HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed

From: Matthias Andree <matthias.andree@gmx.de>
To: cygwin@cygwin.com
Subject: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Date: Tue, 20 Aug 2019 19:44:00 -0000	[thread overview]
Message-ID: <18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de> (raw)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna, and everyone else who is interested,

checking <https://cygwin.com/packages/summary/fetchmail.html>,
I see that Cygwin packages a very old fetchmail version that has unfixed
security vulnerabilities and unfixed critical (data loss) bugs.

Constructively moving forward, please:

1. I am about to release 6.4.0 in a few weeks' time with a few important
SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
sufficiently new OpenSSL.
We're shy of 200 commits since the last formal release 6.3.26, and 276
changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
High-level details in the NEWS file linked below. Care was taken to not
break the interfaces too hard, but in the sense of security, I carefully
changed --sslproto semantics and flipped the switch

2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
since 6.3.21/6.3.22.
Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
details, and look for these two capitalized words.

3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
libssl1.1, and see if you find any portability issues that would require
fixing before 6.4.0. Deadline end of August 2019, and unless really
needed for non-trivial code changes, rc2 is also the planned final
candidate.

Source tarballs and detached ASCII-armored GnuPG signatures at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

Thanks for your consideration.

Regards,
Matthias Andree - upstream fetchmail maintainer

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAl1cMpoACgkQ5BKxVu/z
hVrMORAAtRXCpG6lTsZNdPuu5NDquyWia6sfzptFl7FaNoD8cB2hTsoS7lBgW0VQ
ulL2Y1xYdR4+JCg0i7656ZQhzpVM2qKnect4oFFfo5mx1vkrQYQQMiB3FACPF3zU
OItP7nEngfmL30aDynYkrPH1+P4BY8GyZHML6KnD53jKNu5ZZBijGztV0HYjjAUd
Nhmxm5GdF5uB1V6v4/c8cXDEf2xBdgMwBiU02YPLVI/8zixZR3EXLdNVcggl0Qbm
5+xe4oTw6EqY2VxUm9obs/U17bWm/10afcmm6ioo0xUXSTq5asF+2HD5WipHuhiW
Zm/PPK6SVOwi32M2gzXqb3ZDqtuH9byUKZQw+LGVePsjrU1jU8F84c+5iq35g1RX
TCloJWckBdflXR4Jda6yvlZstm6pd1PnQVXdw5Wl1Nwb+wAvEbV++dIvCbZuRKgI
kEZBUOApyI8J0LMalxCyGAIykY+VLDsFSbcgCDuAFvrjpIyBBcKC2z0x2Y4gpxSS
q4oLhTdjv+WUbVHBwN/NjroMhoNrX7zpFnGQFFjK2zVlSMMR+/aIsUUTX0v6aXZk
WMMRrhtE1wiIgn7fqgxJ5oukz1Cp5qKB8NIIt5g+VgvZPpwuXXiaZ5Hw81wENzaL
VN998lBF3q3K6+VDhmvdXFcilrgW5XnMoPOfTqlDKXYV5G8KY6k=
=v7yh
-----END PGP SIGNATURE-----

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

next             reply	other threads:[~2019-08-20 18:02 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-20 19:44 Matthias Andree [this message]
2019-08-21 19:39 ` Achim Gratz
2019-08-28 12:55 ` Corinna Vinschen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de \
    --to=matthias.andree@gmx.de \
    --cc=cygwin@cygwin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).