Hi Matthias, On Aug 20 19:49, Matthias Andree wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Corinna, and everyone else who is interested, > > checking , > I see that Cygwin packages a very old fetchmail version that has unfixed > security vulnerabilities and unfixed critical (data loss) bugs. > > Constructively moving forward, please: > > 1. I am about to release 6.4.0 in a few weeks' time with a few important > SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require > OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a > sufficiently new OpenSSL. > We're shy of 200 commits since the last formal release 6.3.26, and 276 > changes past 6.3.21, the younger x86 (32bit) package for Cygwin. > High-level details in the NEWS file linked below. Care was taken to not > break the interfaces too hard, but in the sense of security, I carefully > changed --sslproto semantics and flipped the switch > > 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes > since 6.3.21/6.3.22. > Review for > details, and look for these two capitalized words. > > 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's > libssl1.1, and see if you find any portability issues that would require > fixing before 6.4.0. Deadline end of August 2019, and unless really > needed for non-trivial code changes, rc2 is also the planned final > candidate. Builds fine against OpenSSL-1.1. I can't test it ATM, but I prepared a test release of the current rc3 for our users https://cygwin.com/ml/cygwin-announce/2019-08/msg00022.html Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer