From: Corinna Vinschen <corinna-cygwin@cygwin.com>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: cygwin@cygwin.com
Subject: Re: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Date: Wed, 28 Aug 2019 12:55:00 -0000 [thread overview]
Message-ID: <20190828125257.GJ11632@calimero.vinschen.de> (raw)
In-Reply-To: <18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de>
[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]
Hi Matthias,
On Aug 20 19:49, Matthias Andree wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Corinna, and everyone else who is interested,
>
> checking <https://cygwin.com/packages/summary/fetchmail.html>,
> I see that Cygwin packages a very old fetchmail version that has unfixed
> security vulnerabilities and unfixed critical (data loss) bugs.
>
> Constructively moving forward, please:
>
> 1. I am about to release 6.4.0 in a few weeks' time with a few important
> SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
> OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
> sufficiently new OpenSSL.
> We're shy of 200 commits since the last formal release 6.3.26, and 276
> changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
> High-level details in the NEWS file linked below. Care was taken to not
> break the interfaces too hard, but in the sense of security, I carefully
> changed --sslproto semantics and flipped the switch
>
> 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
> since 6.3.21/6.3.22.
> Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
> details, and look for these two capitalized words.
>
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
> candidate.
Builds fine against OpenSSL-1.1. I can't test it ATM, but I prepared
a test release of the current rc3 for our users
https://cygwin.com/ml/cygwin-announce/2019-08/msg00022.html
Thanks,
Corinna
--
Corinna Vinschen
Cygwin Maintainer
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2019-08-28 12:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-20 19:44 Matthias Andree
2019-08-21 19:39 ` Achim Gratz
2019-08-28 12:55 ` Corinna Vinschen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190828125257.GJ11632@calimero.vinschen.de \
--to=corinna-cygwin@cygwin.com \
--cc=cygwin@cygwin.com \
--cc=matthias.andree@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).