rpms/fetchmail
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fetchmail-6.4.24-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-05-10 03:07:54 -04:00 committed by Stepan Oksanichenko
parent ad370f3f4b
commit d233ea02cb
8 changed files with 24 additions and 891 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.fetchmail.metadata
View File

@ -1 +1 @@
de8dbe62a8edfa232ee4278257a1fe67aa1c797a SOURCES/fetchmail-6.3.26.tar.xz
e26d63637e1e016f93a1e75fa0131be63b274a79 SOURCES/fetchmail-6.4.24.tar.xz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/fetchmail-6.3.26.tar.xz
SOURCES/fetchmail-6.4.24.tar.xz

36
SOURCES/fetchmail-6.3.24-sslv3-in-ssllib-check.patch
View File

@ -1,36 +0,0 @@
diff -up fetchmail-6.3.24/config.h.in.orig fetchmail-6.3.24/config.h.in
--- fetchmail-6.3.24/config.h.in.orig 2017-06-13 10:14:37.783983820 +0200
+++ fetchmail-6.3.24/config.h.in 2017-06-13 10:15:38.532996937 +0200
@@ -53,6 +53,10 @@
if you don't. */
#undef HAVE_DECL_SSLV2_CLIENT_METHOD
+/* Define to 1 if you have the declaration of `SSLv3_client_method', and to 0
+ if you don't. */
+#undef HAVE_DECL_SSLV3_CLIENT_METHOD
+
/* Define to 1 if you have the declaration of `strerror', and to 0 if you
don't. */
#undef HAVE_DECL_STRERROR
diff -up fetchmail-6.3.24/configure.orig fetchmail-6.3.24/configure
--- fetchmail-6.3.24/configure.orig 2017-06-13 10:23:06.824111065 +0200
+++ fetchmail-6.3.24/configure 2017-06-13 10:23:43.308129006 +0200
@@ -10133,6 +10133,18 @@ cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SSLV2_CLIENT_METHOD $ac_have_decl
_ACEOF
+ ac_fn_c_check_decl "$LINENO" "SSLv3_client_method" "ac_cv_have_decl_SSLv3_client_method" "#include <openssl/ssl.h>
+"
+if test "x$ac_cv_have_decl_SSLv3_client_method" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SSLV3_CLIENT_METHOD $ac_have_decl
+_ACEOF
+
;;
esac

94
SOURCES/fetchmail-6.3.26-options-usage-manpage.patch
View File

@ -1,94 +0,0 @@
diff -up fetchmail-6.3.26/fetchmail.man.orig fetchmail-6.3.26/fetchmail.man
--- fetchmail-6.3.26/fetchmail.man.orig 2016-04-27 13:18:17.911459399 +0200
+++ fetchmail-6.3.26/fetchmail.man 2016-04-27 13:29:35.300958501 +0200
@@ -164,6 +164,9 @@ Some special options are not covered her
in sections on AUTHENTICATION and DAEMON MODE which follow.
.SS General Options
.TP
+.B \-? | \-\-help
+Displays option help.
+.TP
.B \-V | \-\-version
Displays the version information for your copy of \fBfetchmail\fP. No mail
fetch is performed. Instead, for each server specified, all the option
@@ -1061,7 +1064,7 @@ sent to 'username\&@\&userhost.userdom.d
\fIDelivered\-To:\fR line of the form:
.IP
Delivered\-To: mbox\-userstr\-username\&@\&userhost.example.com
-.PP
+.IP
The ISP can make the 'mbox\-userstr\-' prefix anything they choose
but a string matching the user host name is likely.
By using the option 'envelope Delivered\-To:' you can make fetchmail reliably
@@ -1075,6 +1078,10 @@ specified, and dump a configuration repo
configuration report is a data structure assignment in the language
Python. This option is meant to be used with an interactive
\fI~/.fetchmailrc\fP editor like \fBfetchmailconf\fP, written in Python.
+.TP
+.B \-y | \-\-yydebug
+Enables parser debugging, this option is meant to be used by developers
+only.
.SS Removed Options
.TP
@@ -1360,6 +1367,8 @@ authentication or multiple timeouts.
.SS Terminating the background daemon
.PP
The option
+.B \-q
+or
.B \-\-quit
will kill a running daemon process instead of waking it up (if there
is no such process, \fBfetchmail\fP will notify you).
@@ -1916,7 +1925,7 @@ T}
mda \-m \& T{
Specify MDA for local delivery
T}
-bsmtp \-o \& T{
+bsmtp \& \& T{
Specify BSMTP batch file to append to
T}
preconnect \& \& T{
diff -up fetchmail-6.3.26/options.c.orig fetchmail-6.3.26/options.c
--- fetchmail-6.3.26/options.c.orig 2016-04-27 13:00:59.001360077 +0200
+++ fetchmail-6.3.26/options.c 2016-04-27 13:17:48.325350247 +0200
@@ -58,9 +58,9 @@ enum {
LA_BADHEADER
};
-/* options still left: CgGhHjJoORTWxXYz */
+/* options still left: ACgGhHjJoORTWxXYz */
static const char *shortoptions =
- "?Vcsvd:NqL:f:i:p:UP:A:t:E:Q:u:akKFnl:r:S:Z:b:B:e:m:I:M:yw:D:";
+ "?Vcsvd:NqL:f:i:p:UP:t:E:Q:u:akKFnl:r:S:Z:b:B:e:m:I:M:yw:D:";
static const struct option longoptions[] = {
/* this can be const because all flag fields are 0 and will never get set */
@@ -630,6 +630,7 @@ int parsecmdline (int argc /** argument
P(GT_(" -q, --quit kill daemon process\n"));
P(GT_(" -L, --logfile specify logfile name\n"));
P(GT_(" --syslog use syslog(3) for most messages when running as a daemon\n"));
+ P(GT_(" --nosyslog turns off use of syslog(3)\n"));
P(GT_(" --invisible don't write Received & enable host spoofing\n"));
P(GT_(" -f, --fetchmailrc specify alternate run control file\n"));
P(GT_(" -i, --idfile specify alternate UIDs file\n"));
@@ -658,8 +659,9 @@ int parsecmdline (int argc /** argument
P(GT_(" --bad-header {reject|accept}\n"
" specify policy for handling messages with bad headers\n"));
- P(GT_(" -p, --protocol specify retrieval protocol (see man page)\n"));
+ P(GT_(" -p, --proto[col] specify retrieval protocol (see man page)\n"));
P(GT_(" -U, --uidl force the use of UIDLs (pop3 only)\n"));
+ P(GT_(" --idle tells the IMAP server to send notice of new messages\n"));
P(GT_(" --port TCP port to connect to (obsolete, use --service)\n"));
P(GT_(" -P, --service TCP service to connect to (can be numeric TCP port)\n"));
P(GT_(" --auth authentication type (password/kerberos/ssh/otp)\n"));
@@ -669,7 +671,7 @@ int parsecmdline (int argc /** argument
P(GT_(" --principal mail service principal\n"));
P(GT_(" --tracepolls add poll-tracing information to Received header\n"));
- P(GT_(" -u, --username specify users's login on server\n"));
+ P(GT_(" -u, --user[name] specify users's login on server\n"));
P(GT_(" -a, --[fetch]all retrieve old and new messages\n"));
P(GT_(" -K, --nokeep delete new messages after retrieval\n"));
P(GT_(" -k, --keep save new messages after retrieval\n"));

742
SOURCES/fetchmail-6.3.26-ssl-backport.patch
View File

@ -1,742 +0,0 @@
diff -up fetchmail-6.3.26/configure.ac.orig fetchmail-6.3.26/configure.ac
--- fetchmail-6.3.26/configure.ac.orig 2013-04-23 22:51:10.000000000 +0200
+++ fetchmail-6.3.26/configure.ac 2016-05-02 14:14:34.908139601 +0200
@@ -803,6 +803,7 @@ fi
case "$LIBS" in *-lssl*)
AC_CHECK_DECLS([SSLv2_client_method],,,[#include <openssl/ssl.h>])
+ AC_CHECK_DECLS([SSLv3_client_method],,,[#include <openssl/ssl.h>])
;;
esac
diff -up fetchmail-6.3.26/fetchmail.c.orig fetchmail-6.3.26/fetchmail.c
--- fetchmail-6.3.26/fetchmail.c.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/fetchmail.c 2016-05-02 14:14:34.908139601 +0200
@@ -263,6 +263,12 @@ int main(int argc, char **argv)
#ifdef SSL_ENABLE
"+SSL"
#endif
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 == 0
+ "-SSLv2"
+#endif
+#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 == 0
+ "-SSLv3"
+#endif
#ifdef OPIE_ENABLE
"+OPIE"
#endif /* OPIE_ENABLE */
diff -up fetchmail-6.3.26/fetchmail.h.orig fetchmail-6.3.26/fetchmail.h
--- fetchmail-6.3.26/fetchmail.h.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/fetchmail.h 2016-05-02 14:14:34.905139590 +0200
@@ -771,9 +771,9 @@ int servport(const char *service);
int fm_getaddrinfo(const char *node, const char *serv, const struct addrinfo *hints, struct addrinfo **res);
void fm_freeaddrinfo(struct addrinfo *ai);
-/* prototypes from tls.c */
-int maybe_tls(struct query *ctl);
-int must_tls(struct query *ctl);
+/* prototypes from starttls.c */
+int maybe_starttls(struct query *ctl);
+int must_starttls(struct query *ctl);
/* prototype from rfc822valid.c */
int rfc822_valid_msgid(const unsigned char *);
diff -up fetchmail-6.3.26/fetchmail.man.orig fetchmail-6.3.26/fetchmail.man
--- fetchmail-6.3.26/fetchmail.man.orig 2013-04-23 22:51:17.000000000 +0200
+++ fetchmail-6.3.26/fetchmail.man 2016-05-02 14:14:34.906139594 +0200
@@ -412,23 +412,22 @@ from. The folder information is written
.B \-\-ssl
(Keyword: ssl)
.br
-Causes the connection to the mail server to be encrypted
-via SSL. Connect to the server using the specified base protocol over a
-connection secured by SSL. This option defeats opportunistic starttls
-negotiation. It is highly recommended to use \-\-sslproto 'SSL3'
-\-\-sslcertck to validate the certificates presented by the server and
-defeat the obsolete SSLv2 negotiation. More information is available in
-the \fIREADME.SSL\fP file that ships with fetchmail.
-.IP
-Note that fetchmail may still try to negotiate SSL through starttls even
-if this option is omitted. You can use the \-\-sslproto option to defeat
-this behavior or tell fetchmail to negotiate a particular SSL protocol.
+Causes the connection to the mail server to be encrypted via SSL, by
+negotiating SSL directly after connecting (SSL-wrapped mode). It is
+highly recommended to use \-\-sslcertck to validate the certificates
+presented by the server. Please see the description of \-\-sslproto
+below! More information is available in the \fIREADME.SSL\fP file that
+ships with fetchmail.
+.IP
+Note that even if this option is omitted, fetchmail may still negotiate
+SSL in-band for POP3 or IMAP, through the STLS or STARTTLS feature. You
+can use the \-\-sslproto option to modify that behavior.
.IP
If no port is specified, the connection is attempted to the well known
port of the SSL version of the base protocol. This is generally a
different port than the port used by the base protocol. For IMAP, this
is port 143 for the clear protocol and port 993 for the SSL secured
-protocol, for POP3, it is port 110 for the clear text and port 995 for
+protocol; for POP3, it is port 110 for the clear text and port 995 for
the encrypted variant.
.IP
If your system lacks the corresponding entries from /etc/services, see
@@ -470,39 +469,77 @@ cause some complications in daemon mode.
.IP
Also see \-\-sslcert above.
.TP
-.B \-\-sslproto <name>
+.B \-\-sslproto <value>
(Keyword: sslproto)
.br
-Forces an SSL/TLS protocol. Possible values are \fB''\fP,
-\&'\fBSSL2\fP' (not supported on all systems),
-\&'\fBSSL23\fP', (use of these two values is discouraged
-and should only be used as a last resort) \&'\fBSSL3\fP', and
-\&'\fBTLS1\fP'. The default behaviour if this option is unset is: for
-connections without \-\-ssl, use \&'\fBTLS1\fP' so that fetchmail will
-opportunistically try STARTTLS negotiation with TLS1. You can configure
-this option explicitly if the default handshake (TLS1 if \-\-ssl is not
-used) does not work for your server.
-.IP
-Use this option with '\fBTLS1\fP' value to enforce a STARTTLS
-connection. In this mode, it is highly recommended to also use
-\-\-sslcertck (see below). Note that this will then cause fetchmail
-v6.3.19 to force STARTTLS negotiation even if it is not advertised by
-the server.
-.IP
-To defeat opportunistic TLSv1 negotiation when the server advertises
-STARTTLS or STLS, and use a cleartext connection use \fB''\fP. This
-option, even if the argument is the empty string, will also suppress the
-diagnostic 'SERVER: opportunistic upgrade to TLS.' message in verbose
-mode. The default is to try appropriate protocols depending on context.
+This option has a dual use, out of historic fetchmail behaviour. It
+controls both the SSL/TLS protocol version and, if \-\-ssl is not
+specified, the STARTTLS behaviour (upgrading the protocol to an SSL or
+TLS connection in-band). Some other options may however make TLS
+mandatory.
+.PP
+Only if this option and \-\-ssl are both missing for a poll, there will
+be opportunistic TLS for POP3 and IMAP, where fetchmail will attempt to
+upgrade to TLSv1 or newer.
+.PP
+Recognized values for \-\-sslproto are given below. You should normally
+chose one of the auto-negotiating options, i. e. '\fBauto\fP' or one of
+the options ending in a plus (\fB+\fP) character. Note that depending
+on OpenSSL library version and configuration, some options cause
+run-time errors because the requested SSL or TLS versions are not
+supported by the particular installed OpenSSL library.
+.RS
+.IP "\fB''\fP, the empty string"
+Disable STARTTLS. If \-\-ssl is given for the same server, log an error
+and pretend that '\fBauto\fP' had been used instead.
+.IP '\fBauto\fP'
+(default). Require TLS. Auto-negotiate TLSv1 or newer, disable SSLv3 downgrade.
+(previous releases of fetchmail have auto-negotiated all protocols that
+their OpenSSL library supported, including the broken SSLv3).
+.IP "\&'\fBSSL23\fP'
+see '\fBauto\fP'.
+.IP \&'\fBSSL2\fP'
+Require SSLv2 exactly. SSLv2 is broken, not supported on all systems, avoid it
+if possible. This will make fetchmail negotiate SSLv2 only, and is the
+only way to have fetchmail permit SSLv2.
+.IP \&'\fBSSL3\fP'
+Require SSLv3 exactly. SSLv3 is broken, not supported on all systems, avoid it
+if possible. This will make fetchmail negotiate SSLv3 only, and is the
+only way besides '\fBSSL3+\fP' to have fetchmail permit SSLv3.
+.IP \&'\fBSSL3+\fP'
+same as '\fBauto\fP', but permit SSLv3 as well. This is the only way
+besides '\fBSSL3\fP' to have fetchmail permit SSLv3.
+.IP \&'\fBTLS1\fP'
+Require TLSv1. This does not negotiate TLSv1.1 or newer, and is
+discouraged. Replace by TLS1+ unless the latter chokes your server.
+.IP \&'\fBTLS1+\fP'
+See '\fBauto\fP'.
+.IP \&'\fBTLS1.1\fP'
+Require TLS v1.1 exactly.
+.IP \&'\fBTLS1.1+\fP'
+Require TLS. Auto-negotiate TLSv1.1 or newer.
+.IP \&'\fBTLS1.2\fP'
+Require TLS v1.2 exactly.
+.IP '\fBTLS1.2+\fP'
+Require TLS. Auto-negotiate TLSv1.2 or newer.
+.IP "Unrecognized parameters"
+are treated the same as '\fBauto\fP'.
+.RE
+.IP
+NOTE: you should hardly ever need to use anything other than '' (to
+force an unencrypted connection) or 'auto' (to enforce TLS).
.TP
.B \-\-sslcertck
(Keyword: sslcertck)
.br
-Causes fetchmail to strictly check the server certificate against a set of
-local trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
-options). If the server certificate cannot be obtained or is not signed by one
-of the trusted ones (directly or indirectly), the SSL connection will fail,
-regardless of the \fBsslfingerprint\fP option.
+Causes fetchmail to require that SSL/TLS be used and disconnect if it
+can not successfully negotiate SSL or TLS, or if it cannot successfully
+verify and validate the certificate and follow it to a trust anchor (or
+trusted root certificate). The trust anchors are given as a set of local
+trusted certificates (see the \fBsslcertfile\fP and \fBsslcertpath\fP
+options). If the server certificate cannot be obtained or is not signed
+by one of the trusted ones (directly or indirectly), fetchmail will
+disconnect, regardless of the \fBsslfingerprint\fP option.
.IP
Note that CRL (certificate revocation lists) are only supported in
OpenSSL 0.9.7 and newer! Your system clock should also be reasonably
@@ -1202,31 +1239,33 @@ capability response. Specify a user opti
username and the part to the right as the NTLM domain.
.SS Secure Socket Layers (SSL) and Transport Layer Security (TLS)
+.PP All retrieval protocols can use SSL or TLS wrapping for the
+transport. Additionally, POP3 and IMAP retrival can also negotiate
+SSL/TLS by means of STARTTLS (or STLS).
.PP
Note that fetchmail currently uses the OpenSSL library, which is
severely underdocumented, so failures may occur just because the
programmers are not aware of OpenSSL's requirement of the day.
For instance, since v6.3.16, fetchmail calls
OpenSSL_add_all_algorithms(), which is necessary to support certificates
-using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in the
-documentation and not at all obvious. Please do not hesitate to report
-subtle SSL failures.
-.PP
-You can access SSL encrypted services by specifying the \-\-ssl option.
-You can also do this using the "ssl" user option in the .fetchmailrc
-file. With SSL encryption enabled, queries are initiated over a
-connection after negotiating an SSL session, and the connection fails if
-SSL cannot be negotiated. Some services, such as POP3 and IMAP, have
+using SHA256 on OpenSSL 0.9.8 -- this information is deeply hidden in
+the documentation and not at all obvious. Please do not hesitate to
+report subtle SSL failures.
+.PP
+You can access SSL encrypted services by specifying the options starting
+with \-\-ssl, such as \-\-ssl, \-\-sslproto, \-\-sslcertck, and others.
+You can also do this using the corresponding user options in the .fetchmailrc
+file. Some services, such as POP3 and IMAP, have
different well known ports defined for the SSL encrypted services. The
encrypted ports will be selected automatically when SSL is enabled and
-no explicit port is specified. The \-\-sslproto 'SSL3' option should be
-used to select the SSLv3 protocol (default if unset: v2 or v3). Also,
-the \-\-sslcertck command line or sslcertck run control file option
-should be used to force strict certificate checking - see below.
+no explicit port is specified. Also, the \-\-sslcertck command line or
+sslcertck run control file option should be used to force strict
+certificate checking - see below.
.PP
If SSL is not configured, fetchmail will usually opportunistically try to use
-STARTTLS. STARTTLS can be enforced by using \-\-sslproto "TLS1". TLS
-connections use the same port as the unencrypted version of the
+STARTTLS. STARTTLS can be enforced by using \-\-sslproto\~auto and
+defeated by using \-\-sslproto\~''.
+TLS connections use the same port as the unencrypted version of the
protocol and negotiate TLS via special command. The \-\-sslcertck
command line or sslcertck run control file option should be used to
force strict certificate checking - see below.
diff -up fetchmail-6.3.26/imap.c.orig fetchmail-6.3.26/imap.c
--- fetchmail-6.3.26/imap.c.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/imap.c 2016-05-02 14:14:34.906139594 +0200
@@ -405,6 +405,8 @@ static int imap_getauth(int sock, struct
/* apply for connection authorization */
{
int ok = 0;
+ char *commonname;
+
(void)greeting;
/*
@@ -429,25 +431,21 @@ static int imap_getauth(int sock, struct
return(PS_SUCCESS);
}
-#ifdef SSL_ENABLE
- if (maybe_tls(ctl)) {
- char *commonname;
-
- commonname = ctl->server.pollname;
- if (ctl->server.via)
- commonname = ctl->server.via;
- if (ctl->sslcommonname)
- commonname = ctl->sslcommonname;
+ commonname = ctl->server.pollname;
+ if (ctl->server.via)
+ commonname = ctl->server.via;
+ if (ctl->sslcommonname)
+ commonname = ctl->sslcommonname;
- if (strstr(capabilities, "STARTTLS")
- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
+#ifdef SSL_ENABLE
+ if (maybe_starttls(ctl)) {
+ if ((strstr(capabilities, "STARTTLS") && maybe_starttls(ctl))
+ || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
{
- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
- * protocol that will work with STARTTLS. Don't need to worry
- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
- * (see below). */
+ /* Don't need to worry whether TLS is mandatory or
+ * opportunistic unless SSLOpen() fails (see below). */
if (gen_transact(sock, "STARTTLS") == PS_SUCCESS
- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename)) != -1)
{
@@ -470,7 +468,7 @@ static int imap_getauth(int sock, struct
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
- } else if (must_tls(ctl)) {
+ } else if (must_starttls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
set_timeout(0);
@@ -492,6 +490,10 @@ static int imap_getauth(int sock, struct
/* Usable. Proceed with authenticating insecurely. */
}
}
+ } else {
+ if (strstr(capabilities, "STARTTLS") && outlevel >= O_VERBOSE) {
+ report(stdout, GT_("%s: WARNING: server offered STARTTLS but sslproto '' given.\n"), commonname);
+ }
}
#endif /* SSL_ENABLE */
diff -up fetchmail-6.3.26/Makefile.am.orig fetchmail-6.3.26/Makefile.am
--- fetchmail-6.3.26/Makefile.am.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/Makefile.am 2016-05-02 14:14:34.906139594 +0200
@@ -31,7 +31,7 @@ libfm_a_SOURCES= xmalloc.c base64.c rfc8
servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
libesmtp/gethostbyname.h libesmtp/gethostbyname.c \
- smbtypes.h fm_getaddrinfo.c tls.c rfc822valid.c \
+ smbtypes.h fm_getaddrinfo.c starttls.c rfc822valid.c \
xmalloc.h sdump.h sdump.c x509_name_match.c \
fm_strl.h md5c.c
if NTLM_ENABLE
diff -up fetchmail-6.3.26/Makefile.in.orig fetchmail-6.3.26/Makefile.in
--- fetchmail-6.3.26/Makefile.in.orig 2013-04-23 23:36:56.000000000 +0200
+++ fetchmail-6.3.26/Makefile.in 2016-05-02 14:14:34.906139594 +0200
@@ -97,14 +97,14 @@ am__libfm_a_SOURCES_DIST = xmalloc.c bas
rfc2047e.c servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
x509_name_match.c fm_strl.h md5c.c ntlmsubr.c
@NTLM_ENABLE_TRUE@am__objects_1 = ntlmsubr.$(OBJEXT)
am_libfm_a_OBJECTS = xmalloc.$(OBJEXT) base64.$(OBJEXT) \
rfc822.$(OBJEXT) report.$(OBJEXT) rfc2047e.$(OBJEXT) \
servport.$(OBJEXT) smbdes.$(OBJEXT) smbencrypt.$(OBJEXT) \
smbmd4.$(OBJEXT) smbutil.$(OBJEXT) gethostbyname.$(OBJEXT) \
- fm_getaddrinfo.$(OBJEXT) tls.$(OBJEXT) rfc822valid.$(OBJEXT) \
+ fm_getaddrinfo.$(OBJEXT) starttls.$(OBJEXT) rfc822valid.$(OBJEXT) \
sdump.$(OBJEXT) x509_name_match.$(OBJEXT) md5c.$(OBJEXT) \
$(am__objects_1)
libfm_a_OBJECTS = $(am_libfm_a_OBJECTS)
@@ -483,7 +483,7 @@ libfm_a_SOURCES = xmalloc.c base64.c rfc
servport.c ntlm.h smbbyteorder.h smbdes.h smbmd4.h \
smbencrypt.h smbdes.c smbencrypt.c smbmd4.c smbutil.c \
libesmtp/gethostbyname.h libesmtp/gethostbyname.c smbtypes.h \
- fm_getaddrinfo.c tls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
+ fm_getaddrinfo.c starttls.c rfc822valid.c xmalloc.h sdump.h sdump.c \
x509_name_match.c fm_strl.h md5c.c $(am__append_1)
libfm_a_LIBADD = $(EXTRAOBJ)
libfm_a_DEPENDENCIES = $(EXTRAOBJ)
diff -up fetchmail-6.3.26/NEWS.orig fetchmail-6.3.26/NEWS
--- fetchmail-6.3.26/NEWS.orig 2013-04-23 23:35:49.000000000 +0200
+++ fetchmail-6.3.26/NEWS 2016-05-02 14:14:34.907139597 +0200
@@ -53,9 +53,33 @@ removed from a 6.4.0 or newer release.)
fetchmail may switch to a different SSL library.
* SSLv2 support will be removed from a future fetchmail release. It has been
obsolete for more than a decade.
-
+* SSLv3 support may be removed from a future fetchmail release. It has been
+ obsolete for many years and found insecure. Use TLS.
--------------------------------------------------------------------------------
+## SECURITY FIXES THAT AFFECT BEHAVIOUR AND MAY WANT RECONFIGURATION
+* Fetchmail no longer attempts to negotiate SSLv3 by default,
+ even with --sslproto ssl23. Fetchmail can now use SSLv3, or TLSv1.1 or a newer
+ TLS version, with STLS/STARTTLS (it would previously force TLSv1.0). If the
+ OpenSSL version used at build and run-time supports these versions, -sslproto
+ ssl3 can be used to enable this specific version. Doing so is discouraged
+ because these protocols are broken.
+
+ Along the lines suggested - as patch - by Kurt Roeckx, Debian Bug #768843.
+
+ While this change is supposed to be compatible with common configurations,
+ users are advised to change all explicit --sslproto ssl2, --sslproto
+ ssl3, --sslproto tls1 to --sslproto auto, so that they can enable TLSv1.1 and
+ TLSv1.2 on systems with OpenSSL 1.0.1 or newer.
+
+ The --sslproto option now understands the values auto, tls1+, tls1.1+,
+ tls1.2+ (case insensitively).
+
+## CHANGES
+* Fetchmail now supports --sslproto auto and --sslproto tls1+ (same as ssl23).
+* --sslproto tls1.1+ and tls1.2+ are now supported for auto-negotiation with a
+ minimum specified TLS protocol version.
+
fetchmail-6.3.26 (released 2013-04-23, 26180 LoC):
# NOTE THAT FETCHMAIL IS NO LONGER PUBLISHED THROUGH IBIBLIO.
@@ -75,6 +99,11 @@ fetchmail-6.3.26 (released 2013-04-23, 2
Fixes Launchpad Bug#1171818.
+* Fix SSL-enabled build on systems that do not declare SSLv3_client_method().
+ Related to Debian Bug#775255.
+* Version report lists -SSLv3 on +SSL builds that omit SSLv3_client_method().
+* Version report lists -SSLv2 on +SSL builds that omit SSLv2_client_method().
+
# KNOWN BUGS AND WORKAROUNDS
(This section floats upwards through the NEWS file so it stays with the
current release information)
diff -up fetchmail-6.3.26/pop3.c.orig fetchmail-6.3.26/pop3.c
--- fetchmail-6.3.26/pop3.c.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/pop3.c 2016-05-02 14:14:34.907139597 +0200
@@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
flag connection_may_have_tls_errors = FALSE;
+ char *commonname;
#endif /* SSL_ENABLE */
done_capa = FALSE;
@@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct
(ctl->server.authenticate == A_KERBEROS_V5) ||
(ctl->server.authenticate == A_OTP) ||
(ctl->server.authenticate == A_CRAM_MD5) ||
- maybe_tls(ctl))
+ maybe_starttls(ctl))
{
if ((ok = capa_probe(sock)) != PS_SUCCESS)
/* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */
@@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct
(ok == PS_SOCKET && !ctl->wehaveauthed))
{
#ifdef SSL_ENABLE
- if (must_tls(ctl)) {
+ if (must_starttls(ctl)) {
/* fail with mandatory STLS without repoll */
report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n"));
report(stderr, GT_("The CAPA command is however necessary for TLS.\n"));
return ok;
- } else if (maybe_tls(ctl)) {
+ } else if (maybe_starttls(ctl)) {
/* defeat opportunistic STLS */
xfree(ctl->sslproto);
ctl->sslproto = xstrdup("");
@@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct
}
#ifdef SSL_ENABLE
- if (maybe_tls(ctl)) {
- char *commonname;
+ commonname = ctl->server.pollname;
+ if (ctl->server.via)
+ commonname = ctl->server.via;
+ if (ctl->sslcommonname)
+ commonname = ctl->sslcommonname;
- commonname = ctl->server.pollname;
- if (ctl->server.via)
- commonname = ctl->server.via;
- if (ctl->sslcommonname)
- commonname = ctl->sslcommonname;
-
- if (has_stls
- || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */
+ if (maybe_starttls(ctl)) {
+ if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */
{
- /* Use "tls1" rather than ctl->sslproto because tls1 is the only
- * protocol that will work with STARTTLS. Don't need to worry
- * whether TLS is mandatory or opportunistic unless SSLOpen() fails
- * (see below). */
+ /* Don't need to worry whether TLS is mandatory or
+ * opportunistic unless SSLOpen() fails (see below). */
if (gen_transact(sock, "STLS") == PS_SUCCESS
- && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck,
+ && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck,
ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname,
ctl->server.pollname, &ctl->remotename)) != -1)
{
@@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
- } else if (must_tls(ctl)) {
+ } else if (must_starttls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
set_timeout(0);
@@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct
}
}
}
- } /* maybe_tls() */
+ } else { /* maybe_starttls() */
+ if (has_stls && outlevel >= O_VERBOSE) {
+ report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname);
+ }
+ } /* maybe_starttls() */
#endif /* SSL_ENABLE */
/*
diff -up fetchmail-6.3.26/README.SSL.orig fetchmail-6.3.26/README.SSL
--- fetchmail-6.3.26/README.SSL.orig 2013-01-02 23:38:24.000000000 +0100
+++ fetchmail-6.3.26/README.SSL 2016-05-02 14:14:34.907139597 +0200
@@ -11,36 +11,48 @@ specific to fetchmail.
In case of troubles, mail the README.SSL-SERVER file to your ISP and
have them check their server configuration against it.
-Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether
-a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is
-totally SSL-wrapped on a separate port. For compatibility reasons, this cannot
-be fixed in a bugfix release.
+Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether a
+service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4)
+or is totally SSL-wrapped on a separate port. For compatibility
+reasons, this cannot be fixed in a bugfix or minor release.
-- Matthias Andree, 2009-05-09
+Also, fetchmail 6.4.0 and newer releases (this is also true for this release,
+as the changes were backported from upstream - noted by Red Hat) changed
+some of the semantics as the result of a bug-fix, and will auto-negotiate
+TLSv1 or newer only. If your server does not support this, you may have
+to specify --sslproto ssl3. This is in order to prefer the newer TLS
+protocols, because SSLv2 and v3 are broken.
+
+ -- Matthias Andree, 2015-01-16
+
Quickstart
----------
+Use an up-to-date release of OpenSSL 1.0.1 or newer, so as to get
+TLSv1.2 support.
+
For use of SSL or TLS with in-band negotiation on the regular service's port,
i. e. with STLS or STARTTLS, use these command line options
- --sslproto tls1 --sslcertck
+ --sslproto auto --sslcertck
or these options in the rcfile (after the respective "user"... options)
- sslproto tls1 sslcertck
+ sslproto auto sslcertck
For use of SSL or TLS on a separate port, if the whole TCP connection is
-SSL-encrypted from the very beginning, use these command line options (in the
-rcfile, omit all leading "--"):
+SSL-encrypted from the very beginning (SSL- or TLS-wrapped), use these
+command line options (in the rcfile, omit all leading "--"):
- --ssl --sslproto ssl3 --sslcertck
+ --ssl --sslproto auto --sslcertck
or these options in the rcfile (after the respective "user"... options)
- ssl sslproto ssl3 sslcertck
+ ssl sslproto auto sslcertck
Background and use (long version :-))
diff -up fetchmail-6.3.26/socket.c.orig fetchmail-6.3.26/socket.c
--- fetchmail-6.3.26/socket.c.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/socket.c 2016-05-02 14:16:27.711570350 +0200
@@ -876,6 +876,9 @@ int SSLOpen(int sock, char *mycert, char
{
struct stat randstat;
int i;
+ /* disable SSLv2 and SSLv3 by default. SSLv2 can be enabled with '--sslproto ssl2'.
+ SSLv3 can be enabled with '--sslproto ssl3' or '--sslproto ssl3+' */
+ int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
long sslopts = SSL_OP_ALL;
SSL_load_error_strings();
@@ -910,21 +913,61 @@ int SSLOpen(int sock, char *mycert, char
#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
#else
- report(stderr, GT_("Your operating system does not support SSLv2.\n"));
+ report(stderr, GT_("Your OpenSSL version does not support SSLv2.\n"));
return -1;
#endif
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv2;
} else if(!strcasecmp("ssl3",myproto)) {
+#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
+#else
+ report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n"));
+ return -1;
+#endif
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
+ } else if(!strcasecmp("ssl3+",myproto)) {
+ avoid_ssl_versions &= ~SSL_OP_NO_SSLv3;
+ myproto = NULL;
} else if(!strcasecmp("tls1",myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
- } else if (!strcasecmp("ssl23",myproto)) {
+ } else if(!strcasecmp("tls1+",myproto)) {
+ myproto = NULL;
+#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION
+ } else if(!strcasecmp("tls1.1",myproto)) {
+ _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method());
+ } else if(!strcasecmp("tls1.1+",myproto)) {
+ myproto = NULL;
+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
+#else
+ } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) {
+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n"));
+ return -1;
+#endif
+#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION
+ } else if(!strcasecmp("tls1.2",myproto)) {
+ _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method());
+ } else if(!strcasecmp("tls1.2+",myproto)) {
+ myproto = NULL;
+ avoid_ssl_versions |= SSL_OP_NO_TLSv1;
+ avoid_ssl_versions |= SSL_OP_NO_TLSv1_1;
+#else
+ } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) {
+ report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n"));
+ return -1;
+#endif
+ } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) {
myproto = NULL;
} else {
- report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+ report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto);
myproto = NULL;
}
}
+ // do not combine into an else { } as myproto may be nulled
+ // above!
if(!myproto) {
+ // SSLv23 is a misnomer and will in fact use the best
+ // available protocol, subject to SSL_OP_NO*
+ // constraints.
_ctx[sock] = SSL_CTX_new(SSLv23_client_method());
}
if(_ctx[sock] == NULL) {
@@ -938,7 +981,7 @@ int SSLOpen(int sock, char *mycert, char
sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
}
- SSL_CTX_set_options(_ctx[sock], sslopts);
+ SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions);
if (certck) {
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
@@ -1017,6 +1060,24 @@ int SSLOpen(int sock, char *mycert, char
return(-1);
}
+ if (outlevel >= O_VERBOSE) {
+ SSL_CIPHER const *sc;
+ int bitsmax, bitsused;
+
+ const char *ver;
+
+ ver = SSL_get_version(_ssl_context[sock]);
+
+ sc = SSL_get_current_cipher(_ssl_context[sock]);
+ if (!sc) {
+ report (stderr, GT_("Cannot obtain current SSL/TLS cipher - no session established?\n"));
+ } else {
+ bitsused = SSL_CIPHER_get_bits(sc, &bitsmax);
+ report(stdout, GT_("SSL/TLS: using protocol %s, cipher %s, %d/%d secret/processed bits\n"),
+ ver, SSL_CIPHER_get_name(sc), bitsused, bitsmax);
+ }
+ }
+
/* Paranoia: was the callback not called as we expected? */
if (!_depth0ck) {
report(stderr, GT_("Certificate/fingerprint verification was somehow skipped!\n"));
diff -up fetchmail-6.3.26/starttls.c.orig fetchmail-6.3.26/starttls.c
--- fetchmail-6.3.26/starttls.c.orig 2016-05-02 14:14:34.908139601 +0200
+++ fetchmail-6.3.26/starttls.c 2016-05-02 14:14:34.908139601 +0200
@@ -0,0 +1,37 @@
+/** \file tls.c - collect common TLS functionality
+ * \author Matthias Andree
+ * \date 2006
+ */
+
+#include "fetchmail.h"
+
+#include <string.h>
+
+#ifdef HAVE_STRINGS_H
+#include <strings.h>
+#endif
+
+/** return true if user allowed opportunistic STARTTLS/STLS */
+int maybe_starttls(struct query *ctl) {
+#ifdef SSL_ENABLE
+ /* opportunistic or forced TLS */
+ return (!ctl->sslproto || strlen(ctl->sslproto))
+ && !ctl->use_ssl;
+#else
+ (void)ctl;
+ return 0;
+#endif
+}
+
+/** return true if user requires STARTTLS/STLS, note though that this
+ * code must always use a logical AND with maybe_tls(). */
+int must_starttls(struct query *ctl) {
+#ifdef SSL_ENABLE
+ return maybe_starttls(ctl)
+ && (ctl->sslfingerprint || ctl->sslcertck
+ || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
+#else
+ (void)ctl;
+ return 0;
+#endif
+}
diff -up fetchmail-6.3.26/tls.c.orig fetchmail-6.3.26/tls.c
--- fetchmail-6.3.26/tls.c.orig 2013-04-23 22:00:45.000000000 +0200
+++ fetchmail-6.3.26/tls.c 2016-05-02 14:14:34.908139601 +0200
@@ -1,35 +0,0 @@
-/** \file tls.c - collect common TLS functionality
- * \author Matthias Andree
- * \date 2006
- */
-
-#include "fetchmail.h"
-
-#ifdef HAVE_STRINGS_H
-#include <strings.h>
-#endif
-
-/** return true if user allowed TLS */
-int maybe_tls(struct query *ctl) {
-#ifdef SSL_ENABLE
- /* opportunistic or forced TLS */
- return (!ctl->sslproto || !strcasecmp(ctl->sslproto,"tls1"))
- && !ctl->use_ssl;
-#else
- (void)ctl;
- return 0;
-#endif
-}
-
-/** return true if user requires TLS, note though that this code must
- * always use a logical AND with maybe_tls(). */
-int must_tls(struct query *ctl) {
-#ifdef SSL_ENABLE
- return maybe_tls(ctl)
- && (ctl->sslfingerprint || ctl->sslcertck
- || (ctl->sslproto && !strcasecmp(ctl->sslproto, "tls1")));
-#else
- (void)ctl;
- return 0;
-#endif
-}

7
SOURCES/fetchmail-6.3.26.tar.xz.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEABECAAYFAlF2/zAACgkQvmGDOQUufZU65ACgsCpaBSklzY/wF9lYX8xLeOPZ
KFAAniIj07N3WeMmWtOHUcmqbJjbl0QU
=3T6y
-----END PGP SIGNATURE-----

16
SOURCES/fetchmail-6.4.24.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAmGYwTUACgkQ5BKxVu/z
hVqeGA//VRV5nPsdlKbla2N78fFCGX6A7UF2UDFJsivAP3KzQRZWc2YFQ+GQJ3l7
WPhnyeUrfomrv6QAstMEJ4D+Kymga018qOTNmHmaU5I2lToEJV87EAoo5QjlzbwX
wIP7wNapOCAxcOWc4Mux8nR1mH89/TlS+lV2KoHYDVB0zn1KdGvqJYSQUHeDSis+
vVA9Wj6LiKPO4cZ6l5ki3x9qiOyNJ5jqiZPxdJz8mZfY+h18oxMpd7GssXi1utC9
CLt9kbryW0yCPvnetgKOL5OyEbTW6fbWJhggj7eb4YI5M1YBGMe5xfdlUgVznG5b
mfjc5Rb6x709CCtOSxcYgXjDDdyHhTWEP/TiO/FQOWjUgydtTI3yiNBTFbkxsJZw
rOLDLMHkbbrbKULY8uMREFTX0OSLwfM5BC3yG4/OiLizHlkntPcwdWx+5Stp+45E
L3WTPyMzn06yyd84hewgQx8xlYcOBSwZerdILVuAeeRZBCplrAbzBW9rn9/na+Ak
VtzkgSFyPAH63+G+iOEaG3nLeNqxDnlZHtD6youL7HfhON3W2siAodDk+X/omGaB
HDiCs/7HcQGDp8JspDSNqTM7bHPJn9gHGhQxR13ywRSulov1dMwoduL8iIAse1Yp
uqtg1vg4WAI+3ujPs7vGgu+OtD4qy2smo4e6kLNJy0yVVXp2aD8=
=604d
-----END PGP SIGNATURE-----

16
SPECS/fetchmail.spec
View File

@ -1,18 +1,13 @@
Summary: A remote mail retrieval and forwarding utility
Name: fetchmail
Version: 6.3.26
Release: 19%{?dist}
Version: 6.4.24
Release: 1%{?dist}
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz
Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc
# systemd service file
Source2: fetchmail.service
# example configuration file
Source3: fetchmailrc.example
# Improves SSL related options
Patch0: fetchmail-6.3.26-ssl-backport.patch
# Minor fixes of inacurracies in options, usage message and man page (accepted upstream)
Patch1: fetchmail-6.3.26-options-usage-manpage.patch
Patch2: fetchmail-6.3.24-sslv3-in-ssllib-check.patch
URL: http://www.fetchmail.info/
# For a breakdown of the licensing, see COPYING
License: GPL+ and Public Domain
@ -32,9 +27,6 @@ connections.
%prep
%setup -q
%patch0 -p1 -b .ssl-backport
%patch1 -p1 -b .options-usage-manpage
%patch2 -p1 -b .sslv3-in-ssllib-check
%build
%configure --enable-POP3 --enable-IMAP --with-ssl --without-hesiod \
@ -69,6 +61,10 @@ rm -f $RPM_BUILD_ROOT%{python3_sitelib}/fetchmailconf.py*
%config(noreplace) %attr(0600, mail, mail) %{_sysconfdir}/fetchmailrc.example
%changelog
* Tue Dec 14 2021 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.4.24-1
- Update to fetchmail-6.4.24 (fixes CVE-2021-36386 and CVE-2021-39272)
Resolves: #1999275, #2002698
* Wed Nov 28 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 6.3.26-19
- Remove hesiod dependency
Resolves: #1638490