- Update to 6.5.7
* More fixes for SMTP bugs and others
## BUGFIXES:
* When authenticating to an SMTP server, the AUTH LOGIN method (which didn't
become a proposed standard, and is only the third method fetchmail would try,
if CRAM-MD5 and PLAIN weren't offered) required that the server returned
a 334 code followed by a blank and by a decodable base64 challenge we ignored
anyways. This is in line with RFC 4952.
However, to improve compatibility, fetchmail now accepts anything that
starts with "334 " and disregards the remainder of the line.
At the same time, AUTH LOGIN was deprecated. AUTH PLAIN should be available
everywhere AUTH LOGIN is, and is specified in IETF RFC 4616.
* When authenticating to an SMTP server, i. e. esmtpname/esmtppassword are
defined, check for errors, and skip servers that do not understand EHLO,
because we cannot negotiate supported authentication schemes with them.
This should avoid attempting to send a lot of messages and see them rejected.
* When authenticating to an SMTP server, do not send client abort "*" when
we receive any other server reply but 334.
* Extend 6.5.6's RFC-5321 address-literal fix to MAIL FROM. This might
apply when we only have a server's IP address and need to quality
addresses without domain. Fixes Debian Bug#1080025.
* SMTP AUTH can now look up passwords from the .netrc file - for that,
fetchmail's esmtpname setting must match the login for the given host in
.netrc. Fixes Debian Bug#1056651 by Ticker Berkin.
* Improve the GSSAPI (Kerberos V) build, which was pretty hard to get working.
This was improved. Recommendation:
- For autoconf builds (./configure), be sure to have the desired krb5-config
executable early on $PATH before running ./configure.
- For meson builds, be sure to list the path to your krb5-gssapi.pc file on
PKG_CONFIG_PATH. (meson will fall back to krb5-config, so if that's on PATH,
OBS-URL: https://build.opensuse.org/request/show/1312359
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=167
- Update to 6.5.6 fixes [bsc#1251194,CVE-2025-61962]
* Rebased fetchmail-add-passwordfile-and-passwordfd-options.patch
* Rebased fetchmail-add-query_to64_outsize-utility-function.patch
* Rebased fetchmail-bump-max-passwordlen-to-1bytes.patch
* Rebased fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
* Rebased fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
* Rebased fetchmail-re-read-passwordfile-on-every-poll.patch
* Rebased fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
* SECURITY BUGFIX:
* fetchmail-SA-2025-01.txt: CVE pending assignment by MITRE
An SMTP server advertising EHLO and AUTH, and if fetchmail is configured to
authenticate (esmtpname and esmtppassword given and non-empty), the server
might crash fetchmail by sending a "334" response without further blank to
fetchmail's AUTH request. This is in violation of applicable RFC-4952 though.
Fetchmail now detects this situation and reports it separately as
malformed server reply.
Fetchmail 6.5.6 has been released without waiting for translation updates
or CVE identifier, these will be provided in followup releases.
* BUGFIXES:
* RFC-5321: When the --smtpaddress, --smtphost, --smtpname, -D or -S argument
is an numeric address literal such as 192.0.2.2 or 2001:0DB8::4321, properly
format that as such in the SMTP RCPT command as user@[192.0.2.2] or
user@[IPv6:2001:0DB8::4321].
* When printing output on the console while fetching mail, do not intersperse
another copy of our program name and date in the middle of a log line.
Workaround for older versions: --logfile /dev/tty (might also use
--logfile /dev/stderr) - but note this changes buffering behavior and may
output to appear later and without ticker marks.
OBS-URL: https://build.opensuse.org/request/show/1312017
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=165
- Upgrade to 6.5.1
* Drop two wolfSSL compile-time checks that were for older 6.4 or for future
7.0 releases and broke compilation with wolfSSL 5.7.4.
Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
* Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message
(FreeBSD defines %#p to be %p, on many other platforms it's undefined
behavior).
* Add regex_helper.c to list of files that contain translatable strings,
which contains two strings we missed to translate.
* Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1")
for version switch and base it on the claimed OpenSSL version of the crypto
SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
* Several translations added
- Rebased fetchmail-6.3.8-smtp_errors.patch
- Rebased fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
- Rebased fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
- Rebased fetchmail-add-imap-oauthbearer-support.patch
- Rebased fetchmail-add-passwordfile-and-passwordfd-options.patch
- Rebased fetchmail-add-query_to64_outsize-utility-function.patch
- Rebased fetchmail-bump-max-passwordlen-to-1bytes.patch
- Rebased fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
- Rebased fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
- Rebased fetchmail-re-read-passwordfile-on-every-poll.patch
- Rebased fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
- Rebased fetchmailconf-no-more-future.patch
OBS-URL: https://build.opensuse.org/request/show/1227336
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=159
- update to 6.4.38:
* Tighten OpenSSL and wolfSSL version requirements again. See
README.SSL.
* Distributors providing older versions that they backport
security fixes for may want to patch socket.c but remember
to redirect support to your distribution's support channels.
The fetchmail maintainer only supports functionally
unmodified builds with publicly available SSL/TLS library
versions.
* fetchmail will refuse to build against OpenSSL 1.0.2 older
than 1.0.2u, or wolfSSL older than 5.6.2. It will warn about
OpenSSL older than 3.0.9, or between 3.1.0 and 3.1.4,
or wolfSSL older than 5.6.6.
- Update to 6.4.37:
- Update to 6.4.36:
- disable opie support
- When an SMTP receiver refuses delivery, a message would be
in /etc and restoring them while an RPM update.
- Try to fix ./configure --with-ssl=... for systems that have
multiple OpenSSL versions installed. Issues reported by
- The netrc parser now reports its errors to syslog or logfile
- Bump wolfSSL minimum required version to 5.2.0 to pull in
- Using OpenSSL 1.* before 1.1.1n elicits a compile-time
- Using OpenSSL 3.* before 3.0.2 elicits a compile-time
- configure.ac was tweaked in order to hopefully fix
cross-compilation issues report, and different patch
* Bump wolfSSL minimum required version to 5.1.1 to pull in
* Always create fetchmail group, even if the user is already
present, as a leftover from Leap 15.2 upgrade. This may happen
OBS-URL: https://build.opensuse.org/request/show/1164526
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=157
- update to 6.4.31
* Bugfixes:
- Try to fix ./configure --with-ssl=... for systems that have
multiple OpenSSL versions installed. Issues reported by
Dennis Putnam.
- The netrc parser now reports its errors to syslog or logfile
when appropriate, previously it would always log to stderr.
- Add error checking to .netrc parser.
* Changes:
- manpage: use .UR/.UE macros instead of .URL for URIs.
- manpage: fix contractions. Found with FreeBSD's igor tool.
- manpage: HTML now built with pandoc -> python-docutils
(manServer.pl was dropped)
OBS-URL: https://build.opensuse.org/request/show/989820
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=135
- update to 6.4.30:
* Breaking changes:
- Bump wolfSSL minimum required version to 5.2.0 to pull in
security fix.
* Changes:
- Using OpenSSL 1.* before 1.1.1n elicits a compile-time
warning.
- Using OpenSSL 3.* before 3.0.2 elicits a compile-time
warning.
- configure.ac was tweaked in order to hopefully fix
cross-compilation issues report, and different patch
suggested
* Translations.:
- ro: Updated Romanian translation.
OBS-URL: https://build.opensuse.org/request/show/973653
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=131
- update to 6.5.25:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.
* Added an example systemd unit file and instructions to contrib/systemd/
which runs fetchmail as a daemon with 5-minute poll intervals.
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
see INSTALL and README.SSL. This is considered experimental.
Feedback solicited.
* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
warning workaround. Remove the cast of yytoknum to void. This may cause
a compiler warning to reappear with older Bison versions.
* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
certificate in its trust store because OpenSSL by default prefers the
untrusted certificate and fails.
* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
- no matter its contents - and that set auth ssh), change the STARTTLS
error message to suggest sslproto '' instead.
This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
- drop fetchmail-bison-3.8.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/940000
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=122
- Update to 6.4.22: [bsc#1190069, CVE-2021-39272]
* OPENSSL AND LICENSING NOTE:
- fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual
OpenSSL/SSLeay license to Apache License v2.0, which is
considered incompatible with GPL v2 by the FSF. For
implications and details, see the file COPYING.
* SECURITY FIXES:
- CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections,
without --ssl and with nonempty --sslproto, meaning that
fetchmail is to enforce TLS, and when the server or an attacker
sends a PREAUTH greeting, fetchmail used to continue an
unencrypted connection. Now, log the error and abort the
connection. --Recommendation for servers that support
SSL/TLS-wrapped or "implicit" mode on a dedicated port
(default 993): use --ssl, or the ssl user option in an rcfile.
- On IMAP and POP3 connections, --auth ssh no longer prevents
STARTTLS negotiation.
- On IMAP connections, fetchmail does not permit overriding
a server-side LOGINDISABLED with --auth password any more.
- On POP3 connections, the possibility for RPA authentication
(by probing with an AUTH command without arguments) no longer
prevents STARTTLS negotiation.
- For POP3 connections, only attempt RPA if the authentication
type is "any".
* BUG FIXES:
- On IMAP connections, when AUTHENTICATE EXTERNAL fails and we
have received the tagged (= final) response, do not send "*".
- On IMAP connections, AUTHENTICATE EXTERNAL without username
will properly send a "=" for protocol compliance.
OBS-URL: https://build.opensuse.org/request/show/923570
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=120
- Update to 6.4.20: [bsc#1188875, CVE-2021-36386]
* CVE-2021-36386: DoS or information disclosure in some configurations.
When a log message exceeds c. 2 kByte in size, for instance,
with very long header contents, and depending on verbosity
option, fetchmail can crash or misreport each first log message
that requires a buffer reallocation. fetchmail then reallocates
memory and re-runs vsnprintf() without another call to va_start(),
so it reads garbage. The exact impact depends on many factors
around the compiler and operating system configurations used and
the implementation details of the stdarg.h interfaces of the two
functions mentioned before.
OBS-URL: https://build.opensuse.org/request/show/909104
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=117
- update to 6.4.18:
* fetchmailconf: fetchmail 6.4.16 added --sslcertfile to the configuration dump,
but fetchmailconf support was incomplete in Git 7349f124 and it could not
parse sslcertfile, thus the user settings editor came up empty with console
errors printed. Fix configuration parser in fetchmailconf.
* fetchmailconf: do not require fetchmail for -V. do not require Tk (Tkinter)
for -d option. This is to fail more gracefully on incomplete installs.
* TLS code: remove OPENSSL_NO_DEPRECATED macros to avoid portability issues
with OpenSSL v3 - these are for development purposes, not production.
* TLS futureproofing: use SSL_use_PrivateKey_file instead of
SSL_use_RSAPrivateKey_file, the latter will be deprecated with OpenSSL v3,
and the user's key file might be something else than RSA.
* IMAP client: it used to leak memory for username and password when trying
the LOGIN (password-based) authentication and encountered a timeout situation.
* dist-tools/getstats.py: also counts lines in *.py files, shown above.
* fetchmail.man: now mentions that you may need to add --ssl when specifying
a TLS-wrapped port.
* fetchmailconf: --version (-V) now prints the Python version in use.
OBS-URL: https://build.opensuse.org/request/show/883119
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=109
- update to 6.4.16:
* fetchmail's --configdump, and fetchmailconf, lacked support for
the sslcertfile option.
* fetchmail --version [fetchmail -V] now queries and prints the
SSL/TLS library's "SSL default trusted certificate" file or
directory (mind the word "default"), where the OpenSSL-compatible
TLS implementation will look for trusted root, meaning
certification authority (CA), certificates.
* fetchmail --version now prints version of the OpenSSL library
that it was compiled against, and that it is using at runtime,
and also the OPENSSL_DIR and OPENSSL_ENGINES_DIR (if available).
OBS-URL: https://build.opensuse.org/request/show/876575
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=107
- update to 6.4.14:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
* Errors about lock file (= pidfile) creation could be lost in daemon
configurations (-d option, or set daemon) when using syslog. Now they are also
logged to syslog. Found verifying a pidfile creation issue on 6.4.12 that was
previously reported by Alex Hall of Automatic Distributors.
* If the lock file cannot be removed (no write permission on directory), try
to truncate it, and if that fails, report error.
* If the pidfile was non-default, fetchmail -q or --quit would malfunction and
claim no other fetchmail were running, because it did not read the
configuration files or merge the command line options, thus it would look for
the PID in the wrong file.
OBS-URL: https://build.opensuse.org/request/show/856963
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=103
- update to 6.4.12:
# REGRESSION FIX:
* configure: fetchmail 6.4.9 and 6.4.10 would miss checking for TLS v1.2 and
TLS v1.3 support if AC_LIB_LINKFLAGS came up with something such as
/path/to/libssl.so, rather than -lssl. (For instance on FreeBSD)
* configure: fetchmail 6.4.9's configure was unable to pick up OpenSSL
if it wasn't announced by pkg-config, for instance, on FreeBSD
OBS-URL: https://build.opensuse.org/request/show/832383
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=100
- Update fetchmail.keyring file
- Use %{_prefix}/lib instead of %{_libexecdir}
- update to 6.4.8:
* Add a test program fm_realpath, and a t.realpath script, neither to be
installed. These will test resolution of the current working directory.
* TRANSLATION UPDATES
* Plug memory leaks when parts of the configuration (defaults, rcfile, command
line) override one another.
* fetchmail terminated the placeholder command string too late and included
garbage from the heap at the end of the string. Workaround: don't use place-
holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
Gitlab merge request !5 in order to fix an input buffer overrun.
Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
* Fetchmail now checks for errors when trying to read the .idfile
* Fetchmail's error messages that reports that the defaults entry isn't the
first was made more precise. It could be misleading if there was a poll or
skip statement before the defaults.
* Fetchmail documentation was updated to require OpenSSL 1.1.1.
OpenSSL 1.0.2 reached End Of Life status at the end of the year 2019.
Fetchmail will tolerate, but warn about, 1.0.2 for now on the assumption that
distributors backport security fixes as the need arises.
Fetchmail will also warn if another SSL library that is API-compatible
with OpenSSL lacks TLS v1.3 support.
* If the trust anchor is missing, fetchmail refers the user to README.SSL.
* The AC_DECLS(getenv) check was removed, its only user was broken and not
accounting for that AC_DECLS always defines HAVE_DECL_... to 0 or 1, so
fetchmail never declared a missing getenv() symbol (it was testing with
#ifdef). Remove the backup declaration. getenv is mandated by SUSv2 anyways.
* fetchmailconf now supports Python 3 and currently requires the "future"
OBS-URL: https://build.opensuse.org/request/show/829815
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=96
- Update to 6.4.1 [bsc#1152964]
## REGRESSION FIXES:
* The bug fix Debian Bug#941129 was incomplete and caused
- a regression in the default file locations, so that fetchmail was
no longer able to find its configuration files in some situations.
- a regression under _FORTIFY_SOURCE where PATH_MAX > minimal _POSIX_PATH_MAX.
- Update to 6.4.0
## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY REQUIRE RECONFIGURATION
* Fetchmail no longer supports SSLv2.
* Fetchmail no longer attempts to negotiate SSLv3 by default,
even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
TLS version, with STLS/STARTTLS (it would previously force TLSv1.0 with
STARTTLS). If the OpenSSL version used at build and run-time supports these
versions, --sslproto ssl3 and --sslproto ssl3+ can be used to re-enable SSLv3.
Doing so is discouraged because the SSLv3 protocol is broken.
While this change is supposed to be compatible with common configurations,
users may have to and are advised to change all explicit --sslproto ssl2
(change to newer protocols required), --sslproto ssl3, --sslproto tls1 to
--sslproto auto, so that they can benefit from TLSv1.1 and TLSv1.2 where
supported by the server.
The --sslproto option now understands the values auto, ssl3+, tls1+, tls1.1,
tls1.1+, tls1.2, tls1.2+, tls1.3, tls1.3+ (case insensitively), see CHANGES
below for details.
* Fetchmail defaults to --sslcertck behaviour. A new option --nosslcertck to
override this has been added, but may be removed in future fetchmail versions
in favour of another configuration option that makes the insecurity in using
this option clearer.
## SECURITY FIXES
* Fetchmail prevents buffer overruns in GSSAPI authentication with user names
beyond c. 6000 characters in length. Reported by Greg Hudson.
OBS-URL: https://build.opensuse.org/request/show/737166
OBS-URL: https://build.opensuse.org/package/show/server:mail/fetchmail?expand=0&rev=88
