| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| fetchmail-6.6.5.tar.xz.asc | 2026-06-17 | 833 Bytes | |
| README.txt | 2026-06-17 | 1.8 kB | |
| fetchmail-6.6.5.tar.xz | 2026-06-17 | 1.1 MB | |
| fetchmail-6.6.4.tar.xz.asc | 2026-05-08 | 833 Bytes | |
| fetchmail-6.6.4.tar.xz | 2026-05-08 | 1.1 MB | |
| fetchmail-6.6.3.tar.xz.asc | 2026-04-01 | 833 Bytes | |
| fetchmail-6.6.3.tar.xz | 2026-04-01 | 1.1 MB | |
| fetchmail-6.6.2.tar.xz.asc | 2025-12-09 | 833 Bytes | |
| fetchmail-6.6.2.tar.xz | 2025-12-09 | 1.1 MB | |
| fetchmail-6.6.1.tar.xz.asc | 2025-11-12 | 833 Bytes | |
| fetchmail-6.6.1.tar.xz | 2025-11-12 | 1.1 MB | |
| fetchmail-6.6.0.tar.xz.asc | 2025-10-27 | 833 Bytes | |
| fetchmail-6.6.0.tar.xz | 2025-10-27 | 1.1 MB | |
| Totals: 13 Items | | 6.5 MB | 338 |

fetchmail-6.6.5 (released 2026-06-17, 32433 LoC):

## SECURITY BUGFIX
* POP3 with RPA: fix calculation of buffer sizes to avoid buffer overflow
  on long service challenges with long user IDs, which would smash our stack.
  Triggering this requires all of the following:
  1. RPA is enabled at compile time (non-default, which is discouraged in
     autotools, and possible but not documented nor supported in meson),
  2. the username (--user option, or user in the rcfile) contains
     @compuserve.com anywhere,
  3. the server supports an AUTH command without arguments (which is a
     non-standard local extension), and
  4. the server offers RPA authentication in response to that command.

  This was reported based on an incomplete semi-wrong AI report with an
  incomplete fix "recommendation" by zhangph12138@outlook.com via
  fetchmail-devel@.  The fix suggested in that AI report was wrong, and
  would happily crash a few lines later again.  The fix deployed calculates
  the buffer size of "workarea" variables based on the sizeof() of constituent
  components.
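
The sizing approach described in this entry, as an added illustration that is not fetchmail's rpa.c code: the struct, its field sizes and the function names are hypothetical and constructed for this example. It also length-checks every copy, which is an addition here and not something the release note states about the fix.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical component limits, constructed for this example
 * (not the field sizes used in fetchmail's rpa.c). */
struct parts {
    unsigned char challenge[128]; /* server-supplied service challenge */
    unsigned char user_id[256];   /* from --user or the rcfile */
    unsigned char timestamp[14];
};
#define MSIZE(m) (sizeof(((struct parts *)0)->m))

/* Work area sized from its constituents: widening any member widens
 * the work area too, so the two cannot drift apart. */
#define WORKAREA_SIZE (MSIZE(challenge) + MSIZE(user_id) + MSIZE(timestamp))

/* Bounded append: returns 0 on success, -1 if len does not fit. */
static int put(unsigned char *dst, size_t cap, size_t *off,
               const void *src, size_t len)
{
    if (*off > cap || len > cap - *off)
        return -1;
    memcpy(dst + *off, src, len);
    *off += len;
    return 0;
}

/* Concatenate challenge | user_id | timestamp into out.
 * Returns the number of bytes written, or -1 when an input exceeds
 * its component limit or out is too small. */
long build_workarea(unsigned char *out, size_t cap,
                    const unsigned char *chal, size_t chal_len,
                    const unsigned char *user, size_t user_len,
                    const unsigned char *ts, size_t ts_len)
{
    size_t off = 0;

    /* Reject untrusted lengths before any copy takes place. */
    if (chal_len > MSIZE(challenge) || user_len > MSIZE(user_id)
        || ts_len > MSIZE(timestamp))
        return -1;
    if (put(out, cap, &off, chal, chal_len)
        || put(out, cap, &off, user, user_len)
        || put(out, cap, &off, ts, ts_len))
        return -1;
    return (long)off;
}
```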

## BUGFIX
* Robustness: If RPA is enabled at compile time and POP3 is in use,
  do not barf if @compuserve.com is in the remote site's username (what you'd
  pass as --user, or user in the rcfile) and the remote site either does not
  support an "AUTH" command without parameters (normally, one is required, but
  some servers such as jpop and Cyrus allow AUTH to request the list of
  supported authentication types as an extension; the standard way would be
  a "CAPA" request instead), but try other authentication methods.
  Found by code auditing in response to a bug report against rpa.c.
  Note that enabling RPA is discouraged because it is based on the weak
  MD5 crypto algorithm.

-------------------------------------------------------------------------------
Source: README.txt, updated 2026-06-17