update fetchmail to 6.3.20, tested by jasper@, lots of fixes including:
* CVE-2011-1947 - use timeouts for IMAP STARTTLS/POP3 STLS negotiation which could cause fetchmail freezes if a server was hanging. * security improvements to defang X.509 certificate abuse - require wildcard CN/subject alternative names to start with "*." not just "*" - don't allow wildcards to match domain literals (such as 10.9.8.7) or wildcards in domain literals ("*.168.23.23"). - don't allow wildcarding top-level domains.
This commit is contained in:
parent
2df2738f20
commit
02c6211f1a
@ -1,9 +1,8 @@
|
||||
# $OpenBSD: Makefile,v 1.125 2010/11/19 07:23:06 espie Exp $
|
||||
# $OpenBSD: Makefile,v 1.126 2011/06/06 13:57:07 sthen Exp $
|
||||
|
||||
COMMENT= mail retrieval utility for POP2, POP3, KPOP, IMAP and more
|
||||
|
||||
DISTNAME= fetchmail-6.3.17
|
||||
REVISION = 0
|
||||
DISTNAME= fetchmail-6.3.20
|
||||
CATEGORIES= mail
|
||||
MASTER_SITES= ${MASTER_SITE_BERLIOS:=fetchmail/}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
MD5 (fetchmail-6.3.17.tar.bz2) = ex1Ens3bYWTiLDKFStxKdQ==
|
||||
RMD160 (fetchmail-6.3.17.tar.bz2) = qQjadrnXKd7nxkV7iaNCvmd71pA=
|
||||
SHA1 (fetchmail-6.3.17.tar.bz2) = 2f/JpD8I+e6TlKlZg0YG60EUHUc=
|
||||
SHA256 (fetchmail-6.3.17.tar.bz2) = 16Ac6sGEx+vemkKYLjEL7sRn3rWz0FxOQT5IzSYZyiQ=
|
||||
SIZE (fetchmail-6.3.17.tar.bz2) = 1642598
|
||||
MD5 (fetchmail-6.3.20.tar.bz2) = kXapAFqBaUb3ZndLxMvGQg==
|
||||
RMD160 (fetchmail-6.3.20.tar.bz2) = EmIQDEp0qE6d2Wnkq0kCdxdS2+U=
|
||||
SHA1 (fetchmail-6.3.20.tar.bz2) = eXtbAFB2OtERwkSrpgay/LTf2q0=
|
||||
SHA256 (fetchmail-6.3.20.tar.bz2) = IulPEdiFy5MwoZf9gCF9RPZeawh+TUtNg+Vzrfwkqns=
|
||||
SIZE (fetchmail-6.3.20.tar.bz2) = 1723623
|
||||
|
@ -1,7 +1,7 @@
|
||||
$OpenBSD: patch-Makefile_in,v 1.16 2010/05/19 15:27:18 giovanni Exp $
|
||||
--- Makefile.in.orig Thu May 6 09:56:13 2010
|
||||
+++ Makefile.in Fri May 14 15:12:54 2010
|
||||
@@ -1570,7 +1570,7 @@ info: info-recursive
|
||||
$OpenBSD: patch-Makefile_in,v 1.17 2011/06/06 13:57:07 sthen Exp $
|
||||
--- Makefile.in.orig Mon Jun 6 12:22:47 2011
|
||||
+++ Makefile.in Mon Jun 6 14:18:29 2011
|
||||
@@ -1616,7 +1616,7 @@ info: info-recursive
|
||||
|
||||
info-am:
|
||||
|
||||
|
@ -1,21 +1,12 @@
|
||||
$OpenBSD: patch-configure,v 1.17 2010/05/19 15:27:18 giovanni Exp $
|
||||
--- configure.orig Thu May 6 09:56:07 2010
|
||||
+++ configure Fri May 14 15:12:54 2010
|
||||
@@ -8444,7 +8444,7 @@ $as_echo "$ac_try_echo") >&5
|
||||
test "$cross_compiling" = yes ||
|
||||
$as_test_x conftest$ac_exeext
|
||||
}; then
|
||||
- LIBINTL="$LIBINTL $LIBICONV"
|
||||
+ LIBINTL="$LTLIBINTL $LTLIBICONV"
|
||||
LTLIBINTL="$LTLIBINTL $LTLIBICONV"
|
||||
gt_cv_func_gnugettext2_libintl=yes
|
||||
|
||||
@@ -12718,7 +12718,7 @@ cat >>confdefs.h <<\_ACEOF
|
||||
_ACEOF
|
||||
$OpenBSD: patch-configure,v 1.18 2011/06/06 13:57:07 sthen Exp $
|
||||
--- configure.orig Mon Jun 6 12:22:44 2011
|
||||
+++ configure Mon Jun 6 14:18:30 2011
|
||||
@@ -9300,7 +9300,7 @@ $as_echo "#define HEIMDAL 1" >>confdefs.h
|
||||
$as_echo "#define KERBEROS_V5 1" >>confdefs.h
|
||||
|
||||
CFLAGS="$CFLAGS -I/usr/include/kerberosV"
|
||||
- LIBS="$LIBS -lasn1 -lkrb5 -lcom_err -lkafs"
|
||||
+ LIBS="$LIBS -lkrb5"
|
||||
elif krb5-config 2> /dev/null >/dev/null ; then
|
||||
krb5_prefix=`krb5-config --prefix krb5`
|
||||
{ $as_echo "$as_me:$LINENO: result: krb5-config points to kerberosV under $krb5_prefix" >&5
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config points to kerberosV under $krb5_prefix" >&5
|
||||
|
@ -1,17 +0,0 @@
|
||||
$OpenBSD: patch-socket_c,v 1.2 2010/06/09 08:34:59 stsp Exp $
|
||||
|
||||
http://gitorious.org/fetchmail/fetchmail/commit/8476bffcb54f81d028bcd86e2a9090161738a980
|
||||
|
||||
--- socket.c.orig Fri Apr 30 01:29:05 2010
|
||||
+++ socket.c Tue Jun 8 00:45:09 2010
|
||||
@@ -1009,8 +1009,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
|
||||
}
|
||||
}
|
||||
|
||||
- if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
|
||||
-|| !_verify_ok)) {
|
||||
+ if (!certck && !fingerprint &&
|
||||
+ (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
|
||||
report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user