From 02c6211f1a97fd6e464c62294a3481adc8bb28f5 Mon Sep 17 00:00:00 2001 From: sthen Date: Mon, 6 Jun 2011 13:57:07 +0000 Subject: [PATCH] update fetchmail to 6.3.20, tested by jasper@, lots of fixes including: * CVE-2011-1947 - use timeouts for IMAP STARTTLS/POP3 STLS negotiation which could cause fetchmail freezes if a server was hanging. * security improvements to defang X.509 certificate abuse - require wildcard CN/subject alternative names to start with "*." not just "*" - don't allow wildcards to match domain literals (such as 10.9.8.7) or wildcards in domain literals ("*.168.23.23"). - don't allow wildcarding top-level domains. --- mail/fetchmail/Makefile | 5 ++--- mail/fetchmail/distinfo | 10 +++++----- mail/fetchmail/patches/patch-Makefile_in | 8 ++++---- mail/fetchmail/patches/patch-configure | 21 ++++++--------------- mail/fetchmail/patches/patch-socket_c | 17 ----------------- 5 files changed, 17 insertions(+), 44 deletions(-) delete mode 100644 mail/fetchmail/patches/patch-socket_c
diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index 86a826f1eac..d2ac487d257 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.125 2010/11/19 07:23:06 espie Exp $
+# $OpenBSD: Makefile,v 1.126 2011/06/06 13:57:07 sthen Exp $
 COMMENT= mail retrieval utility for POP2, POP3, KPOP, IMAP and more
-DISTNAME= fetchmail-6.3.17
-REVISION = 0
+DISTNAME= fetchmail-6.3.20
 CATEGORIES= mail
 MASTER_SITES= ${MASTER_SITE_BERLIOS:=fetchmail/}
diff --git a/mail/fetchmail/distinfo b/mail/fetchmail/distinfo
index 634f171b24c..469853c2080 100644
--- a/mail/fetchmail/distinfo
+++ b/mail/fetchmail/distinfo
@@ -1,5 +1,5 @@
-MD5 (fetchmail-6.3.17.tar.bz2) = ex1Ens3bYWTiLDKFStxKdQ==
-RMD160 (fetchmail-6.3.17.tar.bz2) = qQjadrnXKd7nxkV7iaNCvmd71pA=
-SHA1 (fetchmail-6.3.17.tar.bz2) = 2f/JpD8I+e6TlKlZg0YG60EUHUc=
-SHA256 (fetchmail-6.3.17.tar.bz2) = 16Ac6sGEx+vemkKYLjEL7sRn3rWz0FxOQT5IzSYZyiQ=
-SIZE (fetchmail-6.3.17.tar.bz2) = 1642598
+MD5 (fetchmail-6.3.20.tar.bz2) = kXapAFqBaUb3ZndLxMvGQg==
+RMD160 (fetchmail-6.3.20.tar.bz2) = EmIQDEp0qE6d2Wnkq0kCdxdS2+U=
+SHA1 (fetchmail-6.3.20.tar.bz2) = eXtbAFB2OtERwkSrpgay/LTf2q0=
+SHA256 (fetchmail-6.3.20.tar.bz2) = IulPEdiFy5MwoZf9gCF9RPZeawh+TUtNg+Vzrfwkqns=
+SIZE (fetchmail-6.3.20.tar.bz2) = 1723623
diff --git a/mail/fetchmail/patches/patch-Makefile_in b/mail/fetchmail/patches/patch-Makefile_in
index 17b40ed4b9f..facbba69690 100644
--- a/mail/fetchmail/patches/patch-Makefile_in
+++ b/mail/fetchmail/patches/patch-Makefile_in
@@ -1,7 +1,7 @@
-$OpenBSD: patch-Makefile_in,v 1.16 2010/05/19 15:27:18 giovanni Exp $
---- Makefile.in.orig Thu May 6 09:56:13 2010
-+++ Makefile.in Fri May 14 15:12:54 2010
-@@ -1570,7 +1570,7 @@ info: info-recursive
+$OpenBSD: patch-Makefile_in,v 1.17 2011/06/06 13:57:07 sthen Exp $
+--- Makefile.in.orig Mon Jun 6 12:22:47 2011
++++ Makefile.in Mon Jun 6 14:18:29 2011
+@@ -1616,7 +1616,7 @@ info: info-recursive
 info-am:
diff --git a/mail/fetchmail/patches/patch-configure b/mail/fetchmail/patches/patch-configure
index 32928983132..35e58af2346 100644
--- a/mail/fetchmail/patches/patch-configure
+++ b/mail/fetchmail/patches/patch-configure
@@ -1,21 +1,12 @@
-$OpenBSD: patch-configure,v 1.17 2010/05/19 15:27:18 giovanni Exp $
---- configure.orig Thu May 6 09:56:07 2010
-+++ configure Fri May 14 15:12:54 2010
-@@ -8444,7 +8444,7 @@ $as_echo "$ac_try_echo") >&5
- test "$cross_compiling" = yes ||
- $as_test_x conftest$ac_exeext
- }; then
-- LIBINTL="$LIBINTL $LIBICONV"
-+ LIBINTL="$LTLIBINTL $LTLIBICONV"
- LTLIBINTL="$LTLIBINTL $LTLIBICONV"
- gt_cv_func_gnugettext2_libintl=yes
-
-@@ -12718,7 +12718,7 @@ cat >>confdefs.h <<\_ACEOF
- _ACEOF
+$OpenBSD: patch-configure,v 1.18 2011/06/06 13:57:07 sthen Exp $
+--- configure.orig Mon Jun 6 12:22:44 2011
++++ configure Mon Jun 6 14:18:30 2011
+@@ -9300,7 +9300,7 @@ $as_echo "#define HEIMDAL 1" >>confdefs.h
+ $as_echo "#define KERBEROS_V5 1" >>confdefs.h
 CFLAGS="$CFLAGS -I/usr/include/kerberosV"
 - LIBS="$LIBS -lasn1 -lkrb5 -lcom_err -lkafs"
 + LIBS="$LIBS -lkrb5"
 elif krb5-config 2> /dev/null >/dev/null ; then
 krb5_prefix=`krb5-config --prefix krb5`
- { $as_echo "$as_me:$LINENO: result: krb5-config points to kerberosV under $krb5_prefix" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config points to kerberosV under $krb5_prefix" >&5
diff --git a/mail/fetchmail/patches/patch-socket_c b/mail/fetchmail/patches/patch-socket_c
deleted file mode 100644
index 9292eb9a1a4..00000000000
--- a/mail/fetchmail/patches/patch-socket_c
+++ /dev/null
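Review bot: The refreshed patch-configure silently drops the first hunk of the old patch (the `LIBINTL="$LTLIBINTL $LTLIBICONV"` change at old line 8444), and nothing in the patch file or the commit message records whether 6.3.20's configure makes it unnecessary. The one hunk that remains also has no explanation of why the Heimdal branch links with `-lkrb5` alone. A short comment under the `$OpenBSD$` tag, such as `Heimdal: link with -lkrb5 only; upstream also lists -lasn1, -lcom_err and -lkafs.`, would let the next update tell a deliberate change from a stale one. The configure context around both hunks lies outside what this diff shows.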
@@ -1,17 +0,0 @@
-$OpenBSD: patch-socket_c,v 1.2 2010/06/09 08:34:59 stsp Exp $
-
-http://gitorious.org/fetchmail/fetchmail/commit/8476bffcb54f81d028bcd86e2a9090161738a980
-
---- socket.c.orig Fri Apr 30 01:29:05 2010
-+++ socket.c Tue Jun 8 00:45:09 2010
-@@ -1009,8 +1009,8 @@ int SSLOpen(int sock, char *mycert, char *mykey, const
- }
- }
-
-- if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
--|| !_verify_ok)) {
-+ if (!certck && !fingerprint &&
-+ (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
- report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
- }
-