Date: Sun, 4 Nov 2012 17:12:30 +0000
From: "S.P.Zeidler"
Subject: CVS commit: [pkgsrc-2012Q3] pkgsrc/mail
To: pkgsrc-changes@netbsd.org
Reply-To: spz@netbsd.org
Message-Id: <20121104171230.66E3F175DD@cvs.netbsd.org>

Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Nov 4 17:12:30 UTC 2012

Modified Files:
        pkgsrc/mail/fetchmail [pkgsrc-2012Q3]: Makefile PLIST distinfo
        pkgsrc/mail/fetchmailconf [pkgsrc-2012Q3]: Makefile
Added Files:
        pkgsrc/mail/fetchmail/patches [pkgsrc-2012Q3]: patch-Makefile.in
Removed Files:
        pkgsrc/mail/fetchmail/patches [pkgsrc-2012Q3]: patch-ntlmsubr.c

Log Message:
Pullup ticket #3958 - requested by morr
mail/fetchmail: security update

Revisions pulled up:
- mail/fetchmail/Makefile                       1.180
- mail/fetchmail/PLIST                          1.14
- mail/fetchmail/distinfo                       1.47
- mail/fetchmail/patches/patch-Makefile.in      1.1
- mail/fetchmail/patches/patch-ntlmsubr.c       deleted
- mail/fetchmailconf/Makefile                   1.85

-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   morr
Date:           Sat Nov 3 22:50:23 UTC 2012

Modified Files:
        pkgsrc/mail/fetchmail: Makefile PLIST distinfo
        pkgsrc/mail/fetchmailconf: Makefile
Added Files:
        pkgsrc/mail/fetchmail/patches: patch-Makefile.in
Removed Files:
        pkgsrc/mail/fetchmail/patches: patch-ntlmsubr.c

Log Message:
Update fetchmail and fetchmailconf to version 6.3.22.

# SECURITY FIXES
* for CVE-2012-3482:
  NTLM: fetchmail mistook an error message that the server sent in response
  to an NTLM request for protocol exchange, tried to decode it, and crashed
  while reading from a bad memory location.
  Also, with a carefully crafted NTLM challenge packet sent from the server,
  it would be possible that fetchmail conveyed confidential data not meant
  for the server through the NTLM response packet.
  Fix: Detect base64 decoding errors, validate the NTLM challenge, and abort
  NTLM authentication in case of error.
  See fetchmail-SA-2012-02.txt for further details.
  Reported by J. Porter Clark.

* for CVE-2011-3389:
  SSL/TLS (wrapped and STARTTLS): fetchmail used to disable a countermeasure
  against a certain kind of attack against cipher block chaining
  initialization vectors (SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS).
  Whether this creates an exploitable situation, depends on the server and
  the negotiated ciphers.
  As a precaution, fetchmail 6.3.22 enables the countermeasure, by clearing
  SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

  NOTE that this can cause connections to certain non-conforming servers to
  fail, in which case you can set the environment variable
  FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE to any non-empty value when
  starting fetchmail to re-instate the compatibility option at the expense
  of security.

  Reported by Apple Product Security.

  For technical details, refer to .
  See fetchmail-SA-2012-01.txt for further details.

# BUG FIX
* The Server certificate: message in verbose mode now appears on stdout like
  the remainder of the output. Reported by Henry Jensen, to fix Debian Bug
  #639807.
* The GSSAPI-related autoconf code now matches gssapi.c better, and uses a
  different check to look for GSS_C_NT_HOSTBASED_SERVICE.
  This fixes the GSSAPI-enabled build on NetBSD 6 Beta.

# CHANGES
* On systems where SSLv2_client_method isn't defined in OpenSSL (such as
  newer Debian, and Ubuntu starting with 11.10 oneiric ocelot), don't
  reference it (to fix the build) and if configured, print a run-time error
  that the OS does not support SSLv2. Fixes Debian Bug #622054, but note
  that that bug report has a more thorough patch that does away with SSLv2
  altogether.
* The security and errata notices fetchmail-{EN,SA}-20??-??.txt are now under
  the more relaxed CC BY-ND 3.0 license (the noncommercial clause was
  dropped). The Creative Commons address was updated.
* The Python-related Makefile.am parts were simplified to avoid an automake
  1.11.X bug around noinst_PYTHON, Automake Bug #10995.
* Configuring fetchmail without SSL now triggers a configure warning, and
  asks the user to consider running configure --with-ssl.

# WORKAROUNDS
* Some servers, notably Zimbra, return A1234 987 FETCH () in response to a
  header request, in the face of message corruption. fetchmail now treats
  these as temporary errors. Report and Patch by Mikulas Patocka, Red Hat.
* Some servers, notably Microsoft Exchange, return "A0009 OK FETCH
  completed." without any header in response to a header request for meeting
  reminder messages (with a "meeting.ics" attachment). fetchmail now treats
  these as transient errors. Report by John Connett, Patch by Sunil Shetye.

# TRANSLATION UPDATES
* [cs] Czech, by Petr Pisar
* [de] German
* [fr] French, by Frédéric Marchal
* [ja] Japanese, by Takeshi Hamasaki
* [pl] Polish, by Jakub Bogusz
* [sv] Swedish, by Göran Uddeborg --- NEW TRANSLATION - Thank you!
* [vi] Vietnamese, by Trần Ngọc Quân

To generate a diff of this commit:
cvs rdiff -u -r1.179 -r1.180 pkgsrc/mail/fetchmail/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/mail/fetchmail/PLIST
cvs rdiff -u -r1.46 -r1.47 pkgsrc/mail/fetchmail/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/mail/fetchmail/patches/patch-Makefile.in
cvs rdiff -u -r1.1 -r0 pkgsrc/mail/fetchmail/patches/patch-ntlmsubr.c
cvs rdiff -u -r1.84 -r1.85 pkgsrc/mail/fetchmailconf/Makefile

To generate a diff of this commit:
cvs rdiff -u -r1.178 -r1.178.2.1 pkgsrc/mail/fetchmail/Makefile
cvs rdiff -u -r1.13 -r1.13.26.1 pkgsrc/mail/fetchmail/PLIST
cvs rdiff -u -r1.46 -r1.46.2.1 pkgsrc/mail/fetchmail/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/mail/fetchmail/patches/patch-Makefile.in
cvs rdiff -u -r1.1 -r0 pkgsrc/mail/fetchmail/patches/patch-ntlmsubr.c
cvs rdiff -u -r1.83 -r1.83.2.1 pkgsrc/mail/fetchmailconf/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
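
The CVE-2012-3482 fix described in the log message above (detect base64 decoding errors, validate the NTLM challenge, abort on error), shown as an added example; this is not fetchmail's or pkgsrc's code. Function names are hypothetical, field offsets follow the published NTLM Type 2 message layout, and the target-name bounds check is an assumption about what challenge validation should cover.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, names hypothetical. Strict base64: any foreign character,
 * misplaced '=' or output overflow returns -1 instead of a partial decode. */
long b64_decode_strict(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(in), o = 0, pad = 0;
    uint32_t acc = 0;
    if (n == 0 || n % 4) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *p = strchr(tbl, in[i]);
        if (in[i] == '=' && i + 2 >= n) { pad++; p = tbl; } /* pad only in last 2 */
        else if (!p || pad) return -1;
        acc = acc << 6 | (uint32_t)(p - tbl);
        if (i % 4 != 3) continue;                  /* flush once per 4 characters */
        if (o + 3 - pad > cap) return -1;
        for (size_t k = 0; k < 3 - pad; k++) out[o++] = (uint8_t)(acc >> (16 - 8 * k));
    }
    return (long)o;
}

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* 0 if m is a well-formed NTLM Type 2 (challenge) message, negative otherwise. */
int ntlm_challenge_valid(const uint8_t *m, size_t len) {
    if (len < 32) return -1;                      /* fixed header + 8-byte nonce */
    if (memcmp(m, "NTLMSSP", 8) != 0) return -2;  /* signature, NUL included */
    if (le32(m + 8) != 2) return -3;              /* message type must be 2 */
    uint32_t tlen = m[12] | m[13] << 8, toff = le32(m + 16);
    if (tlen && (toff < 32 || toff > len || tlen > len - toff)) return -4;
    return 0;
}

/* Decode one server line and validate it; the caller aborts NTLM on nonzero. */
int ntlm_accept(const char *line, uint8_t *msg, size_t cap, size_t *len) {
    long n = b64_decode_strict(line, msg, cap);
    if (n < 0) return -10;                        /* e.g. a plain-text error line */
    *len = (size_t)n;
    return ntlm_challenge_valid(msg, *len);
}

/* Constructed sample: 32-byte Type 2 message with an empty target name. */
static const char SAMPLE_OK[] = "TlRMTVNTUAACAAAAAAAAAAAAAAAAAAAAASNFZ4mrze8=";
int main(void) {
    uint8_t msg[64]; size_t len = 0;
    printf("challenge:  %d\n", ntlm_accept(SAMPLE_OK, msg, sizeof msg, &len));
    printf("error text: %d\n", ntlm_accept("NO NTLM auth failed.", msg, sizeof msg, &len));
    return 0;
}
```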