diff --git a/.fetchmail.metadata b/.fetchmail.metadata new file mode 100644 index 0000000..e85d079 --- /dev/null +++ b/.fetchmail.metadata @@ -0,0 +1 @@ +8cb2aa3a85dd307ccd1899ddbb4463e011048535 SOURCES/fetchmail-6.3.24.tar.xz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4b58d35 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/fetchmail-6.3.24.tar.xz diff --git a/SOURCES/fetchmail-6.3.24-data-loss.patch b/SOURCES/fetchmail-6.3.24-data-loss.patch new file mode 100644 index 0000000..a65cfd0 --- /dev/null +++ b/SOURCES/fetchmail-6.3.24-data-loss.patch @@ -0,0 +1,128 @@ +From 21ac960a3e648cd53c155bd2b724f72f0164416f Mon Sep 17 00:00:00 2001 +From: Matthias Andree +Date: Fri, 17 Jun 2011 03:11:39 +0200 +Subject: [PATCH] Fix mimedecode last-line omission. + +The mimedecode feature failed to ship the last line of the body if it +was encoded as quoted-printable and had a MIME soft line break in the +very last line. Reported by Lars Hecking in June 2011. + +Bug introduced on 1998-03-20 when the mimedecode support was added by +ESR before release 4.4.1 through code contributed by Henrik Storner, +in driver.c. + +Workaround for older releases: do not use mimedecode feature. +--- + NEWS | 8 ++++++++ + transact.c | 59 +++++++++++++++++++++++++++++++++++++++++++++-------------- + 2 files changed, 53 insertions(+), 14 deletions(-) + +diff --git a/NEWS b/NEWS +index 26709e4..ac9bc42 100644 +--- a/NEWS ++++ b/NEWS +@@ -156,6 +156,14 @@ fetchmail-6.3.23 (released 2012-12-10, 26106 LoC): + * Clean up logfile vs. syslog handling, and in case logfile overrides + syslog, send a message to the latter stating where logging goes. + ++# BUG FIXES ++* The mimedecode feature failed to ship the last line of the body if it was ++ encoded as quoted-printable and had a MIME soft line break in the very last ++ line. Reported by Lars Hecking in June 2011. ++ Bug introduced on 1998-03-20 when the mimedecode support was added by ESR ++ before release 4.4.1 through code contributed by Henrik Storner. ++ Workaround for older releases: do not use mimedecode feature. ++ + # CHANGES + * The build process can now be made a bit more silent and concise through + ./configure --enable-silent-rules, or by adding "V=0" to the make command. +diff --git a/transact.c b/transact.c +index ec8013a..5449e56 100644 +--- a/transact.c ++++ b/transact.c +@@ -1383,6 +1383,28 @@ process_headers: + return PS_SOCKET; + } + ++/** Convenience function factored out from readbody(): ++ * send buffer \a buf via stuffline() and handle errors and progress. ++ * Store return value in \a *n, and return PS_IOERR for failure or ++ * PS_SUCCESS otherwise. */ ++static int rb_send(struct query *ctl, char *buf, int *n) ++{ ++ *n = stuffline(ctl, buf); ++ ++ if (*n < 0) ++ { ++ report(stdout, GT_("error writing message text\n")); ++ release_sink(ctl); ++ return(PS_IOERR); ++ } ++ else if (want_progress()) ++ { ++ fputc('*', stdout); ++ fflush(stdout); ++ } ++ return PS_SUCCESS; ++} ++ + int readbody(int sock, struct query *ctl, flag forward, int len) + /** read and dispose of a message body presented on \a sock */ + /** \param ctl query control record */ +@@ -1478,7 +1500,7 @@ int readbody(int sock, struct query *ctl, flag forward, int len) + /* ship out the text line */ + if (forward && (!issoftline)) + { +- int n; ++ int n, err; + inbufp = buf; + + /* guard against very long lines */ +@@ -1486,22 +1508,31 @@ int readbody(int sock, struct query *ctl, flag forward, int len) + buf[MSGBUFSIZE+2] = '\n'; + buf[MSGBUFSIZE+3] = '\0'; + +- n = stuffline(ctl, buf); +- +- if (n < 0) +- { +- report(stdout, GT_("error writing message text\n")); +- release_sink(ctl); +- return(PS_IOERR); +- } +- else if (want_progress()) +- { +- fputc('*', stdout); +- fflush(stdout); +- } ++ err = rb_send(ctl, buf, &n); ++ if (err != PS_SUCCESS) ++ return err; + } + } + ++ /* Flush buffer -- bug introduced by ESR on 1998-03-20 before ++ * release 4.4.1 when ESR did not sufficiently audit Henrik ++ * Storner's patch. ++ * Trouble reported in June 2011 by Lars Hecking, with ++ * text/html quoted-printable messages generated by ++ * Outlook/Exchange that got mutilated by fetchmail. ++ */ ++ if (forward && issoftline) ++ { ++ int n; ++ ++ /* force proper line termination */ ++ inbufp[0] = '\r'; ++ inbufp[1] = '\n'; ++ inbufp[2] = '\0'; ++ ++ return rb_send(ctl, buf, &n); ++ } ++ + return(PS_SUCCESS); + } + +-- +1.7.1 + diff --git a/SOURCES/fetchmail-6.3.24-options-usage-manpage.patch b/SOURCES/fetchmail-6.3.24-options-usage-manpage.patch new file mode 100644 index 0000000..58c417d --- /dev/null +++ b/SOURCES/fetchmail-6.3.24-options-usage-manpage.patch @@ -0,0 +1,94 @@ +diff -up fetchmail-6.3.24/fetchmail.man.orig fetchmail-6.3.24/fetchmail.man +--- fetchmail-6.3.24/fetchmail.man.orig 2017-03-08 08:51:31.779370558 +0100 ++++ fetchmail-6.3.24/fetchmail.man 2017-03-08 08:53:46.768055793 +0100 +@@ -164,6 +164,9 @@ Some special options are not covered her + in sections on AUTHENTICATION and DAEMON MODE which follow. + .SS General Options + .TP ++.B \-? | \-\-help ++Displays option help. ++.TP + .B \-V | \-\-version + Displays the version information for your copy of \fBfetchmail\fP. No mail + fetch is performed. Instead, for each server specified, all the option +@@ -1061,7 +1064,7 @@ sent to 'username\&@\&userhost.userdom.d + \fIDelivered\-To:\fR line of the form: + .IP + Delivered\-To: mbox\-userstr\-username\&@\&userhost.example.com +-.PP ++.IP + The ISP can make the 'mbox\-userstr\-' prefix anything they choose + but a string matching the user host name is likely. + By using the option 'envelope Delivered\-To:' you can make fetchmail reliably +@@ -1075,6 +1078,10 @@ specified, and dump a configuration repo + configuration report is a data structure assignment in the language + Python. This option is meant to be used with an interactive + \fI~/.fetchmailrc\fP editor like \fBfetchmailconf\fP, written in Python. ++.TP ++.B \-y | \-\-yydebug ++Enables parser debugging, this option is meant to be used by developers ++only. + + .SS Removed Options + .TP +@@ -1360,6 +1367,8 @@ authentication or multiple timeouts. + .SS Terminating the background daemon + .PP + The option ++.B \-q ++or + .B \-\-quit + will kill a running daemon process instead of waking it up (if there + is no such process, \fBfetchmail\fP will notify you). +@@ -1914,7 +1923,7 @@ T} + mda \-m \& T{ + Specify MDA for local delivery + T} +-bsmtp \-o \& T{ ++bsmtp \& \& T{ + Specify BSMTP batch file to append to + T} + preconnect \& \& T{ +diff -up fetchmail-6.3.24/options.c.orig fetchmail-6.3.24/options.c +--- fetchmail-6.3.24/options.c.orig 2012-12-13 22:12:26.000000000 +0100 ++++ fetchmail-6.3.24/options.c 2017-03-08 08:53:46.769055797 +0100 +@@ -58,9 +58,9 @@ enum { + LA_BADHEADER + }; + +-/* options still left: CgGhHjJoORTWxXYz */ ++/* options still left: ACgGhHjJoORTWxXYz */ + static const char *shortoptions = +- "?Vcsvd:NqL:f:i:p:UP:A:t:E:Q:u:akKFnl:r:S:Z:b:B:e:m:I:M:yw:D:"; ++ "?Vcsvd:NqL:f:i:p:UP:t:E:Q:u:akKFnl:r:S:Z:b:B:e:m:I:M:yw:D:"; + + static const struct option longoptions[] = { + /* this can be const because all flag fields are 0 and will never get set */ +@@ -630,6 +630,7 @@ int parsecmdline (int argc /** argument + P(GT_(" -q, --quit kill daemon process\n")); + P(GT_(" -L, --logfile specify logfile name\n")); + P(GT_(" --syslog use syslog(3) for most messages when running as a daemon\n")); ++ P(GT_(" --nosyslog turns off use of syslog(3)\n")); + P(GT_(" --invisible don't write Received & enable host spoofing\n")); + P(GT_(" -f, --fetchmailrc specify alternate run control file\n")); + P(GT_(" -i, --idfile specify alternate UIDs file\n")); +@@ -658,8 +659,9 @@ int parsecmdline (int argc /** argument + P(GT_(" --bad-header {reject|accept}\n" + " specify policy for handling messages with bad headers\n")); + +- P(GT_(" -p, --protocol specify retrieval protocol (see man page)\n")); ++ P(GT_(" -p, --proto[col] specify retrieval protocol (see man page)\n")); + P(GT_(" -U, --uidl force the use of UIDLs (pop3 only)\n")); ++ P(GT_(" --idle tells the IMAP server to send notice of new messages\n")); + P(GT_(" --port TCP port to connect to (obsolete, use --service)\n")); + P(GT_(" -P, --service TCP service to connect to (can be numeric TCP port)\n")); + P(GT_(" --auth authentication type (password/kerberos/ssh/otp)\n")); +@@ -669,7 +671,7 @@ int parsecmdline (int argc /** argument + P(GT_(" --principal mail service principal\n")); + P(GT_(" --tracepolls add poll-tracing information to Received header\n")); + +- P(GT_(" -u, --username specify users's login on server\n")); ++ P(GT_(" -u, --user[name] specify users's login on server\n")); + P(GT_(" -a, --[fetch]all retrieve old and new messages\n")); + P(GT_(" -K, --nokeep delete new messages after retrieval\n")); + P(GT_(" -k, --keep save new messages after retrieval\n")); diff --git a/SOURCES/fetchmail-6.3.24-ssl-backport.patch b/SOURCES/fetchmail-6.3.24-ssl-backport.patch new file mode 100644 index 0000000..c157d88 --- /dev/null +++ b/SOURCES/fetchmail-6.3.24-ssl-backport.patch @@ -0,0 +1,748 @@ +diff -up fetchmail-6.3.24/configure.ac.orig fetchmail-6.3.24/configure.ac +--- fetchmail-6.3.24/configure.ac.orig 2012-12-23 16:40:43.000000000 +0100 ++++ fetchmail-6.3.24/configure.ac 2017-03-07 12:35:18.961038361 +0100 +@@ -803,6 +803,7 @@ fi + + case "$LIBS" in *-lssl*) + AC_CHECK_DECLS([SSLv2_client_method],,,[#include ]) ++ AC_CHECK_DECLS([SSLv3_client_method],,,[#include ]) + ;; + esac + +diff -up fetchmail-6.3.24/fetchmail.c.orig fetchmail-6.3.24/fetchmail.c +--- fetchmail-6.3.24/fetchmail.c.orig 2012-12-14 00:56:41.000000000 +0100 ++++ fetchmail-6.3.24/fetchmail.c 2017-03-07 12:35:18.962038368 +0100 +@@ -263,6 +263,12 @@ int main(int argc, char **argv) + #ifdef SSL_ENABLE + "+SSL" + #endif ++#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 == 0 ++ "-SSLv2" ++#endif ++#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0 ++ "-SSLv3" ++#endif + #ifdef OPIE_ENABLE + "+OPIE" + #endif /* OPIE_ENABLE */ +diff -up fetchmail-6.3.24/fetchmail.h.orig fetchmail-6.3.24/fetchmail.h +--- fetchmail-6.3.24/fetchmail.h.orig 2012-12-14 00:56:41.000000000 +0100 ++++ fetchmail-6.3.24/fetchmail.h 2017-03-07 12:35:18.962038368 +0100 +@@ -771,9 +771,9 @@ int servport(const char *service); + int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res); + void fm_freeaddrinfo(struct addrinfo *ai); + +-/* prototypes from tls.c */ +-int maybe_tls(struct query *ctl); +-int must_tls(struct query *ctl); ++/* prototypes from starttls.c */ ++int maybe_starttls(struct query *ctl); ++int must_starttls(struct query *ctl); + + /* prototype from rfc822valid.c */ + int rfc822_valid_msgid(const unsigned char *); +diff -up fetchmail-6.3.24/fetchmail.man.orig fetchmail-6.3.24/fetchmail.man +--- fetchmail-6.3.24/fetchmail.man.orig 2012-12-13 22:50:38.000000000 +0100 ++++ fetchmail-6.3.24/fetchmail.man 2017-03-07 12:35:18.968038409 +0100 +@@ -412,23 +412,22 @@ from. The folder information is written + .B \-\-ssl + (Keyword: ssl) + .br +-Causes the connection to the mail server to be encrypted +-via SSL. Connect to the server using the specified base protocol over a +-connection secured by SSL. This option defeats opportunistic starttls +-negotiation. It is highly recommended to use \-\-sslproto 'SSL3' +-\-\-sslcertck to validate the certificates presented by the server and +-defeat the obsolete SSLv2 negotiation. More information is available in +-the \fIREADME.SSL\fP file that ships with fetchmail. +-.IP +-Note that fetchmail may still try to negotiate SSL through starttls even +-if this option is omitted. You can use the \-\-sslproto option to defeat +-this behavior or tell fetchmail to negotiate a particular SSL protocol. ++Causes the connection to the mail server to be encrypted via SSL, by ++negotiating SSL directly after connecting (SSL-wrapped mode). It is ++highly recommended to use \-\-sslcertck to validate the certificates ++presented by the server. Please see the description of \-\-sslproto ++below! More information is available in the \fIREADME.SSL\fP file that ++ships with fetchmail. ++.IP ++Note that even if this option is omitted, fetchmail may still negotiate ++SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You ++can use the \-\-sslproto option to modify that behavior. + .IP + If no port is specified, the connection is attempted to the well known + port of the SSL version of the base protocol. This is generally a + different port than the port used by the base protocol. For IMAP, this + is port 143 for the clear protocol and port 993 for the SSL secured +-protocol, for POP3, it is port 110 for the clear text and port 995 for ++protocol; for POP3, it is port 110 for the clear text and port 995 for + the encrypted variant. + .IP + If your system lacks the corresponding entries from /etc/services, see +@@ -470,39 +469,77 @@ cause some complications in daemon mode. + .IP + Also see \-\-sslcert above. + .TP +-.B \-\-sslproto ++.B \-\-sslproto + (Keyword: sslproto) + .br +-Forces an SSL/TLS protocol. Possible values are \fB''\fP, +-\&'\fBSSL2\fP' (not supported on all systems), +-\&'\fBSSL23\fP', (use of these two values is discouraged +-and should only be used as a last resort) \&'\fBSSL3\fP', and +-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for +-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will +-opportunistically try STARTTLS negotiation with TLS1. You can configure +-this option explicitly if the default handshake (TLS1 if \-\-ssl is not +-used) does not work for your server. +-.IP +-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS +-connection. In this mode, it is highly recommended to also use +-\-\-sslcertck (see below). Note that this will then cause fetchmail +-v6.3.19 to force STARTTLS negotiation even if it is not advertised by +-the server. +-.IP +-To defeat opportunistic TLSv1 negotiation when the server advertises +-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This +-option, even if the argument is the empty string, will also suppress the +-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose +-mode. The default is to try appropriate protocols depending on context. ++This option has a dual use, out of historic fetchmail behaviour. It ++controls both the SSL/TLS protocol version and, if \-\-ssl is not ++specified, the STARTTLS behaviour (upgrading the protocol to an SSL or ++TLS connection in-band). Some other options may however make TLS ++mandatory. ++.PP ++Only if this option and \-\-ssl are both missing for a poll, there will ++be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to ++upgrade to TLSv1 or newer. ++.PP ++Recognized values for \-\-sslproto are given below. You should normally ++chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of ++the options ending in a plus (\fB+\fP) character. Note that depending ++on OpenSSL library version and configuration, some options cause ++run-time errors because the requested SSL or TLS versions are not ++supported by the particular installed OpenSSL library. ++.RS ++.IP "\fB''\fP, the empty string" ++Disable STARTTLS. If \-\-ssl is given for the same server, log an error ++and pretend that '\fBauto\fP' had been used instead. ++.IP '\fBauto\fP' ++(default). Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade. ++(previous releases of fetchmail have auto-negotiated all protocols that ++their OpenSSL library supported, including the broken SSLv3). ++.IP "\&'\fBSSL23\fP' ++see '\fBauto\fP'. ++.IP \&'\fBSSL2\fP' ++Require SSLv2 exactly. SSLv2 is broken, not supported on all systems, avoid it ++if possible. This will make fetchmail negotiate SSLv2 only, and is the ++only way to have fetchmail permit SSLv2. ++.IP \&'\fBSSL3\fP' ++Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it ++if possible. This will make fetchmail negotiate SSLv3 only, and is the ++only way besides '\fBSSL3+\fP' to have fetchmail permit SSLv3. ++.IP \&'\fBSSL3+\fP' ++same as '\fBauto\fP', but permit SSLv3 as well. This is the only way ++besides '\fBSSL3\fP' to have fetchmail permit SSLv3. ++.IP \&'\fBTLS1\fP' ++Require TLSv1. This does not negotiate TLSv1.1 or newer, and is ++discouraged. Replace by TLS1+ unless the latter chokes your server. ++.IP \&'\fBTLS1+\fP' ++See '\fBauto\fP'. ++.IP \&'\fBTLS1.1\fP' ++Require TLS v1.1 exactly. ++.IP \&'\fBTLS1.1+\fP' ++Require TLS. Auto-negotiate TLSv1.1 or newer. ++.IP \&'\fBTLS1.2\fP' ++Require TLS v1.2 exactly. ++.IP '\fBTLS1.2+\fP' ++Require TLS. Auto-negotiate TLSv1.2 or newer. ++.IP "Unrecognized parameters" ++are treated the same as '\fBauto\fP'. ++.RE ++.IP ++NOTE: you should hardly ever need to use anything other than '' (to ++force an unencrypted connection) or 'auto' (to enforce TLS). + .TP + .B \-\-sslcertck + (Keyword: sslcertck) + .br +-Causes fetchmail to strictly check the server certificate against a set of +-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP +-options). If the server certificate cannot be obtained or is not signed by one +-of the trusted ones (directly or indirectly), the SSL connection will fail, +-regardless of the \fBsslfingerprint\fP option. ++Causes fetchmail to require that SSL/TLS be used and disconnect if it ++can not successfully negotiate SSL or TLS, or if it cannot successfully ++verify and validate the certificate and follow it to a trust anchor (or ++trusted root certificate). The trust anchors are given as a set of local ++trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP ++options). If the server certificate cannot be obtained or is not signed ++by one of the trusted ones (directly or indirectly), fetchmail will ++disconnect, regardless of the \fBsslfingerprint\fP option. + .IP + Note that CRL (certificate revocation lists) are only supported in + OpenSSL 0.9.7 and newer! Your system clock should also be reasonably +@@ -1202,31 +1239,33 @@ capability response. Specify a user opti + username and the part to the right as the NTLM domain. + + .SS Secure Socket Layers (SSL) and Transport Layer Security (TLS) ++.PP All retrieval protocols can use SSL or TLS wrapping for the ++transport. Additionally, POP3 and IMAP retrival can also negotiate ++SSL/TLS by means of STARTTLS (or STLS). + .PP + Note that fetchmail currently uses the OpenSSL library, which is + severely underdocumented, so failures may occur just because the + programmers are not aware of OpenSSL's requirement of the day. + For instance, since v6.3.16, fetchmail calls + OpenSSL_add_all_algorithms(), which is necessary to support certificates +-with SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the +-documentation and not at all obvious. Please do not hesitate to report +-subtle SSL failures. +-.PP +-You can access SSL encrypted services by specifying the \-\-ssl option. +-You can also do this using the "ssl" user option in the .fetchmailrc +-file. With SSL encryption enabled, queries are initiated over a +-connection after negotiating an SSL session, and the connection fails if +-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have ++using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in ++the documentation and not at all obvious. Please do not hesitate to ++report subtle SSL failures. ++.PP ++You can access SSL encrypted services by specifying the options starting ++with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others. ++You can also do this using the corresponding user options in the .fetchmailrc ++file. Some services, such as POP3 and IMAP, have + different well known ports defined for the SSL encrypted services. The + encrypted ports will be selected automatically when SSL is enabled and +-no explicit port is specified. The \-\-sslproto 'SSL3' option should be +-used to select the SSLv3 protocol (default if unset: v2 or v3). Also, +-the \-\-sslcertck command line or sslcertck run control file option +-should be used to force strict certificate checking - see below. ++no explicit port is specified. Also, the \-\-sslcertck command line or ++sslcertck run control file option should be used to force strict ++certificate checking - see below. + .PP + If SSL is not configured, fetchmail will usually opportunistically try to use +-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS +-connections use the same port as the unencrypted version of the ++STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and ++defeated by using \-\-sslproto\~''. ++TLS connections use the same port as the unencrypted version of the + protocol and negotiate TLS via special command. The \-\-sslcertck + command line or sslcertck run control file option should be used to + force strict certificate checking - see below. +diff -up fetchmail-6.3.24/imap.c.orig fetchmail-6.3.24/imap.c +--- fetchmail-6.3.24/imap.c.orig 2012-12-13 22:12:26.000000000 +0100 ++++ fetchmail-6.3.24/imap.c 2017-03-07 12:35:18.962038368 +0100 +@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct + /* apply for connection authorization */ + { + int ok = 0; ++ char *commonname; ++ + (void)greeting; + + /* +@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct + return(PS_SUCCESS); + } + +-#ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; +- +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- if (strstr(capabilities, "STARTTLS") +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++#ifdef SSL_ENABLE ++ if (maybe_starttls(ctl)) { ++ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl)) ++ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STARTTLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct + /* Usable. Proceed with authenticating insecurely. */ + } + } ++ } else { ++ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname); ++ } + } + #endif /* SSL_ENABLE */ + +diff -up fetchmail-6.3.24/Makefile.am.orig fetchmail-6.3.24/Makefile.am +--- fetchmail-6.3.24/Makefile.am.orig 2012-12-23 16:40:57.000000000 +0100 ++++ fetchmail-6.3.24/Makefile.am 2017-03-07 12:35:18.962038368 +0100 +@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8 + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c \ +- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \ ++ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \ + xmalloc.h sdump.h sdump.c x509_name_match.c \ + fm_strl.h md5c.c + if NTLM_ENABLE +diff -up fetchmail-6.3.24/Makefile.in.orig fetchmail-6.3.24/Makefile.in +--- fetchmail-6.3.24/Makefile.in.orig 2012-12-23 17:29:56.000000000 +0100 ++++ fetchmail-6.3.24/Makefile.in 2017-03-07 12:35:18.963038375 +0100 +@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas + rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c ntlmsubr.c + @NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT) + am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \ + rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \ + servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \ + smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \ +- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \ ++ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \ + sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \ + $(am__objects_1) + libfm_a_OBJECTS = $(am_libfm_a_OBJECTS) +@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc + servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \ + smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \ + libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \ +- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ ++ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \ + x509_name_match.c fm_strl.h md5c.c $(am__append_1) + libfm_a_LIBADD = $(EXTRAOBJ) + libfm_a_DEPENDENCIES = $(EXTRAOBJ) +diff -up fetchmail-6.3.24/NEWS.orig fetchmail-6.3.24/NEWS +--- fetchmail-6.3.24/NEWS.orig 2017-03-07 12:35:18.958038341 +0100 ++++ fetchmail-6.3.24/NEWS 2017-03-07 12:35:18.968038409 +0100 +@@ -56,6 +56,29 @@ removed from a 6.4.0 or newer release.) + + -------------------------------------------------------------------------------- + ++## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION ++* Fetchmail no longer attempts to negotiate SSLv3 by default, ++ even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer ++ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the ++ OpenSSL version used at build and run-time supports these versions, -sslproto ++ ssl3 can be used to enable this specific version. Doing so is discouraged ++ because these protocols are broken. ++ ++ Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843. ++ ++ While this change is supposed to be compatible with common configurations, ++ users are advised to change all explicit --sslproto ssl2, --sslproto ++ ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and ++ TLSv1.2 on systems with OpenSSL 1.0.1 or newer. ++ ++ The --sslproto option now understands the values auto, tls1+, tls1.1+, ++ tls1.2+ (case insensitively). ++ ++## CHANGES ++* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23). ++* --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a ++ minimum specified TLS protocol version. ++ + fetchmail-6.3.24 (released 2012-12-23, 26108 LoC): + + # NOTE THAT THE RELEASE OF FUTURE FETCHMAIL 6.3.X VERSIONS IS UNCLEAR. +diff -up fetchmail-6.3.24/pop3.c.orig fetchmail-6.3.24/pop3.c +--- fetchmail-6.3.24/pop3.c.orig 2012-12-13 22:50:38.000000000 +0100 ++++ fetchmail-6.3.24/pop3.c 2017-03-07 12:35:18.963038375 +0100 +@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct + #endif /* OPIE_ENABLE */ + #ifdef SSL_ENABLE + flag connection_may_have_tls_errors = FALSE; ++ char *commonname; + #endif /* SSL_ENABLE */ + + done_capa = FALSE; +@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct + (ctl->server.authenticate == A_KERBEROS_V5) || + (ctl->server.authenticate == A_OTP) || + (ctl->server.authenticate == A_CRAM_MD5) || +- maybe_tls(ctl)) ++ maybe_starttls(ctl)) + { + if ((ok = capa_probe(sock)) != PS_SUCCESS) + /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ +@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct + (ok == PS_SOCKET && !ctl->wehaveauthed)) + { + #ifdef SSL_ENABLE +- if (must_tls(ctl)) { ++ if (must_starttls(ctl)) { + /* fail with mandatory STLS without repoll */ + report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); + report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); + return ok; +- } else if (maybe_tls(ctl)) { ++ } else if (maybe_starttls(ctl)) { + /* defeat opportunistic STLS */ + xfree(ctl->sslproto); + ctl->sslproto = xstrdup(""); +@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct + } + + #ifdef SSL_ENABLE +- if (maybe_tls(ctl)) { +- char *commonname; ++ commonname = ctl->server.pollname; ++ if (ctl->server.via) ++ commonname = ctl->server.via; ++ if (ctl->sslcommonname) ++ commonname = ctl->sslcommonname; + +- commonname = ctl->server.pollname; +- if (ctl->server.via) +- commonname = ctl->server.via; +- if (ctl->sslcommonname) +- commonname = ctl->sslcommonname; +- +- if (has_stls +- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ ++ if (maybe_starttls(ctl)) { ++ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ + { +- /* Use "tls1" rather than ctl->sslproto because tls1 is the only +- * protocol that will work with STARTTLS. Don't need to worry +- * whether TLS is mandatory or opportunistic unless SSLOpen() fails +- * (see below). */ ++ /* Don't need to worry whether TLS is mandatory or ++ * opportunistic unless SSLOpen() fails (see below). */ + if (gen_transact(sock, "STLS") == PS_SUCCESS +- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, ++ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, + ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, + ctl->server.pollname, &ctl->remotename)) != -1) + { +@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct + { + report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); + } +- } else if (must_tls(ctl)) { ++ } else if (must_starttls(ctl)) { + /* Config required TLS but we couldn't guarantee it, so we must + * stop. */ + set_timeout(0); +@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct + } + } + } +- } /* maybe_tls() */ ++ } else { /* maybe_starttls() */ ++ if (has_stls && outlevel >= O_VERBOSE) { ++ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); ++ } ++ } /* maybe_starttls() */ + #endif /* SSL_ENABLE */ + + /* +diff -up fetchmail-6.3.24/README.SSL.orig fetchmail-6.3.24/README.SSL +--- fetchmail-6.3.24/README.SSL.orig 2011-08-16 13:24:53.000000000 +0200 ++++ fetchmail-6.3.24/README.SSL 2017-03-07 12:35:18.963038375 +0100 +@@ -11,36 +11,48 @@ specific to fetchmail. + In case of troubles, mail the README.SSL-SERVER file to your ISP and + have them check their server configuration against it. + +-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether +-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is +-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot +-be fixed in a bugfix release. ++Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a ++service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) ++or is totally SSL-wrapped on a separate port. For compatibility ++reasons, this cannot be fixed in a bugfix or minor release. + + -- Matthias Andree, 2009-05-09 + ++Also, fetchmail 6.4.0 and newer releases (this is also true for this release, ++as the changes were backported from upstream - noted by Red Hat) changed ++some of the semantics as the result of a bug-fix, and will auto-negotiate ++TLSv1 or newer only. If your server does not support this, you may have ++to specify --sslproto ssl3. This is in order to prefer the newer TLS ++protocols, because SSLv2 and v3 are broken. ++ ++ -- Matthias Andree, 2015-01-16 ++ + + Quickstart + ---------- + ++Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get ++TLSv1.2 support. ++ + For use of SSL or TLS with in-band negotiation on the regular service's port, + i. e. with STLS or STARTTLS, use these command line options + +- --sslproto tls1 --sslcertck ++ --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- sslproto tls1 sslcertck ++ sslproto auto sslcertck + + + For use of SSL or TLS on a separate port, if the whole TCP connection is +-SSL-encrypted from the very beginning, use these command line options (in the +-rcfile, omit all leading "--"): ++SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these ++command line options (in the rcfile, omit all leading "--"): + +- --ssl --sslproto ssl3 --sslcertck ++ --ssl --sslproto auto --sslcertck + + or these options in the rcfile (after the respective "user"... options) + +- ssl sslproto ssl3 sslcertck ++ ssl sslproto auto sslcertck + + + Background and use (long version :-)) +diff -up fetchmail-6.3.24/socket.c.orig fetchmail-6.3.24/socket.c +--- fetchmail-6.3.24/socket.c.orig 2012-12-13 23:32:29.000000000 +0100 ++++ fetchmail-6.3.24/socket.c 2017-03-07 12:41:24.558502332 +0100 +@@ -844,6 +844,9 @@ int SSLOpen(int sock, char *mycert, char + { + struct stat randstat; + int i; ++ /* disable SSLv2 and SSLv3 by default. SSLv2 can be enabled with '--sslproto ssl2'. ++ SSLv3 can be enabled with '--sslproto ssl3' or '--sslproto ssl3+' */ ++ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + long sslopts = SSL_OP_ALL; + + SSL_load_error_strings(); +@@ -873,28 +876,68 @@ int SSLOpen(int sock, char *mycert, char + + /* Make sure a connection referring to an older context is not left */ + _ssl_context[sock] = NULL; +- if(myproto) { +- if(!strcasecmp("ssl2",myproto)) { ++ if(myproto) { ++ if(!strcasecmp("ssl2",myproto)) { + #if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 +- _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); ++ _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); + #else +- report(stderr, GT_("Your operating system does not support SSLv2.\n")); +- return -1; ++ report(stderr, GT_("Your OpenSSL version does not support SSLv2.\n")); ++ return -1; + #endif +- } else if(!strcasecmp("ssl3",myproto)) { +- _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); +- } else if(!strcasecmp("tls1",myproto)) { +- _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); +- } else if (!strcasecmp("ssl23",myproto)) { +- myproto = NULL; +- } else { +- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); +- myproto = NULL; +- } +- } +- if(!myproto) { +- _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); +- } ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv2; ++ } else if(!strcasecmp("ssl3",myproto)) { ++#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0 ++ _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); ++#else ++ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); ++ return -1; ++#endif ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; ++ } else if(!strcasecmp("ssl3+",myproto)) { ++ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; ++ myproto = NULL; ++ } else if(!strcasecmp("tls1",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); ++ } else if(!strcasecmp("tls1+",myproto)) { ++ myproto = NULL; ++#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION ++ } else if(!strcasecmp("tls1.1",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); ++ } else if(!strcasecmp("tls1.1+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++#else ++ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); ++ return -1; ++#endif ++#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION ++ } else if(!strcasecmp("tls1.2",myproto)) { ++ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); ++ } else if(!strcasecmp("tls1.2+",myproto)) { ++ myproto = NULL; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1; ++ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; ++#else ++ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { ++ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); ++ return -1; ++#endif ++ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { ++ myproto = NULL; ++ } else { ++ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); ++ myproto = NULL; ++ } ++ } ++ // do not combine into an else { } as myproto may be nulled ++ // above! ++ if(!myproto) { ++ // SSLv23 is a misnomer and will in fact use the best ++ // available protocol, subject to SSL_OP_NO* ++ // constraints. ++ _ctx[sock] = SSL_CTX_new(SSLv23_client_method()); ++ } + if(_ctx[sock] == NULL) { + ERR_print_errors_fp(stderr); + return(-1); +@@ -906,7 +949,7 @@ int SSLOpen(int sock, char *mycert, char + sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + +- SSL_CTX_set_options(_ctx[sock], sslopts); ++ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); + + if (certck) { + SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); +@@ -985,6 +1028,24 @@ int SSLOpen(int sock, char *mycert, char + return(-1); + } + ++ if (outlevel >= O_VERBOSE) { ++ SSL_CIPHER const *sc; ++ int bitsmax, bitsused; ++ ++ const char *ver; ++ ++ ver = SSL_get_version(_ssl_context[sock]); ++ ++ sc = SSL_get_current_cipher(_ssl_context[sock]); ++ if (!sc) { ++ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n")); ++ } else { ++ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax); ++ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"), ++ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax); ++ } ++ } ++ + /* Paranoia: was the callback not called as we expected? */ + if (!_depth0ck) { + report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n")); +diff -up fetchmail-6.3.24/starttls.c.orig fetchmail-6.3.24/starttls.c +--- fetchmail-6.3.24/starttls.c.orig 2017-03-07 12:35:18.964038382 +0100 ++++ fetchmail-6.3.24/starttls.c 2017-03-07 12:35:18.964038382 +0100 +@@ -0,0 +1,37 @@ ++/** \file tls.c - collect common TLS functionality ++ * \author Matthias Andree ++ * \date 2006 ++ */ ++ ++#include "fetchmail.h" ++ ++#include ++ ++#ifdef HAVE_STRINGS_H ++#include ++#endif ++ ++/** return true if user allowed opportunistic STARTTLS/STLS */ ++int maybe_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ /* opportunistic or forced TLS */ ++ return (!ctl->sslproto || strlen(ctl->sslproto)) ++ && !ctl->use_ssl; ++#else ++ (void)ctl; ++ return 0; ++#endif ++} ++ ++/** return true if user requires STARTTLS/STLS, note though that this ++ * code must always use a logical AND with maybe_tls(). */ ++int must_starttls(struct query *ctl) { ++#ifdef SSL_ENABLE ++ return maybe_starttls(ctl) ++ && (ctl->sslfingerprint || ctl->sslcertck ++ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); ++#else ++ (void)ctl; ++ return 0; ++#endif ++} +diff -up fetchmail-6.3.24/tls.c.orig fetchmail-6.3.24/tls.c +--- fetchmail-6.3.24/tls.c.orig 2012-12-13 22:12:27.000000000 +0100 ++++ fetchmail-6.3.24/tls.c 2017-03-07 12:35:18.964038382 +0100 +@@ -1,35 +0,0 @@ +-/** \file tls.c - collect common TLS functionality +- * \author Matthias Andree +- * \date 2006 +- */ +- +-#include "fetchmail.h" +- +-#ifdef HAVE_STRINGS_H +-#include +-#endif +- +-/** return true if user allowed TLS */ +-int maybe_tls(struct query *ctl) { +-#ifdef SSL_ENABLE +- /* opportunistic or forced TLS */ +- return (!ctl->sslproto || !strcasecmp(ctl->sslproto,"tls1")) +- && !ctl->use_ssl; +-#else +- (void)ctl; +- return 0; +-#endif +-} +- +-/** return true if user requires TLS, note though that this code must +- * always use a logical AND with maybe_tls(). */ +-int must_tls(struct query *ctl) { +-#ifdef SSL_ENABLE +- return maybe_tls(ctl) +- && (ctl->sslfingerprint || ctl->sslcertck +- || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1"))); +-#else +- (void)ctl; +- return 0; +-#endif +-} diff --git a/SOURCES/fetchmail-6.3.24-sslv3-in-ssllib-check.patch b/SOURCES/fetchmail-6.3.24-sslv3-in-ssllib-check.patch new file mode 100644 index 0000000..17cf2d7 --- /dev/null +++ b/SOURCES/fetchmail-6.3.24-sslv3-in-ssllib-check.patch @@ -0,0 +1,36 @@ +diff -up fetchmail-6.3.24/config.h.in.orig fetchmail-6.3.24/config.h.in +--- fetchmail-6.3.24/config.h.in.orig 2017-06-13 10:14:37.783983820 +0200 ++++ fetchmail-6.3.24/config.h.in 2017-06-13 10:15:38.532996937 +0200 +@@ -53,6 +53,10 @@ + if you don't. */ + #undef HAVE_DECL_SSLV2_CLIENT_METHOD + ++/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0 ++ if you don't. */ ++#undef HAVE_DECL_SSLV3_CLIENT_METHOD ++ + /* Define to 1 if you have the declaration of `strerror', and to 0 if you + don't. */ + #undef HAVE_DECL_STRERROR +diff -up fetchmail-6.3.24/configure.orig fetchmail-6.3.24/configure +--- fetchmail-6.3.24/configure.orig 2017-06-13 10:23:06.824111065 +0200 ++++ fetchmail-6.3.24/configure 2017-06-13 10:23:43.308129006 +0200 +@@ -10133,6 +10133,18 @@ cat >>confdefs.h <<_ACEOF + #define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl + _ACEOF + ++ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include ++" ++if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl ++_ACEOF ++ + ;; + esac + diff --git a/SOURCES/fetchmail-6.3.24.tar.xz.asc b/SOURCES/fetchmail-6.3.24.tar.xz.asc new file mode 100644 index 0000000..660096b --- /dev/null +++ b/SOURCES/fetchmail-6.3.24.tar.xz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEABECAAYFAlDXMb0ACgkQvmGDOQUufZXJ4ACfUI0C5T+bjZ9JTSOurl2vX2wR +6oQAoPpMe87DHcAWD/7WWlypWCXoIrPE +=6HK1 +-----END PGP SIGNATURE----- diff --git a/SPECS/fetchmail.spec b/SPECS/fetchmail.spec new file mode 100644 index 0000000..4930f40 --- /dev/null +++ b/SPECS/fetchmail.spec @@ -0,0 +1,634 @@ +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} + +Summary: A remote mail retrieval and forwarding utility +Name: fetchmail +Version: 6.3.24 +Release: 7%{?dist} +Source0: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz +Source1: http://download.berlios.de/fetchmail/fetchmail-%{version}.tar.xz.asc +URL: http://fetchmail.berlios.de/ +# For a breakdown of the licensing, see COPYING +License: GPL+ and Public Domain +Group: Applications/Internet +BuildRequires: gettext-devel hesiod-devel krb5-devel openssl-devel +# Patch0: already upstream +Patch0: fetchmail-6.3.24-data-loss.patch +# Patch1: already upstream +Patch1: fetchmail-6.3.24-ssl-backport.patch +# Patch2: already upstream +Patch2: fetchmail-6.3.24-options-usage-manpage.patch +Patch3: fetchmail-6.3.24-sslv3-in-ssllib-check.patch + +%description +Fetchmail is a remote mail retrieval and forwarding utility intended +for use over on-demand TCP/IP links, like SLIP or PPP connections. +Fetchmail supports every remote-mail protocol currently in use on the +Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6, +and IPSEC) for retrieval. Then Fetchmail forwards the mail through +SMTP so you can read it through your favorite mail client. + +Install fetchmail if you need to retrieve mail over SLIP or PPP +connections. + +%prep +%setup -q +%patch0 -p1 -b .data-loss +%patch1 -p1 -b .ssl-backport +%patch2 -p1 -b .options-usage-manpage +%patch3 -p1 -b .sslv3-in-ssllib-check + +%build +%configure --enable-POP3 --enable-IMAP --with-ssl --with-hesiod \ + --enable-ETRN --enable-NTLM --enable-SDPS --enable-RPA \ + --enable-nls --with-kerberos5 --with-gssapi \ + --enable-fallback=no +make + +%install +make install DESTDIR=$RPM_BUILD_ROOT + +# remove fetchmailconf stuff +rm -f $RPM_BUILD_ROOT%{_bindir}/fetchmailconf* +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/fetchmailconf.1* +rm -f $RPM_BUILD_ROOT%{python_sitelib}/fetchmailconf.py* + +%find_lang %name + +%files -f %{name}.lang +%doc COPYING FAQ FEATURES NEWS NOTES README README.SSL TODO +%{_bindir}/fetchmail +%{_mandir}/man1/fetchmail.1* + +%changelog +* Wed Jun 14 2017 Vitezslav Crhonek - 6.3.24-7 +- Fix checking for availability of SSLv3 in openssl library + Resolves: #1458917 + +* Wed Mar 08 2017 Vitezslav Crhonek - 6.3.24-6 +- Fix bogus dates in the %%changelog +- Backport better SSL protocol support and documentation + Resolves: #1273016 +- Minor fixes in options, usage message and man page + Resolves: #949013 + +* Fri Jan 24 2014 Daniel Mach - 6.3.24-5 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 6.3.24-4 +- Mass rebuild 2013-12-27 + +* Thu Apr 25 2013 Vitezslav Crhonek - 6.3.24-3 +- Fix fetchmail loses last line of message if the non-default "mimedecode" option + is enabled and if that line is not properly terminated + Resolves: #955814 + +* Wed Feb 13 2013 Fedora Release Engineering - 6.3.24-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 07 2013 Vitezslav Crhonek - 6.3.24-1 +- Update to fetchmail-6.3.24 + +* Tue Dec 11 2012 Vitezslav Crhonek - 6.3.23-1 +- Update to fetchmail-6.3.23 + +* Mon Sep 03 2012 Vitezslav Crhonek - 6.3.22-1 +- Update to fetchmail-6.3.22 + +* Mon Aug 27 2012 Vitezslav Crhonek - 6.3.21-5 +- Fix issues found by fedora-review utility in the spec file + +* Thu Jul 19 2012 Fedora Release Engineering - 6.3.21-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Mar 13 2012 Vitezslav Crhonek - 6.3.21-3 +- Remove obsolete fetchmailconf stuff + +* Fri Jan 13 2012 Fedora Release Engineering - 6.3.21-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Aug 22 2011 Vitezslav Crhonek - 6.3.21-1 +- Update to fetchmail-6.3.21 + Resolves: #732400 + +* Tue Jun 07 2011 Vitezslav Crhonek - 6.3.20-1 +- Update to fetchmail-6.3.20 + +* Thu Jun 02 2011 Vitezslav Crhonek - 6.3.19-5 +- Fix CVE-2011-1947 + +* Mon Mar 07 2011 Vitezslav Crhonek - 6.3.19-4 +- Remove server(smtp) dependency + +* Wed Feb 09 2011 Vitezslav Crhonek - 6.3.19-3 +- Disable /usr/bin/procmail fallback + Resolves: #672452 + +* Tue Feb 08 2011 Fedora Release Engineering - 6.3.19-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Dec 13 2010 Vitezslav Crhonek - 6.3.19-1 +- Update to fetchmail-6.3.19 + +* Tue Oct 12 2010 Vitezslav Crhonek - 6.3.18-1 +- Update to fetchmail-6.3.18 + +* Thu May 6 2010 Vitezslav Crhonek - 6.3.17-1 +- Update to fetchmail-6.3.17 + +* Wed Apr 7 2010 Vitezslav Crhonek - 6.3.16-1 +- Update to fetchmail-6.3.16 + +* Mon Mar 29 2010 Vitezslav Crhonek - 6.3.15-1 +- Update to fetchmail-6.3.15 + +* Tue Feb 9 2010 Vitezslav Crhonek - 6.3.14-1 +- Update to fetchmail-6.3.14 +- Use xz compressed upstream tarball + +* Tue Nov 3 2009 Vitezslav Crhonek - 6.3.13-1 +- Update to fetchmail-6.3.13 + +* Wed Oct 7 2009 Vitezslav Crhonek - 6.3.12-1 +- Update to fetchmail-6.3.12 + +* Fri Aug 21 2009 Tomas Mraz - 6.3.11-3 +- rebuilt with new openssl + +* Tue Aug 18 2009 Vitezslav Crhonek - 6.3.11-2 +- Regression bug fix for fetchmail 6.3.11 + +* Thu Aug 6 2009 Vitezslav Crhonek - 6.3.11-1 +- Update to fetchmail-6.3.11 +- Remove addrconf patch (upstream now) + +* Fri Jul 24 2009 Fedora Release Engineering - 6.3.9-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Tue Jun 09 2009 Adam Jackson 6.3.9-4 +- Rebuild to get rid of libkrb4 dependency. + +* Tue Feb 24 2009 Fedora Release Engineering - 6.3.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 16 2009 Tomas Mraz - 6.3.9-2 +- rebuild with new openssl + +* Wed Dec 3 2008 Vitezslav Crhonek - 6.3.9-1 +- Update to fetchmail-6.3.9 + +* Thu Sep 18 2008 Vitezslav Crhonek - 6.3.8-8 +- Rediff all patches to work with patch --fuzz=0 +- Replace server(smtp) requires by procmail + Resolves: #66396 + +* Fri Jun 27 2008 Vitezslav Crhonek - 6.3.8-7 +- Fix CVE-2008-2711 + +* Wed Mar 26 2008 Vitezslav Crhonek - 6.3.8-6 +- Replace smtpdaemon requires by server(smtp) requires + Resolves: #66396 + +* Mon Feb 11 2008 Vitezslav Crhonek - 6.3.8-5 +- Fix Buildroot + +* Wed Dec 5 2007 Vitezslav Crhonek - 6.3.8-4 +- Rebuild + +* Tue Sep 4 2007 Vitezslav Crhonek - 6.3.8-3 +- Fix CVE-2007-4565 + +* Thu Aug 23 2007 Vitezslav Crhonek - 6.3.8-2 +- fix license +- rebuild + +* Mon Jul 2 2007 Vitezslav Crhonek - 6.3.8-1 +- Update to fetchmail-6.3.8 (#246445) + +* Mon Feb 19 2007 Miloslav Trmac - 6.3.7-1 +- Update to fetchmail-6.3.7 + +* Mon Jan 22 2007 Miloslav Trmac - 6.3.6-2 +- Let KPOP use PASS again + Resolves: #223661 + +* Sat Jan 6 2007 Miloslav Trmac - 6.3.6-1 +- Update to fetchmail-6.3.6 (CVE-2006-5867, CVE-2006-5974) + +* Wed Nov 1 2006 Miloslav Trmac - 6.3.5-1 +- Update to fetchmail-6.3.5 +- Fix some rpmlint warnings + +* Sun Sep 24 2006 Miloslav Trmac - 6.3.4-2 +- Don't increase the certificate search path on each poll (#206346) + +* Wed Jul 12 2006 Jesse Keating - 6.3.4-1.1 +- rebuild + +* Mon May 1 2006 Miloslav Trmac - 6.3.4-1 +- Update to fetchmail-6.3.4 + +* Sat Apr 1 2006 Miloslav Trmac - 6.3.3-3 +- Fix fetchmail-6.3.3-resolv.patch + +* Fri Mar 31 2006 Miloslav Trmac - 6.3.3-2 +- Fix some type mismatches on 64-bit architectures +- Fix checking for res_* on architectures with newer glibc ABI + +* Fri Mar 31 2006 Miloslav Trmac - 6.3.3-1 +- Update to fetchmail-6.3.3 + +* Fri Feb 10 2006 Jesse Keating - 6.3.2.1-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 6.3.2.1-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Jan 30 2006 Miloslav Trmac - 6.3.2.1-1 +- Update to fetchmail-6.3.2.1 + +* Mon Jan 23 2006 Miloslav Trmac - 6.3.2-1 +- Update to fetchmail-6.3.2 (CVE-2006-0321) + +* Tue Dec 20 2005 Miloslav Trmac - 6.3.1-1 +- Update to fetchmail-6.3.1 (CVE-2005-4348) + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Dec 2 2005 Miloslav Trmac - 6.3.0-1 +- Update to fetchmail-6.3.0 +- Remove nohesiod and nokerberos conditionals + +* Wed Nov 30 2005 Miloslav Trmac - 6.2.9-0.1.rc10 +- Update to fetchmail-6.2.9-rc10 + +* Wed Nov 9 2005 Miloslav Trmac - 6.2.5.2-2 +- Rebuild with new openssl +- Ship README.SSL, drop html documentation copies + +* Fri Jul 22 2005 Miloslav Trmac - 6.2.5.2-1 +- Update to fetchmail-6.2.5.2 + +* Thu Jul 21 2005 Miloslav Trmac - 6.2.5.1-1 +- Update to fetchmail-6.2.5.1 to fix CAN-2005-2335 (#163819) +- Fix crash on empty Message-ID + +* Mon Jul 18 2005 Karsten Hopp 6.2.5-10 +- Buildrequires gettext-devel for AM_GNU_GETTEXT macro + +* Sat Jun 11 2005 Miloslav Trmac - 6.2.5-9 +- Fix fetchmailconf handling of unspecified server port + +* Tue Jun 7 2005 Miloslav Trmac - 6.2.5-8 +- Fix APOP and RPOP (#127315) +- Don't link to libdl + +* Wed Mar 16 2005 Nalin Dahyabhai 6.2.5-7 +- stop using one of the libkrb5 private functions + +* Thu Sep 30 2004 John Dennis 6.2.5-6 +- fix bug #113492 + after expunge, dovecot hangs fetchmail if new e-mail came in + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Wed May 19 2004 Nalin Dahyabhai 6.2.5-4 +- turn on SDPS (#123599) and RPA + +* Wed May 19 2004 Joe Orton 6.2.5-3 +- pass AI_ADDRCONFIG to getaddrinfo to prevent pointless AAAA lookups + +* Wed Apr 21 2004 Nalin Dahyabhai 6.2.5-2 +- distill out portions of pop3.c which don't affect capa probing + +* Fri Apr 16 2004 Nalin Dahyabhai +- switch to Robert Scheck's fix for capa probing endless loop on pop servers + which don't support capa (#115474) + +* Thu Apr 15 2004 Nalin Dahyabhai +- split the use-correct-service-name and check-for-gssapi-in-pop portions of + gssapi+pop fix into pieces +- only trigger pop capa probe if authentication method != password + +* Mon Mar 15 2004 Nalin Dahyabhai 6.2.5-1 +- update to 6.2.5, per Eric's recommendation + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Mon Feb 2 2004 Nalin Dahyabhai 6.2.0-9 +- add patch to ensure that stuffed warnings always end in cr-lf (#114470) + +* Tue Nov 25 2003 Nalin Dahyabhai +- blah, merge multiple patches for krb5-config things into one + +* Fri Nov 14 2003 Nalin Dahyabhai +- fix gssapi support authenticating to imap, even when connected to pop + +* Thu Nov 13 2003 Nalin Dahyabhai +- munge, munge, munge. kpop build resurrected, at least for now. + +* Fri Oct 10 2003 Nalin Dahyabhai 6.2.0-8 +- add patch to not truncate headers which have been munged to include a + hostname where one didn't exist before (CAN-2003-0792), backport from fix + for 6.2.4 included in 6.2.5 + +* Thu Oct 9 2003 Nalin Dahyabhai +- add patch from Markus Friedl to fix possible buffer underrun (CAN-2003-0790) + +* Tue Sep 23 2003 Florian La Roche +- allow compiling without hesiod + +* Tue Jun 24 2003 Nalin Dahyabhai 6.2.0-6 +- rebuild + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Tue Apr 29 2003 Nalin Dahyabhai +- update URLs + +* Wed Jan 22 2003 Tim Powers 6.2.0-3 +- rebuilt + +* Tue Jan 7 2003 Nalin Dahyabhai 6.2.0-2 +- rebuild + +* Fri Dec 13 2002 Nalin Dahyabhai 6.2.0-1 +- update to 6.2.0 + +* Mon Nov 4 2002 Nalin Dahyabhai 6.1.2-1 +- update to 6.1.2 + +* Fri Oct 4 2002 Nalin Dahyabhai 6.1.0-1 +- add -L/usr/kerberos/%%{_lib} to LDFLAGS so that the Kerberos libraries will + be found again + +* Wed Sep 25 2002 Nalin Dahyabhai +- update to 6.0.0 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Tue Jun 11 2002 Nalin Dahyabhai 5.9.0-15 +- remove and obsolete the fetchmailconf subpackage (tkinter is gone, so it + can't be run) + +* Mon Jun 3 2002 Nalin Dahyabhai 5.9.0-14 +- require hesiod at build-time + +* Sun May 26 2002 Tim Powers +- automated rebuild + +* Fri May 17 2002 Nalin Dahyabhai 5.9.0-12 +- rebuild in new environment +- require autoconf213 +- enable hesiod support + +* Wed May 1 2002 Nalin Dahyabhai 5.9.0-11 +- rebuild + +* Wed May 1 2002 Nalin Dahyabhai 5.9.0-10 +- reject bogusly large message counts on 64-bit systems, too + +* Wed Mar 27 2002 Nalin Dahyabhai 5.9.0-8 +- configure with --enable-NTLM, not --enable-ntlm, ditto for ETRN, POP3, IMAP + +* Mon Mar 11 2002 Nalin Dahyabhai +- add patch to reject bogusly large message counts, backported from 5.9.10 +- build for RHL 6.2 errata + +* Fri Feb 22 2002 Nalin Dahyabhai 5.9.0-5 +- rebuild + +* Wed Jan 23 2002 Nalin Dahyabhai 5.9.0-4 +- rebuild in new environment + +* Wed Jan 09 2002 Tim Powers 5.9.0-3 +- automated rebuild + +* Tue Nov 13 2001 Nalin Dahyabhai 5.9.0-2 +- remove explicit dependency on krb5-libs + +* Mon Aug 13 2001 Nalin Dahyabhai 5.9.0-1 +- update to 5.9.0 final release + +* Thu Aug 9 2001 Nalin Dahyabhai +- update to 5.8.17, candidate for 5.9.0 + +* Tue Jul 17 2001 Nalin Dahyabhai +- update to 5.8.14 + +* Fri Jul 6 2001 Nalin Dahyabhai +- update to 5.8.12 + +* Mon Jul 2 2001 Nalin Dahyabhai +- update to 5.8.11 + +* Mon Jun 25 2001 Nalin Dahyabhai +- fetchmailconf should depend on tkinter (#42156) + +* Thu Jun 21 2001 Nalin Dahyabhai +- update to 5.8.8 + +* Tue Jun 19 2001 Nalin Dahyabhai +- update to 5.8.7 + +* Tue Jun 12 2001 Nalin Dahyabhai +- update to 5.8.6, which approaches a 5.9.0 + +* Wed May 30 2001 Nalin Dahyabhai +- update to 5.8.5 + +* Tue May 22 2001 Nalin Dahyabhai +- update to 5.8.4 + +* Fri Apr 27 2001 Nalin Dahyabhai +- rebuild in new environment + +* Tue Apr 17 2001 Nalin Dahyabhai +- update to 5.8.1, which includes patches we were using + +* Wed Apr 4 2001 Nalin Dahyabhai +- fix handling of "any" authentication (#32527) +- accept more arguments to --auth +- parse "auth password" correctly in the configuration file + +* Wed Mar 21 2001 Nalin Dahyabhai +- fall back to plain auth if gssapi fails (#32527) + +* Tue Mar 13 2001 Nalin Dahyabhai +- properly handle "nospambounce" in the config file (#31234) + +* Mon Mar 12 2001 Nalin Dahyabhai +- update to 5.7.4, which merges our patches + +* Mon Mar 5 2001 Nalin Dahyabhai +- update to 5.7.2 +- call AC_PROG_MAKE_SET in configure.in +- fix various things which cause it to not compile if gssapi is enabled + +* Fri Mar 2 2001 Nalin Dahyabhai +- rebuild in new environment + +* Fri Feb 23 2001 Trond Eivind Glomsrød +- langify + +* Mon Feb 12 2001 Nalin Dahyabhai +- work around sockets without an sa_len field + +* Fri Feb 9 2001 Nalin Dahyabhai +- fix for exception when adding hosts in fetchmailconf (#26387) + +* Thu Feb 8 2001 Nalin Dahyabhai +- add Todd Sabin's patch for handling untagged responses during CRAM-MD5 auth + +* Mon Jan 15 2001 Nalin Dahyabhai +- enable IPv6 support (#24033) + +* Tue Nov 28 2000 Nalin Dahyabhai +- enable NLS (#21419) + +* Mon Nov 27 2000 Nalin Dahyabhai +- update to 5.6.0 +- revert "untagged" patch, which went upstream + +* Wed Nov 8 2000 Nalin Dahyabhai +- patch to handle untagged responses during IMAP-GSS authentication +- update to 5.5.5 + +* Thu Aug 17 2000 Nalin Dahyabhai +- enable SSL support + +* Sat Aug 12 2000 Nalin Dahyabhai +- update to 5.5.0 +- change Copyright: to License: GPL + +* Tue Aug 8 2000 Nalin Dahyabhai +- back out MDA patch; sendmail started listening by default again + +* Thu Aug 3 2000 Nalin Dahyabhai +- patch to use procmail as an MDA by default +- patch to not run makedepend + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Sun Jul 2 2000 Nalin Dahyabhai +- update to 5.4.3 + +* Thu Jun 29 2000 Nalin Dahyabhai +- fix a typo in 5.4.2 + +* Wed Jun 28 2000 Matt Wilson +- fixed configure arguments to not have a continuation at the end of the last + one + +* Tue Jun 27 2000 Nalin Dahyabhai +- update to 5.4.2 + +* Fri Jun 9 2000 Nalin Dahyabhai +- update to 5.4.1 +- FHS fixes, with mandir override +- change fetchmailconf.1 symlink to an include + +* Thu May 25 2000 Nalin Dahyabhai +- fix Kerberos configure patch to work correctly for krb5 1.0, too + +* Fri May 19 2000 Nalin Dahyabhai +- update to 5.4.0 +- rework Kerberos dependencies + +* Fri Apr 21 2000 Nalin Dahyabhai +- update to 5.3.8 + +* Tue Apr 4 2000 Bill Nottingham +- eliminate explicit krb5-configs dependency + +* Mon Mar 6 2000 Bernhard Rosenkränzer +- 5.3.1 - This fixes Bugs #9982 and #9987 + +* Wed Mar 1 2000 Nalin Dahyabhai +- make kerberos support conditional at build-time + +* Wed Mar 1 2000 Bill Nottingham +- integrate kerberos support into main tree + +* Fri Feb 25 2000 Nalin Dahyabhai +- Add Kerberos and GSS authenticator support + +* Fri Feb 25 2000 Cristian Gafton +- version 5.3.0 has a correct version of the rfc822 patch + +* Fri Feb 25 2000 Jeff Johnson +- fix length of rfc822 headers in strcncasecmp(). + +* Tue Feb 15 2000 Bernhard Rosenkränzer +- 5.2.8 (fixes the POP3-UIDL bug) +- Fix up the fetchmailconf man page symlink + +* Fri Feb 11 2000 Cristian Gafton +- version 5.2.7 +- add patch so that fetchmailconf will not output ssl configure statements + is no ssl is configured + +* Mon Jan 31 2000 Cristian Gafton +- rebuild to fix deps +- man pages are compressed +- enable %%clean + +* Tue Jan 11 2000 Bernhard Rosenkraenzer +- 5.2.3 +- fetchmailconf requires fetchmail = %%{version} +- fix compilation + +* Mon Dec 27 1999 Bernhard Rosenkraenzer +- 5.2.2 + +* Thu Sep 23 1999 Preston Brown +- got 5.1.0, fixes potential buffer overflow... + +* Sat Jun 12 1999 Jeff Johnson +- update to 5.0.4. + +* Mon Apr 05 1999 Cristian Gafton +- 5.0.0 + +* Tue Mar 30 1999 Preston Brown +- subpackage for fetchmailconf + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 2) + +* Thu Dec 17 1998 Cristian Gafton +- version 4.7.0 +- build against glibc 2.1 + +* Sat Sep 19 1998 Jeff Johnson +- correct typo in dangling symlink fix. + +* Wed Sep 09 1998 Cristian Gafton +- update to 4.5.8 + +* Wed Jul 22 1998 Jeff Johnson +- update to 4.5.3. + +* Fri May 08 1998 Cristian Gafton +- fixed spelung eror in the decsriptoin + +* Thu May 07 1998 Cristian Gafton +- new version 4.4.4 fixes a lot of bugs + +* Fri Apr 24 1998 Prospector System +- translations modified for de, fr, tr + +* Thu Apr 09 1998 Cristian Gafton +- upgraded to 4.4.1 +- buildroot + +* Thu Oct 23 1997 Michael Fulbright +- Updated to 4.3.2 using SRPM from Eric Raymond + +* Thu Jul 10 1997 Erik Troan +- built against glibc