beck's shiny new validator found its first victim. bluhm saw warnings
from fetchmail's verify callback and once we investigated, it was quick
to segfault since it doesn't bother to check return values. Failures are
more visible to the callback than they previously were. Fixing this
mess is more work than it's worth, so let it use the old garbage.
with & ok beck, tested & ok bluhm

Not much changed; it gained translations for Romanian and Serbian,
documentation fixes and saw some package config churn to make sure
FreeBSD links against the correct libssl.
ok kn

Instead of relying on an untested code path that uses version-fixed
TLS client methods and the made-up TLSv1_3_client_method() in case
TLS1_3_VERSION is defined, we can just use the code path provided for
the OpenSSL 1.1 API. While it seems reasonable to assume that such a
client method might be available, version-fixed methods are deprecated.
TLSv1_3_client_method() never existed in either LibreSSL or OpenSSL.
This will make sure that the port works correctly now and will
continue to build and work correctly once LIBRESSL_HAS_TLS1_3
becomes publicly visible.
ok jsing

Follow the upstream recommendations for packagers and switch to
multi-packages:
devel/gettext -> devel/gettext,-runtime
devel/gettext-tools -> devel/gettext,-tools
(new) devel/gettext,-textstyle

updates are triggered. This is following the struct if_data ABI change a few
days ago; if_msghdr has an embedded if_data. Some may be unnecessary, but
some are definitely needed and bumps are cheaper than debugging.
Problem reported with wpa_supplicant by Mikolaj Kucharski.

/usr/local/bin/python. Also check that python-tkinter is installed.
From Pascal Stumpf with tweaks from me.
(Python + tkinter aren't RUN_DEPENDs as many fetchmail installations
don't use this and it's a heavy dependency chain).

* CVE-2011-1947
- use timeouts for IMAP STARTTLS/POP3 STLS negotiation which could cause
fetchmail freezes if a server was hanging.
* security improvements to defang X.509 certificate abuse
- require wildcard CN/subject alternative names to start with "*." not just "*"
- don't allow wildcards to match domain literals (such as 10.9.8.7) or
wildcards in domain literals ("*.168.23.23").
- don't allow wildcarding top-level domains.

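The three wildcard restrictions listed above, implemented as an added Python example that is not fetchmail's own code; the function names and the sample hostnames are constructed for illustration.

```python
import ipaddress

# Added example: a CN/SAN matcher enforcing the wildcard rules from the
# fetchmail 6.3.20 changelog. Not fetchmail's code; names are constructed.


def _is_domain_literal(name: str) -> bool:
    """True for IP address literals such as 10.9.8.7 or [2001:db8::1]."""
    try:
        ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return False
    return True


def wildcard_pattern_ok(pattern: str) -> bool:
    """Accept only '*.' followed by at least two labels that are not all numeric.

    Rejects '*' and '*mail.example.org' (wildcard must be '*.'), '*.com'
    (no wildcarding a top-level domain) and '*.168.23.23' (no wildcard
    inside a domain literal).
    """
    if pattern.count("*") != 1 or not pattern.startswith("*."):
        return False
    labels = pattern[2:].split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return False
    # Every remaining label numeric means the '*' sits in a dotted quad.
    return not all(lbl.isdigit() for lbl in labels)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate CN/SAN entry against the peer hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    # Domain literals only ever match themselves, never a wildcard.
    if _is_domain_literal(hostname) or _is_domain_literal(pattern):
        return pattern == hostname
    if "*" not in pattern:
        return pattern == hostname
    if not wildcard_pattern_ok(pattern):
        return False
    host_labels = hostname.split(".")
    pat_labels = pattern.split(".")
    # The '*' covers exactly one non-empty leftmost label.
    return (len(host_labels) == len(pat_labels)
            and host_labels[0] != ""
            and host_labels[1:] == pat_labels[1:])
```
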
on signed char arch. http://www.fetchmail.info/fetchmail-SA-2010-01.txt
"This might be exploitable to inject code if
- fetchmail is run in verbose mode
AND
- the host running fetchmail considers char signed
AND
- the server uses malicious certificates with non-printing characters
that have the high bit set
AND
- these certificates manage to inject shell-code that consists purely of
printable characters.
It is believed to be difficult to achieve all this."