v 1.17 2011/06/06 13:57:07 sthen Exp $
--- Makefile.in.orig Mon Jun 6 12:22:47 2011
+++ Makefile.in Mon Jun 6 14:18:29 2011
@@ -1616,7 +1616,7 @@ info: info-recursive
info-am:


@ -1,21 +1,12 @@
$OpenBSD: patch-configure,v 1.17 2010/05/19 15:27:18 giovanni Exp $
--- configure.orig Thu May 6 09:56:07 2010
+++ configure Fri May 14 15:12:54 2010
@@ -8444,7 +8444,7 @@ $as_echo "$ac_try_echo") >&5
test "$cross_compiling" = yes ||
$as_test_x conftest$ac_exeext
}; then
- LIBINTL="$LIBINTL $LIBICONV"
+ LIBINTL="$LTLIBINTL $LTLIBICONV"
LTLIBINTL="$LTLIBINTL $LTLIBICONV"
gt_cv_func_gnugettext2_libintl=yes
@@ -12718,7 +12718,7 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
$OpenBSD: patch-configure,v 1.18 2011/06/06 13:57:07 sthen Exp $
--- configure.orig Mon Jun 6 12:22:44 2011
+++ configure Mon Jun 6 14:18:30 2011
@@ -9300,7 +9300,7 @@ $as_echo "#define HEIMDAL 1" >>confdefs.h
$as_echo "#define KERBEROS_V5 1" >>confdefs.h
CFLAGS="$CFLAGS -I/usr/include/kerberosV"
- LIBS="$LIBS -lasn1 -lkrb5 -lcom_err -lkafs"
+ LIBS="$LIBS -lkrb5"
elif krb5-config 2> /dev/null >/dev/null ; then
krb5_prefix=`krb5-config --prefix krb5`
{ $as_echo "$as_me:$LINENO: result: krb5-config points to kerberosV under $krb5_prefix" >&5
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config points to kerberosV under $krb5_prefix" >&5
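Review bot: The new patch-configure gives no rationale for the Heimdal link line it rewrites in the `@@ -9300` hunk, where `-lasn1 -lcom_err -lkafs` are dropped and only `-lkrb5` is kept; unlike the removed patch-socket_c, which cited the upstream commit it backported, nothing between the `$OpenBSD` header and `--- configure.orig` explains the change. Dropping libkafs in particular changes what the Kerberos build links against, and whether fetchmail's KERBEROS_V5 path still resolves every symbol cannot be confirmed from this page, since the rest of the configure test lies outside the hunk. A one-line comment under the header would record the intent, e.g. `# base Heimdal: only -lkrb5 is needed on the link line; libasn1/libcom_err/libkafs are not required (verify the Kerberos build still links)`. It is also not visible here whether the old patch's LIBINTL/LTLIBINTL and confdefs hunks were dropped because 6.3.20 fixed them upstream; a note to that effect in the same comment would save the next updater a diff against the pristine configure.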


@ -1,17 +0,0 @@
$OpenBSD: patch-socket_c,v 1.2 2010/06/09 08:34:59 stsp Exp $
http://gitorious.org/fetchmail/fetchmail/commit/8476bffcb54f81d028bcd86e2a9090161738a980
--- socket.c.orig Fri Apr 30 01:29:05 2010
+++ socket.c Tue Jun 8 00:45:09 2010
@@ -1009,8 +1009,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
}
}
- if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
-|| !_verify_ok)) {
+ if (!certck && !fingerprint &&
+ (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
}