fetchmail: lost patch: APOP and default fetchsizelimit
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fetchmail (Debian) | Fix Released | Unknown | |
fetchmail (Ubuntu) | Invalid | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #323027 http://
In Debian Bug tracker #323027, Kai Steverding (kasi) wrote : Please Update the severity | #1 |
In Debian Bug tracker #323027, Kai Steverding (kasi) wrote : Bug 323027 | #2 |
severity 323027 important
In Debian Bug tracker #323027, Nico Golde (nion-gmx) wrote : Re: Bug#327893: fetchmail: Fetchmail 6.2.5-12sarge1 hast broken APOP. Query status=4 (PROTOCOL) | #3 |
merge 323027 327893
* Claudio André Till Clemens <email address hidden> [2005-09-12 23:08]:
> Package: fetchmail
> Version: 6.2.5-12sarge1
> Severity: important
>
> I'm having now problems with the security version of fetchmail,
> 6.2.5-12sarge1. The previous version (6.2.5-12) was working perfectly.
> The problem seems to come only with APOP as Protocol, and only if there
> is more than one message in the pool. When I change to POP3 it works
> again, but that is not an option. fetchmail claims it is always a
> protocol error.
Yes it seems like the new version made by the security team
lost its support for apop :(
> Here the output of fetchmail -vvvvv:
[...]
> I'll try then the version for sid (6.3.5-18). Maybe there is no problem
> with unstable :).
Yes that would be nice, since I am not using apop. Please
report if it works so if it does we can provide a fixed
package.
Regards Nico
--
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://
VIM has two modes - the one in which it beeps
and the one in which it doesn't -- encrypted mail preferred
In Debian Bug tracker #323027, Matthias Andree (matthias-andree) wrote : | #4 |
tags 323027 + grave
In Debian Bug tracker #323027, Matthias Andree (matthias-andree) wrote : | #5 |
severity 323027 grave
Debian Bug Importer (debzilla) wrote : | #6 |
Automatically imported from Debian bug report #323027 http://
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Sun, 14 Aug 2005 10:39:04 +0200
From: Arnaud Giersch <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: fetchmail: lost patch: APOP and default fetchsizelimit
Package: fetchmail
Version: 6.2.5-12sarge1
Severity: normal
Hello,
I use APOP authentication to retrieve my mails with fetchmail. Since
last security update, it doesn't work any more when there are several
mails to fetch:
fetchmail: 4 messages for XXX at XXX (3180 octets).
fetchmail: cannot get a range of message sizes (1-4).
fetchmail: client/server protocol error while fetching from XXX
fetchmail: Query status=4 (PROTOCOL)
A workaround is to add "fetchsizelimit 1" in the procmailrc
configuration file.
A quick diff between fetchmail-6.2.5-12 and fetchmail-
shows that the following patch was lost between the two releases:
diff -Naur fetchmail-
--- fetchmail-
+++ fetchmail-
@@ -426,11 +426,8 @@
/* for POP3, we can get the size of one mail only! Unfortunately, this
* protocol specific test cannot be done elsewhere as the protocol
* could be "auto". */
- switch (ctl->server.
- {
- case P_POP3: case P_APOP: case P_RPOP:
+ if (ctl->server.
- }
/* Time to allocate memory to store the sizes */
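Review bot: the added `if (ctl->server.` line replaces a `switch` whose single arm listed `P_POP3`, `P_APOP` and `P_RPOP` together, so unless the new condition tests all three values, APOP and RPOP sessions fall out of the "size of one mail only" handling that the comment above describes. The condition is cut off in this listing and cannot be checked here; keeping the three-case `switch`, or comparing against all three constants in the `if`, would preserve the behaviour for every POP3 variant. A regression check that fetches more than one message over APOP would catch this kind of loss when a security update is rebased onto a newer upstream tree.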
Regards,
Arnaud
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=
Versions of packages fetchmail depends on:
ii adduser 3.63 Add and remove users and groups
ii base-files 3.1.2 Debian base system miscellaneous f
ii debconf 1.4.30.13 Debian configuration management sy
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Wed, 31 Aug 2005 16:07:23 +0200
From: Kai Steverding <email address hidden>
To: <email address hidden>
Subject: Please Update the severity
The fetchmail package is almost unusable in APOP mode without setting
"fetchlimit 1". If it isn't so easy to change the .fetchmailrc for some
reason there is no way to get your mails via APOP.
Please set the severity to important or even grave
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Wed, 31 Aug 2005 16:20:00 +0200
From: Kai Steverding <email address hidden>
To: <email address hidden>
Subject: Bug 323027
severity 323027 important
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Mon, 12 Sep 2005 23:30:58 +0200
From: Nico Golde <email address hidden>
To: Claudio =?iso-8859-
<email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#327893: fetchmail: Fetchmail 6.2.5-12sarge1 hast broken APOP. Query status=4
(PROTOCOL)
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Sat, 29 Oct 2005 15:31:20 +0200
From: <email address hidden> (Matthias Andree)
To: <email address hidden>
tags 323027 + grave
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sat, 29 Oct 2005 15:54:40 +0200
From: <email address hidden> (Matthias Andree)
To: <email address hidden>
severity 323027 grave
Debian Bug Importer (debzilla) wrote : | #13 |
*** Bug 24759 has been marked as a duplicate of this bug. ***
In Debian Bug tracker #323027, Nico Golde (nico-ngolde) wrote : merging #327893 #323027 | #14 |
merge 327893 323027
# Hi,
# the APOP problem is pretty much the same so I merge the
# bugs.
--
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Sat, 5 Nov 2005 13:10:13 +0100
From: Nico Golde <email address hidden>
To: <email address hidden>
Subject: merging #327893 #323027
In Debian Bug tracker #323027, Loïc Minier (lool) wrote : IMPORTANT: fetchmail regression in 6.2.5-12sarge1 | #16 |
Hi,
While preparing a fix for CVE-2005-3088 (#336096), the Debian bugs
#323027 and #327893 were brought to my attention. It seems to me other
quality fixes were included in the 6.2.5-12sarge1 version, basically
including parts of the upstream "6.2.5.2" stable release and causing
new bugs to appear; I believe this is far too many changes for a
security upload.
I attach "fetchmail_
6.2.5-12 and 6.2.5-12sarge1, for you to recheck you want to include it
completely. My understanding is that the patch in
"fetchmail_
Since I'm preparing sarge2, I propose I revert the changes of sarge1,
except for "fetchmail_
the patch I've already sent you. I can also prepare a stable upload
based on sarge2 with more fixes (possibly all) from the stable upstream
release 6.2.5.4.
Please let me know rapidly whether this suits you.
Cheers,
--
Loïc Minier <email address hidden>
"What do we want? BRAINS! When do we want it? BRAINS!"
In Debian Bug tracker #323027, Nico Golde (nico-ngolde) wrote : Re: Bug#323027: IMPORTANT: fetchmail regression in 6.2.5-12sarge1 | #17 |
Hi,
* Loic Minier <email address hidden> [2005-11-14 20:56]:
> While preparing a fix for CVE-2005-3088 (#336096), the Debian bugs
> #323027 and #327893 were brought to my attention. It seems to me other
> quality fixes were included in the 6.2.5-12sarge1 version, basically
> including parts of the upstream "6.2.5.2" stable release and causing
> new bugs to appear; I believe this is far too many changes for a
> security upload.
What do you think exactly? The changes from 6.2.5.2 fixed
CVE-2005-2335, Steve Kemp prepared the fixed package.
But you are right it seems that some things are broken, for
example the apop support.
> I attach "fetchmail_
> 6.2.5-12 and 6.2.5-12sarge1, for you to recheck you want to include it
> completely. My understanding is that the patch in
> "fetchmail_
yes
> Since I'm preparing sarge2, I propose I revert the changes of sarge1,
> except for "fetchmail_
> the patch I've already sent you. I can also prepare a stable upload
> based on sarge2 with more fixes (possibly all) from the stable upstream
> release 6.2.5.4.
>
> Please let me know rapidly whether this suits you.
[...]
Ok with me.
Regards Nico
--
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Mon, 14 Nov 2005 21:06:47 +0100
From: Nico Golde <email address hidden>
To: Loic Minier <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#323027: IMPORTANT: fetchmail regression in 6.2.5-12sarge1
In Debian Bug tracker #323027, Loïc Minier (lool) wrote : | #19 |
On Mon, Nov 14, 2005, Nico Golde wrote:
> What do you think exactly? The changes from 6.2.5.2 fixed
> CVE-2005-2335, Steve Kemp prepared the fixed package.
> But you are right it seems that some things are broken, for
> example the apop support.
I think the changes in 6.2.5.2 included a fix for CVE-2005-2335, and
only this fix should have been uploaded.
Now that sarge2 is already on the tracks, I propose to prepare a sarge3
with everything from sarge1 reverted and fetchmail_
applied instead (along with patch.CVE-
Security team, please ack the proposed changes.
Alternatively, we could live with the regression and I could prepare a
stable upload with all fixes from 6.2.5.4.
Bye,
--
Loïc Minier <email address hidden>
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Tue, 15 Nov 2005 09:17:26 +0100
From: Loic Minier <email address hidden>
To: Nico Golde <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#323027: IMPORTANT: fetchmail regression in 6.2.5-12sarge1
In Debian Bug tracker #323027, Nico Golde (nico-ngolde) wrote : APOP support | #21 |
Hi,
can you check if the APOP support is working with the
latest version in sarge (sarge3)?
Regards Nico
--
Nico Golde - JAB: <email address hidden> | GPG: 0x73647CFF
http://
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
Martin Pitt (pitti) wrote : | #22 |
We only applied the minimal patch, so this does not affect us.
Debian Bug Importer (debzilla) wrote : | #23 |
Message-ID: <email address hidden>
Date: Mon, 21 Nov 2005 08:56:58 +0100
From: Nico Golde <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: APOP support
In Debian Bug tracker #323027, Hector Garcia (hector-debian) wrote : | #24 |
merge 323027 327893
thanks
In Debian Bug tracker #323027, Hector Garcia (hector-debian) wrote : Closing fixed bug | #25 |
Hi,
This bug was fixed on version 6.2.5-12sarge3 uploaded by the security
team.
Thanks for reporting bugs,
Héctor
Debian Bug Importer (debzilla) wrote : | #26 |
Message-Id: <email address hidden>
Date: Mon, 09 Jan 2006 11:11:49 +0100
From: =?ISO-8859-
To: <email address hidden>
Subject:
Debian Bug Importer (debzilla) wrote : | #27 |
Message-Id: <email address hidden>
Date: Mon, 09 Jan 2006 11:43:49 +0100
From: =?ISO-8859-
To: <email address hidden>
Subject: Closing fixed bug