From: Matthias Andree <matthias.andree@gmx.de>
To: cygwin@cygwin.com
Subject: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Date: Tue, 20 Aug 2019 19:44:00 -0000 [thread overview]
Message-ID: <18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de> (raw)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Corinna, and everyone else who is interested,
checking <https://cygwin.com/packages/summary/fetchmail.html>,
I see that Cygwin packages a very old fetchmail version that has unfixed
security vulnerabilities and unfixed critical (data loss) bugs.
Constructively moving forward, please:
1. I am about to release 6.4.0 in a few weeks' time with a few important
SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
sufficiently new OpenSSL.
We're shy of 200 commits since the last formal release 6.3.26, and 276
changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
High-level details in the NEWS file linked below. Care was taken to not
break the interfaces too hard, but in the sense of security, I carefully
changed --sslproto semantics and flipped the switch
2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
since 6.3.21/6.3.22.
Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
details, and look for these two capitalized words.
3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
libssl1.1, and see if you find any portability issues that would require
fixing before 6.4.0. Deadline end of August 2019, and unless really
needed for non-trivial code changes, rc2 is also the planned final
candidate.
Source tarballs and detached ASCII-armored GnuPG signatures at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.
Thanks for your consideration.
Regards,
Matthias Andree - upstream fetchmail maintainer
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAl1cMpoACgkQ5BKxVu/z
hVrMORAAtRXCpG6lTsZNdPuu5NDquyWia6sfzptFl7FaNoD8cB2hTsoS7lBgW0VQ
ulL2Y1xYdR4+JCg0i7656ZQhzpVM2qKnect4oFFfo5mx1vkrQYQQMiB3FACPF3zU
OItP7nEngfmL30aDynYkrPH1+P4BY8GyZHML6KnD53jKNu5ZZBijGztV0HYjjAUd
Nhmxm5GdF5uB1V6v4/c8cXDEf2xBdgMwBiU02YPLVI/8zixZR3EXLdNVcggl0Qbm
5+xe4oTw6EqY2VxUm9obs/U17bWm/10afcmm6ioo0xUXSTq5asF+2HD5WipHuhiW
Zm/PPK6SVOwi32M2gzXqb3ZDqtuH9byUKZQw+LGVePsjrU1jU8F84c+5iq35g1RX
TCloJWckBdflXR4Jda6yvlZstm6pd1PnQVXdw5Wl1Nwb+wAvEbV++dIvCbZuRKgI
kEZBUOApyI8J0LMalxCyGAIykY+VLDsFSbcgCDuAFvrjpIyBBcKC2z0x2Y4gpxSS
q4oLhTdjv+WUbVHBwN/NjroMhoNrX7zpFnGQFFjK2zVlSMMR+/aIsUUTX0v6aXZk
WMMRrhtE1wiIgn7fqgxJ5oukz1Cp5qKB8NIIt5g+VgvZPpwuXXiaZ5Hw81wENzaL
VN998lBF3q3K6+VDhmvdXFcilrgW5XnMoPOfTqlDKXYV5G8KY6k=
=v7yh
-----END PGP SIGNATURE-----
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
next reply other threads:[~2019-08-20 18:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-20 19:44 Matthias Andree [this message]
2019-08-21 19:39 ` Achim Gratz
2019-08-28 12:55 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de \
--to=matthias.andree@gmx.de \
--cc=cygwin@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).