Pullup ticket #3454 - requested by tron

mail/fetchmail security update

Revisions pulled up:
- mail/fetchmail/Makefile                                       1.176
- mail/fetchmail/distinfo                                       1.44
- mail/fetchmail/patches/patch-aa                               removed
- mail/fetchmailconf/Makefile                                   1.80

---
   Module Name:	pkgsrc
   Committed By:	obache
   Date:		Thu Jun  9 11:52:34 UTC 2011

   Modified Files:
   	pkgsrc/mail/fetchmail: Makefile distinfo
   	pkgsrc/mail/fetchmailconf: Makefile
   Removed Files:
   	pkgsrc/mail/fetchmail/patches: patch-aa

   Log Message:
   Update fetchmail to 6.3.20.
   Requested by PR#45030.

   fetchmail-6.3.20 (released 2011-06-06, 26005 LoC):

   # SECURITY BUG FIXES
   * CVE-2011-1947:
     STARTTLS: Fetchmail runs the IMAP STARTTLS or POP3 STLS negotiation with the
     set timeout (default five minutes) now. This was reported missing, with
     observed fetchmail freezes beyond a week, by Thomas Jarosch.
        SSL-wrapped connections were unaffected by this timeout, so users of older
     versions can force ssl-wrapped connections -- if supported by the server --
     with the --ssl command line or ssl rcfile option.
     See fetchmail-SA-2011-01.txt for further details.

   # BUG FIXES
   * IMAP: Do not search for UNSEEN messages in ranges. Usually, there are very few
     new messages and most of the range searches result in nothing. Instead, split
     the long response to make the IMAP driver think that there are multiple lines
     of response. (Sunil Shetye)
   * Do not print "skipping message" for old messages even in verbose mode. If
     there are too many old messages, the logs just get filled without any real
     activity. (Sunil Shetye) (suggested by Yunfan Jiang)
   * Build: fetchmail now always uses its own MD5 implementation rather than trying
     to find a system library with matched header. The library and header variants
     found on systems are too diverse, and the code size saving is not worth any
     more wasted user or programmer time.

   # CHANGES
   * Call strlen() only once when removing CRLF from a line. (Sunil Shetye)
   * fetchmail sets Internet domain sockets to "keepalive" mode now. Note that
     there is no portable way to configure actual timeouts for this mode, and some
     systems only support a system-wide timeout setting. fetchmail does not
     attempt to tune the time spans of keepalive mode.

   # TRANSLATION UPDATES
     [cs]    Chech (Petr Pisar)
     [nl]    Dutch (Erwin Poeze)
     [fr]    French (Frédéric Marchal)
     [de]    German (Matthias Andree)
     [ja]    Japanese (Takeshi Hamasaki)
     [pl]    Polish (Jakub Bogusz)
     [sk]    Slovak (Marcel Telka)

   # KNOWN BUGS AND WORKAROUNDS
     (this section floats upwards through the NEWS file so it stays with the
     current release information - however, it was stuck with 6.3.8 for a while)
   * fetchmail does not handle messages without Message-ID header well
     (See sourceforge.net bug #780933)
   * BSMTP is mostly untested and errors can cause corrupt output.
   * Sun Workshop 6 (SPARC) is known to miscompile the configuration file lexer in
     64-bit mode.  Either compile 32-bit code or use GCC to compile 64-bit
     fetchmail.  Note that fetchmail doesn't take advantage of 64-bit code,
     so compiling 32-bit SPARC code should not cause any difficulties.
   * fetchmail does not track pending deletes over crashes.
   * the command line interface is sometimes a bit stubborn, for instance,
     fetchmail -s doesn't work with a daemon running.
   * Linux systems may return duplicates of an IP address in some circumstances if
     no or no global IPv6 addresses are configured.
     (No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
   * Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
     messages. This will not be fixed, because the maintainer has no Kerberos 5
     server to test against. Use GSSAPI.

   fetchmail-6.3.19 (released 2010-12-10, 25945 LoC):

   # ERRATUM NOTICE ISSUED
   * fetchmail 6.3.18 contains several bug fixes that were considered sufficiently
     grave to warrant the issue of an erratum notice, fetchmail-EN-2010-03.txt.

   # BUG FIXES
   * When specifying multiple local multidrop lists, do not lose wildcard flag.
     (Affects "user foo is bar baz * is joe here")
   * In multidrop configurations, an asterisk can now appear anywhere in the list
     of local users, not just at the end.
   * In multidrop mode, header parsing is now more verbose in -vv mode, so that it
     becomes possible to see which header is used.
   * Make --antispam work from command line (these used to work in rcfiles).
     Reported by Kees Bakker, BerliOS Bug #17599. (Sunil Shetye)
   * Smoke test XHTML 1.1 validation, and if it fails, skip validating HTML
     documents.  Skip validating Mailbox-Names-UTF7.html. Several systems have
     broken XHTML 1.1 DTD installations that jeopardize the build.
     Reported by Mihail Nechkin against FreeBSD port.
     Workaround for 6.3.18: build in a separate directory, i. e:
     mkdir build && cd build && ../configure --options-go-here
   * Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
   * Demote GSSAPI verbose/debug syslog to INFO severity. Requested by Carlos E. R.
     and Derek Simkowiak via the fetchmail-users@ mailing list.
   * Do STARTTLS/STLS negotiation in IMAP/POP3 if it is mandatory even if the
     server capabilities do not show support for upgradation to TLS.
     To use this, configure --sslproto tls1. (Sunil Shetye)
   * IMAP: Understand empty strings as FETCH response, seen on Yahoo. Reported by
     Yasin Malli to fetchmail-users@ 2010-12-10.
     Note that fetchmail continues to expect literals as FETCH response for now.

   # DOCUMENTATION
   * The manual page now links to IANA for GSSAPI service names.

   # TRANSLATION UPDATES
     [cs]    Czech (Petr Pisar)
     [fr]    French (Frédéric Marchal)
     [de]    German
     [it]    Italian (Vincenzo Campanella)
     [pl]    Polish (Jakub Bogusz)

   fetchmail-6.3.18 (released 2010-10-09, 25936 LoC):

   # SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
   * Fetchmail now only accepts wildcard certificate common names and subject
     alternative names if they start with "*.". Previous versions would accept
     wildcards even if no period followed immediately.
   * Fetchmail now disallows wildcards in certificates to match domain literals
     (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
     The test is overly picky and triggers if the pattern (after skipping the
     initial wildcard "*") or domain consists solely of digits and dots, and thus
     matches more than needed.
   * Fetchmail now disallows wildcarding top-level domains.

   # CRITICAL BUG FIXES AND REGRESSION FIXES
   * Fetchmail 6.3.15, 6.3.16, and 6.3.17 would pick up libmd5 to obtain MD5*
     functions, as an effect of an undocumented Solaris MD5 fix.
     This caused all MD5-related functions to malfunction if, for instance,
     libmd5.so was installed on other operating systems as part of libwww on
     machines where long isn't 32-bits, i. e. usually on 64-bit computers.
     Fixes Gentoo Bug #319283, reported, including libwww hint, by Karl Hakimian.
     Side effect: fetchmail will now use -lmd on Solaris rather than -lmd5.
   * Fetchmail 6.3.17 warned about insecure SSL/TLS connections even if a matching
     --sslfingerprint was specified. This is an omission from an SSL usability
     change made in 6.3.17.
     Fixes Debian Bug#580796 reported by Roland Stigge.
   * Fetchmail will now apply timeouts to the authentication stage.
     This stage encompasses STARTTLS/STLS negotiation in IMAP/POP3.
     Reported missing by Thomas Jarosch.
   * Fetchmail now cancels GSSAPI authentication properly when encountering GSS
     errors, such as no or unsuitable credentials.
     It now sends an asterisk on a line by its own, as required in SASL.
       This fixes protocol synchronization issues that cause Authentication
     failures, often observed with kerberized MS Exchange servers.
     Fixes Debian Bug #568455 reported by Patrick Rynhart, and Alan Murrell, to the
     fetchmail-users list. Fix verified by Thomas Voigtmann and Patrick Rynhart.

   # BUG FIXES
   * Fetchmail will no longer print connection attempts and errors for one host
     in "silent" and "normal" logging modes, unless all connections fail. This
     should reduce irritation around refused-connection logging if services are
     only on an IPv4 socket if the host also supports IPv6. Often observed as
     connections refused to ::1/25 when the subsequent connection to 127.0.0.1/25
     then - silently - succeeds.  Fetchmail, unless in verbose mode, will collect
     all connect errors and only report them if all of them fail.
   * Fetchmail will not try GSSAPI authentication automatically, unless it has GSS
     credentials. However, if GSSAPI authentication is requested explicitly,
     fetchmail will always try it.
   * Fetchmail now parses response to "FETCH n:m RFC822.SIZE" and "FETCH n
     RFC822.HEADER" in a more flexible manner. (Sunil Shetye)
   * The manual page clearly states that --principal is for Kerberos 4 only, not
     for Kerberos 5 or GSSAPI. Found by Thomas Voigtmann.

   # CHANGES
   * When encountering incorrect headers, fetchmail will refer to the bad-header
     option in the manpage.
     Fixes BerliOS Bug #17272, change suggested by Björn Voigt.
   * Fetchmail now decodes and reports GSSAPI status codes upon errors.
   * Fetchmail now autoprobes NTLM also for POP3.
   * The Fetchmail FAQ has a new item #R15 on authentication failures.

   # INTERNAL CHANGES
   * The common NTLM authentication code was factored out from pop3.c and imap.c.

   # TRANSLATION UPDATES
     [zh_CN] Chinese/simplified (Ji Zheng-Yu)
     [cs]    Czech (Petr Pisar)
     [nl]    Dutch (Erwin Poeze)
     [fr]    French (Frédéric Marchal)
     [de]    German
     [it]    Italian (Vincenzo Campanella)
     [ja]    Japanese (Takeshi Hamasaki)
     [pl]    Polish (Jakub Bogusz)
     [sk]    Slovak (Marcel Telka)

4 files changed, 10 insertions, 36 deletions

diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index 54f117be19e..9c232d46cea 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.174 2011/03/20 01:38:35 shattered Exp $
+# $NetBSD: Makefile,v 1.174.2.1 2011/06/13 08:47:55 sbd Exp $
 
 # Note to updaters: mail/fetchmailconf reaches over here, make sure it builds.
-DISTNAME=	fetchmail-6.3.17
-PKGREVISION=	2
+DISTNAME=	fetchmail-6.3.20
 CATEGORIES=	mail
 MASTER_SITES=	http://download.berlios.de/fetchmail/
 EXTRACT_SUFX=	.tar.bz2
@@ -30,17 +29,13 @@ CFLAGS.Darwin+=		-DBIND_8_COMPAT -DHAVE_RESOLV_H
 
 .include "options.mk"
 
+TEST_TARGET=	check
+
 DOCDIR=		${PREFIX}/share/doc/fetchmail
 RCD_SCRIPTS=	fetchmail
 
 .include "../../devel/gettext-lib/buildlink3.mk"
 
-post-extract:
-	@${RM} -f ${WRKSRC}/intl/libintl.h
-.if ${OPSYS} == "NetBSD"
-	@${RM} -f ${WRKSRC}/md5.h
-.endif
-
 .if defined(REPLACE_KERBEROS_LIBS)
 pre-configure:
 	cd ${WRKSRC} && \
diff --git a/mail/fetchmail/distinfo b/mail/fetchmail/distinfo
index 35fbe8c1abb..b92986765f8 100644
--- a/mail/fetchmail/distinfo
+++ b/mail/fetchmail/distinfo
@@ -1,6 +1,5 @@
-$NetBSD: distinfo,v 1.43 2010/05/09 11:45:28 tron Exp $
+$NetBSD: distinfo,v 1.43.8.1 2011/06/13 08:47:55 sbd Exp $
 
-SHA1 (fetchmail-6.3.17.tar.bz2) = d9ffc9a43f08f9ee9394a959834606eb41141d47
-RMD160 (fetchmail-6.3.17.tar.bz2) = a908da76b9d729dee7c6457b89a342be677bd690
-Size (fetchmail-6.3.17.tar.bz2) = 1642598 bytes
-SHA1 (patch-aa) = 9885a4f063b428d68c7bff06c1402571f0e21c82
+SHA1 (fetchmail-6.3.20.tar.bz2) = 797b5b0050763ad111c244aba606b2fcb4dfdaad
+RMD160 (fetchmail-6.3.20.tar.bz2) = 1262100c4a74a84e9dd969e4ab4902771752dbe5
+Size (fetchmail-6.3.20.tar.bz2) = 1723623 bytes
diff --git a/mail/fetchmail/patches/patch-aa b/mail/fetchmail/patches/patch-aa
deleted file mode 100644
index c8ff87430d9..00000000000
--- a/mail/fetchmail/patches/patch-aa
+++ /dev/null
@@ -1,20 +0,0 @@
-$NetBSD: patch-aa,v 1.8 2010/05/09 11:45:28 tron Exp $
-
-Don't complain about insecure connection if a SSL fingerprint is provided.
-Patch taken from here:
-
-http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg780308.html
-
---- socket.c.orig	2010-04-30 00:29:05.000000000 +0100
-+++ socket.c	2010-05-09 12:40:58.000000000 +0100
-@@ -1009,8 +1009,8 @@
- 		}
- 	}
- 
--	if (!certck && (SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK
--|| !_verify_ok)) {
-+	if (!certck && !fingerprint &&
-+		(SSL_get_verify_result(_ssl_context[sock]) != X509_V_OK || !_verify_ok)) {
- 		report(stderr, GT_("Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)\n"));
- 	}
- 
diff --git a/mail/fetchmailconf/Makefile b/mail/fetchmailconf/Makefile
index 13e327ab56f..9c683b2cff6 100644
--- a/mail/fetchmailconf/Makefile
+++ b/mail/fetchmailconf/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.79 2010/05/09 11:54:21 tron Exp $
+# $NetBSD: Makefile,v 1.79.8.1 2011/06/13 08:47:56 sbd Exp $
 
-DISTNAME=	fetchmail-6.3.17
+DISTNAME=	fetchmail-6.3.20
 PKGNAME=	${DISTNAME:S/fetchmail/fetchmailconf/}
 CATEGORIES=	mail
 MASTER_SITES=	http://download.berlios.de/fetchmail/