pkgsrc-Changes archive


CVS commit: [pkgsrc-2012Q3] pkgsrc/mail



Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Nov  4 17:12:30 UTC 2012

Modified Files:
        pkgsrc/mail/fetchmail [pkgsrc-2012Q3]: Makefile PLIST distinfo
        pkgsrc/mail/fetchmailconf [pkgsrc-2012Q3]: Makefile
Added Files:
        pkgsrc/mail/fetchmail/patches [pkgsrc-2012Q3]: patch-Makefile.in
Removed Files:
        pkgsrc/mail/fetchmail/patches [pkgsrc-2012Q3]: patch-ntlmsubr.c

Log Message:
Pullup ticket #3958 - requested by morr
mail/fetchmail: security update

Revisions pulled up:
- mail/fetchmail/Makefile                                       1.180
- mail/fetchmail/PLIST                                          1.14
- mail/fetchmail/distinfo                                       1.47
- mail/fetchmail/patches/patch-Makefile.in                      1.1
- mail/fetchmail/patches/patch-ntlmsubr.c                       deleted
- mail/fetchmailconf/Makefile                                   1.85

-------------------------------------------------------------------
   Module Name: pkgsrc
   Committed By:        morr
   Date:                Sat Nov  3 22:50:23 UTC 2012

   Modified Files:
        pkgsrc/mail/fetchmail: Makefile PLIST distinfo
        pkgsrc/mail/fetchmailconf: Makefile
   Added Files:
        pkgsrc/mail/fetchmail/patches: patch-Makefile.in
   Removed Files:
        pkgsrc/mail/fetchmail/patches: patch-ntlmsubr.c

   Log Message:
   Update fetchmail and fetchmailconf to version 6.3.22.

   # SECURITY FIXES
   * for CVE-2012-3482:
     NTLM: fetchmail mistook an error message that the server sent in response to
     an NTLM request for protocol exchange, tried to decode it, and crashed while
     reading from a bad memory location.
     Also, with a carefully crafted NTLM challenge packet sent from the server, it
     would be possible that fetchmail conveyed confidential data not meant for the
     server through the NTLM response packet.
     Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
     NTLM authentication in case of error.
     See fetchmail-SA-2012-02.txt for further details.
     Reported by J. Porter Clark.
   * for CVE-2011-3389:
     SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
     against a certain kind of attack against cipher block chaining initialization
     vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
     Whether this creates an exploitable situation, depends on the server and the
     negotiated ciphers.
     As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
     SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
     NOTE that this can cause connections to certain non-conforming servers to
     fail, in which case you can set the environment variable
     FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when starting
     fetchmail to re-instate the compatibility option at the expense of security.
     Reported by Apple Product Security.
     For technical details, refer to <http://www.openssl.org/~bodo/tls-cbc.txt>.
     See fetchmail-SA-2012-01.txt for further details.

   # BUG FIX
   * The Server certificate: message in verbose mode now appears on stdout like the
     remainder of the output. Reported by Henry Jensen, to fix Debian Bug #639807.
   * The GSSAPI-related autoconf code now matches gssapi.c better, and uses
     a different check to look for GSS_C_NT_HOSTBASED_SERVICE.
     This fixes the GSSAPI-enabled build on NetBSD 6 Beta.

   # CHANGES
   * On systems where SSLv2_client_method isn't defined in OpenSSL (such as
     newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
     reference it (to fix the build) and if configured, print a run-time error
     that the OS does not support SSLv2. Fixes Debian Bug #622054,
     but note that that bug report has a more thorough patch that does away with
     SSLv2 altogether.
   * The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now
     under the more relaxed CC BY-ND 3.0 license (the noncommercial clause
     was dropped). The Creative Commons address was updated.
   * The Python-related Makefile.am parts were simplified to avoid an automake
     1.11.X bug around noinst_PYTHON, Automake Bug #10995.
   * Configuring fetchmail without SSL now triggers a configure warning,
     and asks the user to consider running configure --with-ssl.

   # WORKAROUNDS
   * Some servers, notably Zimbra, return A1234 987 FETCH () in response to
     a header request, in the face of message corruption.  fetchmail now treats
     these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
   * Some servers, notably Microsoft Exchange, return "A0009 OK FETCH completed."
     without any header in response to a header request for meeting reminder
     messages (with a "meeting.ics" attachment). fetchmail now treats these as
     transient errors.  Report by John Connett, Patch by Sunil Shetye.

   # TRANSLATION UPDATES
   * [cs]    Czech, by Petr Pisar
   * [de]    German
   * [fr]    French, by Frédéric Marchal
   * [ja]    Japanese, by Takeshi Hamasaki
   * [pl]    Polish, by Jakub Bogusz
   * [sv]    Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
   * [vi]    Vietnamese, by Trần Ngọc Quân

   To generate a diff of this commit:
   cvs rdiff -u -r1.179 -r1.180 pkgsrc/mail/fetchmail/Makefile
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/mail/fetchmail/PLIST
   cvs rdiff -u -r1.46 -r1.47 pkgsrc/mail/fetchmail/distinfo
   cvs rdiff -u -r0 -r1.1 pkgsrc/mail/fetchmail/patches/patch-Makefile.in
   cvs rdiff -u -r1.1 -r0 pkgsrc/mail/fetchmail/patches/patch-ntlmsubr.c
   cvs rdiff -u -r1.84 -r1.85 pkgsrc/mail/fetchmailconf/Makefile


To generate a diff of this commit:
cvs rdiff -u -r1.178 -r1.178.2.1 pkgsrc/mail/fetchmail/Makefile
cvs rdiff -u -r1.13 -r1.13.26.1 pkgsrc/mail/fetchmail/PLIST
cvs rdiff -u -r1.46 -r1.46.2.1 pkgsrc/mail/fetchmail/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/mail/fetchmail/patches/patch-Makefile.in
cvs rdiff -u -r1.1 -r0 pkgsrc/mail/fetchmail/patches/patch-ntlmsubr.c
cvs rdiff -u -r1.83 -r1.83.2.1 pkgsrc/mail/fetchmailconf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
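
Added example, not part of the commit message and not fetchmail's code: the three steps of the CVE-2012-3482 fix named in the log above (detect base64 decoding errors, validate the NTLM challenge, abort on error), written as stand-alone C. The Type 2 field offsets follow the publicly documented NTLM message layout; the function names, the 32-byte minimum length and both sample strings are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed samples: a 32-byte Type 2 message, and an error line sent in its place. */
const char SAMPLE_OK[]  = "TlRMTVNTUAACAAAA" "AAAAACAAAAAAAAAA" "ASNFZ4mrze8=";
const char SAMPLE_ERR[] = "NO AUTHENTICATE failed";
static int b64val(int c) {               /* -1 for anything outside the alphabet */
    const char *t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(t, c) : NULL;
    return p ? (int)(p - t) : -1;
}
/* Strict decode: returns the byte count, or -1 on any malformed input. */
int b64_decode_strict(const char *in, uint8_t *out, size_t cap) {
    size_t n = strlen(in), o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (size_t i = 0; i < n; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=' && i + 4 == n && k >= 2) { v[k] = 0; pad++; }
            else if (pad || (v[k] = b64val(c)) < 0) return -1;
        }
        if (o + 3 - (size_t)pad > cap) return -1;     /* never write past the buffer */
        uint32_t w = (uint32_t)v[0] << 18 | (uint32_t)v[1] << 12 | (uint32_t)v[2] << 6 | (uint32_t)v[3];
        out[o++] = (uint8_t)(w >> 16);
        if (pad < 2) out[o++] = (uint8_t)(w >> 8);
        if (pad < 1) out[o++] = (uint8_t)w;
    }
    return (int)o;
}

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
/* 0 if m is a well-formed Type 2 message whose target-name buffer lies inside it. */
int ntlm_challenge_ok(const uint8_t *m, size_t len) {
    if (len < 32) return -1;                          /* header through 8-byte nonce */
    if (memcmp(m, "NTLMSSP", 8) != 0) return -1;      /* signature including its NUL */
    if (le32(m + 8) != 2) return -1;                  /* message type must be 2 */
    uint32_t tlen = le16(m + 12), toff = le32(m + 16);
    if (tlen && (toff < 32 || toff > len || tlen > len - toff)) return -1;
    return 0;
}

/* Decode then validate: 0 = continue NTLM, -1 = abort NTLM authentication. */
int check_server_reply(const char *b64) {
    uint8_t buf[512];
    int n = b64_decode_strict(b64, buf, sizeof buf);
    return n < 0 ? -1 : ntlm_challenge_ok(buf, (size_t)n);
}
```

A reply that fails either step is never handed to the code that builds the NTLM response, which covers both the crash on a non-base64 error line and the out-of-bounds target-name case.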


