Pullup ticket 3108 - requested by tez and tron

security update

Revisions pulled up:
- pkgsrc/mail/fetchmail/Makefile	1.173
- pkgsrc/mail/fetchmail/distinfo	1.43
- pkgsrc/mail/fetchmailconf/Makefile	1.79

Files added:
pkgsrc/mail/fetchmail/MESSAGE
pkgsrc/mail/fetchmail/patches/patch-aa

   -------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tez
   Date:           Sat May  8 15:34:59 UTC 2010

   Modified Files:
           pkgsrc/mail/fetchmail: Makefile distinfo
   Added Files:
           pkgsrc/mail/fetchmail: MESSAGE

   Log Message:
   Update to 6.3.17 per PR#43269

   fetchmail-6.3.17 (released 2010-05-06, 25767 LoC):

   # SECURITY FIX
   * CVE-2010-1167: Fetchmail before release 6.3.17 did not properly sanitize
     external input (mail headers and UID). When a multi-character locale (such as

   # FEATURES
   * Fetchmail now supports a --sslcertfile <file> option to specify a "CA bundle"
     file (a file that contains trusted CA certificates). Since these bundled CA
     files do not require c_rehash to be run, they are easier to use and immune to
     OpenSSL library updates that affect the hash function.
   * Fetchmail now supports a FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS
     environment variable to force loading the default SSL CA certificate
     locations even if --sslcertfile or --sslcertpath is used.
     If neither option is in effect, fetchmail loads the default locations.

   # REGRESSION FIX
   * Fix string handling in rcfile scanner, which caused fetchmail to misparse a
     run control file in certain circumstances.  Fixes BerliOS bug #14257.
     Patch by Michael Banack.  This fixes a regression introduced before 6.3.0.

   # BUG FIXES
   * Plug memory leak when using a "defaults" entry in the run control file.
   * Do not print SSL certificate mismatches unless verbose or --sslcertck is
     enabled.
   * Do not lose "set invisible" in fetchmailconf. (Michael Barnack)

   # CHANGES
   * Usability: SSL certificate chains are fully printed in -v -v mode, and there
     are now helpful pointers to --sslcertpath and c_rehash for "unable to get
     local issuer certificate" and self-signed certificates -- these usually hint
     to missing root signing CAs in the certs directory.
   * Several fixes for compiler (GCC, Intel C++, CLang) and autotools warnings
   * Memory allocation failures will now cause abnormal program abort (SIGABRT),
     no longer an exit with unspecified code.

   # DOCUMENTATION
   * Fix table of global option to read "set softbounce" where there used to be a
     2nd copy of "set spambounce".  Patch by Michael Banack, BerliOS Bug #17067.
   * In the --sslcertpath description, mention that OpenSSL upgrade (and a 0.9.X
     to 1.0.0 upgrade in particular) may require running c_rehash.

   # TRANSLATION UPDATES
     [zh_CN] Chinese/simplified (Ji Zheng-Yu)
     [cs]    Czech (Petr Pisar)
     [nl]    Dutch (Erwin Poeze)
     [fr]    French (Fr\xc3<A9>d\xc3<A9>ric Marchal)
     [de]    German
     [id]    Indonesian (Andhika Padmawan)
     [it]    Italian (Vincenzo Campanella)
     [ja]    Japanese (Takeshi Hamasaki)
     [pl]    Polish (Jakub Bogusz)
     [sk]    Slovak (Marcel Telka)
     [vi]    Vietnamese (Clytie Siddall)

   # KNOWN BUGS AND WORKAROUNDS:
     (this section floats upwards through the NEWS file so it stays with the
     current release information - however, it was stuck with 6.3.8 for a while)
   * fetchmail does not handle messages without Message-ID header well
     (See sourceforge.net bug #780933)
   * BSMTP is mostly untested and errors can cause corrupt output.
   * Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
     64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
     fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
     so compiling 32-bit SPARC code should not cause any difficulties.
   * fetchmail does not track pending deletes over crashes
   * the command line interface is sometimes a bit stubborn, for instance,
     fetchmail -s doesn't work with a daemon running

   fetchmail-6.3.16 (released 2010-04-06, 25574 LoC):

   # BUG FIX
   * Fix --interface option, broken in 6.3.15. Reported by Vladmimir Stavrinov.
     Fixes Debian Bug #576717.

   # CHANGE
   * Call OpenSSL_add_all_algorithms(). This is needed to support non-mandatory
     and non-standard algorithms in certificates.
     Sjoerd Simons, to fix Debian Bug #576430.
     OpenSSL 0.9.8* does not load - for instance - the SHA256 digest by default.
     Reported as OpenSSL RT#2224.

   fetchmail-6.3.15 (released 2010-03-28, 25572 LoC):

   # FEATURE
   * Fetchmail now supports a bad-header command line or rcfile option that takes
     exactly one argument, accept or reject (default).  This specifies how messages
     with bad headers retrieved from the current server are to be treated.

   # BUG FIXES
   * In the rcfile, recognize "local" as abbreviation for "localdomains", as
     documented. The short form has not ever worked since this feature was added in
     January 1997. Reported by Fr\xc3<A9>d\xc3<A9>ric Marchal.
   * Do not close stdout when using mda and "bsmtp -" at the same time.
   * Log operating system errors when BSMTP writes fail.
   * Fix verbose mode progress formatting regression from 6.3.10; SMTP trace lines
     were no longer on a line of their own. Reported by Melchior Franz.
   * Check seteuid() return value and abort running MDA if switch fails.
   * Set global flags in a consistent manner. Make --nosoftbounce and
     --nobounce work from command line (these used to work in rcfiles).
     Reported and fix confirmed working by N.J. Mann. (Sunil Shetye)
   * Properly import h_errno declarations, even on systems where h_errno isn't a
     macro. (Adds ./configure check, fixes Cygwin dllimport warnings.)

   # CHANGES
   * The repository has been converted and moved from the Subversion (SVN) format
     kindly hosted by Graham Wilson over the past years to Git format hosted on
     Gitorious.org.  My deepest thanks to Graham Wilson for this service that
     kept us going when BerliOS's Subversion service was faulty in its early days.
   * This opportunity was used to convert BRANCH_6-2 and BRANCH_1-9-9 to
     GnuPG-signed tags, as a sign that these are now closed.
   * The outdated SVN trunk is now called "oldtrunk" in Git just to save the work
     for future reference. All development in the past few years was on BRANCH_6-3.
   * master was branched from BRANCH_6-3.  BRANCH_6-3 is now obsolete (and in fact
     was also converted to a tag to record where the conversion from SVN to Git
     took place).
   * "make check" now skips HTML validation if xmllint or XHTML DTD are missing.

   # DOCUMENTATION
   * Web site and documentation were adjusted to reflect the SVN->Git move.
   * The fetchmail manual page is now much clearer on the user id switching
     (seteuid) when using --mda while running as the super user.

   # TRANSLATION UPDATES, by language name
   * [zh_CN] Chinese (Simplified), by Ji Zheng-Yu
   * [cs]    Czech, by Petr Pisar
   * [nl]    Dutch, by Erwin Poeze
   * [fr]    French, by Fr\xc3<A9>d\xc3<A9>ric Marchal
   * [de]    German
   * [id]    Indonesian, by Andhika Padmawan
   * [it]    Italian, by Vincenzo Campanella
   * [ja]    Japanese, by Takeshi Hamasaki
   * [pl]    Polish, by Jakub Bogusz
   * [vi]    Vietnamese, by Clytie Siddall


   To generate a diff of this commit:
   cvs rdiff -u -r0 -r1.1 pkgsrc/mail/fetchmail/MESSAGE
   cvs rdiff -u -r1.171 -r1.172 pkgsrc/mail/fetchmail/Makefile
   cvs rdiff -u -r1.41 -r1.42 pkgsrc/mail/fetchmail/distinfo

   -------------------------------------------------------------------------

   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Sun May  9 11:45:28 UTC 2010

   Modified Files:
           pkgsrc/mail/fetchmail: Makefile distinfo
   Added Files:
           pkgsrc/mail/fetchmail/patches: patch-aa

   Log Message:
   Add patch by Matthias Andree to avoid warnings about insecure connections
   if SSL fingerprints are used.


   To generate a diff of this commit:
   cvs rdiff -u -r1.172 -r1.173 pkgsrc/mail/fetchmail/Makefile
   cvs rdiff -u -r1.42 -r1.43 pkgsrc/mail/fetchmail/distinfo
   cvs rdiff -u -r0 -r1.8 pkgsrc/mail/fetchmail/patches/patch-aa

   -------------------------------------------------------------------------

   Module Name:    pkgsrc
   Committed By:   tron
   Date:           Sun May  9 11:54:21 UTC 2010

   Modified Files:
           pkgsrc/mail/fetchmailconf: Makefile

   Log Message:
   Unbreak "fetchmailconf" package by updating it to version 6.3.17 as well.
   Changes since version 6.3.14:

   # BUG FIXES
   * Do not lose "set invisible" in fetchmailconf. (Michael Barnack)


   To generate a diff of this commit:
   cvs rdiff -u -r1.78 -r1.79 pkgsrc/mail/fetchmailconf/Makefile

5 files changed, 49 insertions, 8 deletions

diff --git a/mail/fetchmail/MESSAGE b/mail/fetchmail/MESSAGE
new file mode 100644
index 00000000000..c6a3f4dbd83
--- /dev/null
+++ b/mail/fetchmail/MESSAGE
@@ -0,0 +1,19 @@
+===========================================================================
+$NetBSD: MESSAGE,v 1.1.2.2 2010/05/09 18:10:13 spz Exp $
+
+If the upgrade you did encompassed an upgrade to OpenSSL 1.0.0 or newer,
+you may need to run c_rehash on your certificate directories, particularly
+if you are using local certs directories (f. i. through fetchmail's
+--sslcertpath option).
+
+Reason: OpenSSL 1.0.0, relative to earlier versions, uses a different hash
+for the symbolic links (symlinks) in its certs/ directory, so you need to
+recreate the symlinks by running c_rehash /etc/ssl/certs (adjust this to
+where your installation keeps its certificates), and you cannot easily
+share this certs directory with applications linked against older OpenSSL
+versions.
+
+See the fetchmail FAQ for more information:
+	http://fetchmail.berlios.de/fetchmail-FAQ.html#R14
+
+===========================================================================
diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index e539cb44e26..898d3b140ee 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.171 2010/02/14 13:05:31 tnn Exp $
+# $NetBSD: Makefile,v 1.171.2.1 2010/05/09 18:10:13 spz Exp $
 
 # Note to updaters: mail/fetchmailconf reaches over here, make sure it builds.
-DISTNAME=	fetchmail-6.3.14
+DISTNAME=	fetchmail-6.3.17
+PKGREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	http://download.berlios.de/fetchmail/
 EXTRACT_SUFX=	.tar.bz2
diff --git a/mail/fetchmail/distinfo b/mail/fetchmail/distinfo
index 1049b65d8c4..d6a343459e7 100644
--- a/mail/fetchmail/distinfo
+++ b/mail/fetchmail/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.41 2010/02/14 09:46:00 wiz Exp $
+$NetBSD: distinfo,v 1.41.2.1 2010/05/09 18:10:13 spz Exp $
 
-SHA1 (fetchmail-6.3.14.tar.bz2) = 2bc18f121d5b99e22584970c6f8b62bb65430c4c
-RMD160 (fetchmail-6.3.14.tar.bz2) = 62001764dead52a66cdec239209493f1503fe397
-Size (fetchmail-6.3.14.tar.bz2) = 1621188 bytes
+SHA1 (fetchmail-6.3.17.tar.bz2) = d9ffc9a43f08f9ee9394a959834606eb41141d47
+RMD160 (fetchmail-6.3.17.tar.bz2) = a908da76b9d729dee7c6457b89a342be677bd690
+Size (fetchmail-6.3.17.tar.bz2) = 1642598 bytes
+SHA1 (patch-aa) = 9885a4f063b428d68c7bff06c1402571f0e21c82
diff --git a/mail/fetchmail/patches/patch-aa b/mail/fetchmail/patches/patch-aa
new file mode 100644
index 00000000000..8adba05c744
--- /dev/null
+++ b/mail/fetchmail/patches/patch-aa
@@ -0,0 +1,20 @@
+$NetBSD: patch-aa,v 1.8.2.2 2010/05/09 18:10:13 spz Exp $
+
+Don't complain about insecure connection if a SSL fingerprint is provided.
+Patch taken from here:
+
+http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg780308.html
+
+--- socket.c.orig	2010-04-30 00:29:05.000000000 +0100
++++ socket.c	2010-05-09 12:40:58.000000000 +0100
+@@ -1009,8 +1009,8 @@
+ 		}
+ 	}
+ 
+-	if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
+-|| !_verify_ok)) {
++	if (!certck && !fingerprint &&
++		(SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
+ 		report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
+ 	}
+ 
diff --git a/mail/fetchmailconf/Makefile b/mail/fetchmailconf/Makefile
index 1900801d45d..559119fc6dc 100644
--- a/mail/fetchmailconf/Makefile
+++ b/mail/fetchmailconf/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.78 2010/02/14 13:06:32 tnn Exp $
+# $NetBSD: Makefile,v 1.78.2.1 2010/05/09 18:10:13 spz Exp $
 
-DISTNAME=	fetchmail-6.3.14
+DISTNAME=	fetchmail-6.3.17
 PKGNAME=	${DISTNAME:S/fetchmail/fetchmailconf/}
 CATEGORIES=	mail
 MASTER_SITES=	http://download.berlios.de/fetchmail/