Sun Oct 17 16:41:33 2021 UTC
Pullup ticket #6521 - requested by nia
mail/alpine: security fix

Revisions pulled up:
- mail/alpine/Makefile                                          1.48
- mail/alpine/distinfo                                          1.27
- mail/alpine/patches/patch-imap_src_mtest_mtest.c              deleted

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Sun Oct 17 09:49:10 UTC 2021

   Modified Files:
   	pkgsrc/mail/alpine: Makefile distinfo
   Removed Files:
   	pkgsrc/mail/alpine/patches: patch-imap_src_mtest_mtest.c

   Log Message:
   alpine: Update to 2.25.

   pkgsrc changes and notes:

   - According to the release notes, this fixes CVE-2021-38370 by
     Damian Poddebniak.
   - I have added the maildir patch, as FreeBSD does, because it seems
     useful.
   - I have removed the non-trivial patch for OpenBSD, because going by
     OpenBSD's ports repository it's no longer necessary at all.

      Version 2.25 includes several new features and bug fixes.

      Additions include:
        * Unix Alpine: New configuration variable ssl-ciphers that allows users
          to list the ciphers to use when connecting to a SSL server. Based on a
          collaboration with Professor Martin Trusler.
        * New hidden feature enable-delete-before-writing to add support for
          terminals that need lines to be deleted before being written. Based on
          a collaboration with Professor Martin Trusler.
        * Experimental: The instruction to remove the double quotes from the
          processing of customized headers existed in pine, but it was removed
          in alpine. Restoring old Alpine behavior. See this
        * Add the capability to record http debug. This is necessary to debug
          XOAUTH2 authentication, and records sensitive login information. Do
          not share your debug file if you use this form of debug.
        * Remove the ability to choose between the device and authorize methods
          to login to outlook, since the original client-id can only be used for
          the device method. One needs a special client-id and client-secret to
          use the authorize method in Outlook.
        * PC-Alpine only: Some service providers produce access tokens that are
          too long to save in the Windows Credentials, so the access tokens will
          be split and saved as several pieces. This means that old versions of
          Alpine will NOT be able to use saved passwords once this new version
          of Alpine is used.
        * PC-Alpine: Debug files used to be created with extension .txt1, .txt2,
          etc. Rename those files so that they have extension .txt.
        * Always follow **suppress-asterisks-in-password-prompt** setting in
          the various password prompts. Submitted by Étienne Deparis.
        * Use 'alpine -F' instead of 'pine -F' as the browser default pager.
          Submitted by Étienne Deparis.
        * Introduction of OTHER CMDS menu for the browser/pilot to let people
          discover the two new commands: "1" is a toggle that switches between 1
          column and multicolumn mode. The "." command toggles between hiding or
          showing hidden files, and the "G" command to travel between
          directories. Contributed by Étienne Deparis.
        * Add option -xoauth2-flow to the command line, so that users can
          specify the parameters to set up an xoauth2 connection through the
          command line.
        * Alpine deletes, from its internal memory and external cache, passwords
          that do not work, even if they were saved by the user.
        * New format for saving passwords in the windows credential manager for
          PC-Alpine. Upon starting this new version of Alpine the passwords
          saved in the credential manager are converted to the new format and
          they will not be recognized by old versions of Alpine, but only by
          this and newer versions of Alpine.
        * Enabled encryption protocols in PC-Alpine are based on those enabled
          in the system, unless one is specified directly.

      Bugs that have been addressed include:
        * The c-client library parses information from an IMAP server during
          non-authenticated state which could lead to denial of service.
          Reported by Damian Poddebniak from Münster University of Applied
          Sciences.
        * Memory corruption when alpine searches for a string that is an
          incomplete utf8 string in a local folder. This could happen by
          chopping a string to make it fit a buffer without regard to its
          content. We fix the string so that chopping it does not damage it.
          Reported by Andrew.
        * Crash in the ntlm authenticator when the user name does not include a
          domain. Reported and fixed by Anders Skargren.
        * When forwarding a message, replacing an attachment might make Alpine
          re-attach the original attachment. Reported by Michael Traxler.
        * When an attachment is deleted, the saved message with the deleted
          attachment contains extra null characters after the end of the
          attachment boundary.
        * Tcp and http debug information is not printed unless the default debug
          level is set to 1. Print this if requested, regardless of what the
          default debug level is.
        * When trying to select a folder for saving a message, one can only
          enter a subfolder by pressing the ">" command, rather than the normal
          navigation by pressing "Return". Reported by Ulf-Dietrich Braunmann.
        * Crash when attempting to remove a configuration for a XOAUTH2 server
          that has no usernames configured.
        * Crash caused by saving (and resaving) XOAUTH2 refresh and access
          tokens in PC-Alpine. Reported by Karl Lindauer.


(tm)
diff -r1.47 -r1.47.8.1 pkgsrc/mail/alpine/Makefile
diff -r1.25 -r1.25.8.1 pkgsrc/mail/alpine/distinfo
diff -r1.3 -r0 pkgsrc/mail/alpine/patches/patch-imap_src_mtest_mtest.c

cvs diff -r1.47 -r1.47.8.1 pkgsrc/mail/alpine/Makefile

--- pkgsrc/mail/alpine/Makefile 2020/11/23 16:36:03 1.47
+++ pkgsrc/mail/alpine/Makefile 2021/10/17 16:41:33 1.47.8.1
@@ -1,38 +1,44 @@ @@ -1,38 +1,44 @@
1# $NetBSD: Makefile,v 1.47 2020/11/23 16:36:03 bsiegert Exp $ 1# $NetBSD: Makefile,v 1.47.8.1 2021/10/17 16:41:33 tm Exp $
2 2
3DISTNAME= alpine-2.24 3DISTNAME= alpine-2.25
4CATEGORIES= mail 4CATEGORIES= mail
5MASTER_SITES= http://alpine.x10host.com/alpine/release/src/ 5MASTER_SITES= http://alpine.x10host.com/alpine/release/src/
 6DIST_SUBDIR= ${DISTNAME}
6EXTRACT_SUFX= .tar.xz 7EXTRACT_SUFX= .tar.xz
7 8
 9PATCH_SITES= https://alpine.x10host.com/alpine/patches/alpine-${PKGVERSION_NOREV}/
 10PATCHFILES+= maildir.patch.gz
 11PATCH_DIST_STRIP= -p1
 12
8MAINTAINER= pkgsrc-users@NetBSD.org 13MAINTAINER= pkgsrc-users@NetBSD.org
9#HOMEPAGE= http://patches.freeiz.com/alpine/release/ 14HOMEPAGE= http://alpine.x10host.com/index.html
10COMMENT= Program for Internet News and E-mail 15COMMENT= Program for Internet News and E-mail
11LICENSE= apache-2.0 16LICENSE= apache-2.0
12 17
13GNU_CONFIGURE= yes 18GNU_CONFIGURE= yes
 19USE_TOOLS+= msgfmt msgmerge xgettext
 20USE_LIBTOOL= yes
 21
14CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE} 22CONFIGURE_ARGS+= --with-ssl-dir=${SSLBASE}
15CONFIGURE_ARGS+= --with-ssl-certs-dir=${SSLCERTS:Q} 23CONFIGURE_ARGS+= --with-ssl-certs-dir=${SSLCERTS:Q}
16CONFIGURE_ARGS+= --with-ssl-include-dir=${SSLBASE}/include 24CONFIGURE_ARGS+= --with-ssl-include-dir=${SSLBASE}/include
17CONFIGURE_ARGS+= --with-ssl-lib-dir=${SSLBASE}/lib 25CONFIGURE_ARGS+= --with-ssl-lib-dir=${SSLBASE}/lib
18CONFIGURE_ARGS+= --with-system-pinerc=${PKG_SYSCONFDIR}/pine.conf 26CONFIGURE_ARGS+= --with-system-pinerc=${PKG_SYSCONFDIR}/pine.conf
19CONFIGURE_ARGS+= --with-system-fixed-pinerc=${PKG_SYSCONFDIR}/pine.conf.fixed 27CONFIGURE_ARGS+= --with-system-fixed-pinerc=${PKG_SYSCONFDIR}/pine.conf.fixed
20CONFIGURE_ARGS+= --with-passfile=.pine-passfile 28CONFIGURE_ARGS+= --with-passfile=.pine-passfile
21# disabled, for Web Alpine Support 29# disabled, for Web Alpine Support
22CONFIGURE_ARGS+= --without-tcl 30CONFIGURE_ARGS+= --without-tcl
23 31
24USE_LIBTOOL= yes 
25 
26MAKE_JOBS_SAFE= no 32MAKE_JOBS_SAFE= no
27INSTALLATION_DIRS= bin ${PKGMANDIR}/man1 33INSTALLATION_DIRS= bin ${PKGMANDIR}/man1
28 34
29.include "../../mk/bsd.prefs.mk" 35.include "../../mk/bsd.prefs.mk"
30 36
31# mach/mach.h defines panic, differently. 37# mach/mach.h defines panic, differently.
32SUBST_CLASSES.Darwin+= panic 38SUBST_CLASSES.Darwin+= panic
33SUBST_STAGE.panic= pre-configure 39SUBST_STAGE.panic= pre-configure
34SUBST_MESSAGE.panic= Renaming the panic function 40SUBST_MESSAGE.panic= Renaming the panic function
35SUBST_FILES.panic= */*.c 41SUBST_FILES.panic= */*.c
36SUBST_FILES.panic+= pith/util.h 42SUBST_FILES.panic+= pith/util.h
37SUBST_SED.panic+= -e 's,panic(,Panic(,g' 43SUBST_SED.panic+= -e 's,panic(,Panic(,g'
38 44
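
Review bot: MASTER_SITES on new line 5 still fetches the source tarball over plain http://alpine.x10host.com/, while the PATCH_SITES added on new line 9 uses https:// for the same host, and the HOMEPAGE enabled on new line 14 is http as well. Suggest moving MASTER_SITES and HOMEPAGE to https so the tarball for a security update is not fetched in cleartext with the distinfo digest as the only check on it. Separately, PATCHFILES+= maildir.patch.gz on new line 10 brings a feature patch into a pullup that the ticket describes as a security fix; the pullup request should say why the stable branch needs it, since it widens the change beyond the CVE.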

cvs diff -r1.25 -r1.25.8.1 pkgsrc/mail/alpine/distinfo

--- pkgsrc/mail/alpine/distinfo 2020/11/23 16:36:03 1.25
+++ pkgsrc/mail/alpine/distinfo 2021/10/17 16:41:33 1.25.8.1
@@ -1,10 +1,13 @@ @@ -1,10 +1,13 @@
1$NetBSD: distinfo,v 1.25 2020/11/23 16:36:03 bsiegert Exp $ 1$NetBSD: distinfo,v 1.25.8.1 2021/10/17 16:41:33 tm Exp $
2 2
3SHA1 (alpine-2.24.tar.xz) = 42f2936935699686276bc6ab9e510eff7376a3dd 3SHA1 (alpine-2.25/alpine-2.25.tar.xz) = 7f8ab772c1898284d0aa1825c3e18eee72547486
4RMD160 (alpine-2.24.tar.xz) = 1612ff9edfdd66a0ef145f338fa9db26177360e0 4RMD160 (alpine-2.25/alpine-2.25.tar.xz) = 3035891df0de21d15adc0b1665fcb4127b9b5ffd
5SHA512 (alpine-2.24.tar.xz) = 642a51f73732ebdf7c40e2b66370aa2f48fb13b349b477871b26295c3e8b860a0cc78dec9f80efc6ea74c548a080ceff04181eb18c35a9c8cae8d8ef831178c5 5SHA512 (alpine-2.25/alpine-2.25.tar.xz) = 76c214cf66f4ac7af3de40357ad3a592ff2a119e327e5f6c256125b7865d46b09197435fe6ac8077ab7a498e4821925939f3f902431ca77baa786e149466a193
6Size (alpine-2.24.tar.xz) = 7341676 bytes 6Size (alpine-2.25/alpine-2.25.tar.xz) = 7495372 bytes
 7SHA1 (alpine-2.25/maildir.patch.gz) = d7709751b57bc8f0cf7212452c61e82e715744a4
 8RMD160 (alpine-2.25/maildir.patch.gz) = 5c402d391c399763fcf5714cfa7cca7cfbd65964
 9SHA512 (alpine-2.25/maildir.patch.gz) = eea454796cab4e96b83869e880fe17d20799bf3a606712367f42deb0f3870b30f620fc77c307e40303ffc8492e828bb7772965b21614b2c27d4fc972f18ff346
 10Size (alpine-2.25/maildir.patch.gz) = 34758 bytes
7SHA1 (patch-imap_src_c-client_auth_gss.c) = e6da9ee9dbe0751872d1400237a030112eaa56c6 11SHA1 (patch-imap_src_c-client_auth_gss.c) = e6da9ee9dbe0751872d1400237a030112eaa56c6
8SHA1 (patch-imap_src_mtest_mtest.c) = 8c5282047e165fee4b6fe74c230e41d63d3cdc69 
9SHA1 (patch-imap_src_osdep_unix_Makefile.gss) = ca09bc26a139c68afe8ac1f99be54bd1fc0e77f0 12SHA1 (patch-imap_src_osdep_unix_Makefile.gss) = ca09bc26a139c68afe8ac1f99be54bd1fc0e77f0
10SHA1 (patch-imap_src_osdep_unix_kerb_mit.c) = c77d5ee1e8aee30811c2df0562caa375ed270c0e 13SHA1 (patch-imap_src_osdep_unix_kerb_mit.c) = c77d5ee1e8aee30811c2df0562caa375ed270c0e
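
Review bot: New rows 3 to 6 and 7 to 10 pin two fetched artifacts, and because MASTER_SITES in the Makefile is still http, these digests are the only integrity check on alpine-2.25.tar.xz. Please confirm the SHA512 values were compared against a digest obtained independently of the download, not only regenerated from the fetched files. The removal of old row 8 (patch-imap_src_mtest_mtest.c) matches the deleted patch file, and the alpine-2.25/ prefix on the new rows matches the DIST_SUBDIR added in the Makefile, so the rest of the hunk is consistent.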

File Deleted: pkgsrc/mail/alpine/patches/Attic/patch-imap_src_mtest_mtest.c