From: Corinna Vinschen
To: Matthias Andree
Cc: cygwin@cygwin.com
Date: Wed, 28 Aug 2019 12:55:00 -0000
Subject: Re: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Message-ID: <20190828125257.GJ11632@calimero.vinschen.de>
In-Reply-To: <18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de>

Hi Matthias,

On Aug 20 19:49, Matthias Andree wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Corinna, and everyone else who is interested,
>
> checking ,
> I see that Cygwin packages a very old fetchmail version that has unfixed
> security vulnerabilities and unfixed critical (data loss) bugs.
>
> Constructively moving forward, please:
>
> 1. I am about to release 6.4.0 in a few weeks' time with a few important
> SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
> OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
> sufficiently new OpenSSL.
> We're shy of 200 commits since the last formal release 6.3.26, and 276
> changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
> High-level details in the NEWS file linked below. Care was taken to not
> break the interfaces too hard, but in the sense of security, I carefully
> changed --sslproto semantics and flipped the switch
>
> 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
> since 6.3.21/6.3.22.
> Review for
> details, and look for these two capitalized words.
>
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
> candidate.

Builds fine against OpenSSL-1.1.
I can't test it ATM, but I prepared a test release of the current rc3 for
our users

  https://cygwin.com/ml/cygwin-announce/2019-08/msg00022.html


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer