Release Notes: A security issue where a misinterpreted server response could allow DoS and data theft in NTLM authentication was fixed. This issue was reported as CVE-2012-3482. The false disabling of a countermeasure against plaintext attacks in block ciphers was fixed. Various other minor fixes were made.
Release Notes: A denial of service due to a NULL pointer dereference, reported as CVE-2007-4565, was fixed. A denial of service in extra verbose (-v -v) mode, reported as CVE-2008-2711, was fixed. A severe memory leak on failed SSL connection attempts was stuffed. Several other bugs were fixed. Documentation was improved. Translations were updated.
Release Notes: This release fixes a password disclosure vulnerability (CVE-2006-5867) and a crash in certain situations (CVE-2006-5974). It re-reads /etc/resolv.conf at the beginning of a poll cycle, solving DNS issues on computers in changing network environments. The --logfile and --user options had been broken in 6.3.5, and have been repaired. Kerberos/GSSAPI error messages have been improved when support for these systems was not compiled in. Assorted minor fixes have been made.
Release Notes: This release fixes CAN-2005-2335 (a remote code injection vulnerability through a malicious POP3 server's UIDL replies). RFC-821/2821 conformance was fixed by not emitting a blank between MAIL FROM: and the address, which caused mail loss on some sites. The POP2 driver now checks for authentication failures. The APOP/RPOP drivers no longer attempt to get SIZE for a message range. Fetchmail has been handed to new maintainers and has changed its home site.
Release Notes: A remote root vulnerability in POP3/UIDL handling was fixed (CAN-2005-2335, requisite compromised/malicious POP3 server). Tracepolls now works. A socket leak with SSL failures was plugged. The Received: header no longer contains garbage with smtphost set. The PID file is now FHS compliant. --silent now also works for ODMR. Warning emails now have a From: header. IMAP can use passwords of arbitrary length from the rc file. Oversized messages are now deleted with --flush unless in daemon mode. lock_release was renamed to fix a Darwin namespace collision. The manual page was corrected and updated.
Release Notes: An an important security fix was made for a potential remote vulnerability in multidrop mode. The French translation was updated.