Not much changed, it gained translations for Romanian and Serbian,
documentation fixes and saw some package config churn to make sure
FreeBSD links against the correct libssl.
ok kn
* CVE-2011-1947
- use timeouts for IMAP STARTTLS/POP3 STLS negotiation which could cause
fetchmail freezes if a server was hanging.
* security improvements to defang X.509 certificate abuse
- require wildcard CN/subject alternative names to start with "*." not just "*"
- don't allow wildcards to match domain literals (such as 10.9.8.7) or
wildcards in domain literals ("*.168.23.23").
- don't allow wildcarding top-level domains.
on signed char arch. http://www.fetchmail.info/fetchmail-SA-2010-01.txt
"This might be exploitable to inject code if
- - fetchmail is run in verbose mode
AND
- - the host running fetchmail considers char signed
AND
- - the server uses malicious certificates with non-printing characters
that have the high bit set
AND
- - these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this."
Make the APOP challenge parser more distrustful and have it reject challenges
that do not conform to RFC-822 msg-id format, in the hope to make mounting
man-in-the-middle attacks (MITM) against APOP a bit more difficult.
Detailed information:
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
A password disclosure vulnerability (CVE-2006-5867, fetchmail's using unsafe
logins or omitting TLS) and a denial of service vulnerability (CVE-2006-5974,
fetchmail crashes, dereferencing the null page, when rejecting a message sent
to an MDA).
Fetchmail 6.3.6 also fixes several regressions and long-standing bugs.
Details:
https://lists.berlios.de/pipermail/fetchmail-announce/2007-January/000042.html
tests & ok jasper@, simon@
This update includes security fixes for CVE-2005-2335, CVE-2005-4348
and CVE-2006-0321.
Take over maintainership. (With permission from old MAINTAINER fgsch@.)
Tested by Sigfred Håversen and aanriot@.
ok aanriot@, brad@
