HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

[Matthias Andree]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna, and everyone else who is interested,

checking <https://cygwin.com/packages/summary/fetchmail.html>,
I see that Cygwin packages a very old fetchmail version that has unfixed
security vulnerabilities and unfixed critical (data loss) bugs.

Constructively moving forward, please:

1. I am about to release 6.4.0 in a few weeks' time with a few important
SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
sufficiently new OpenSSL.
We're shy of 200 commits since the last formal release 6.3.26, and 276
changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
High-level details in the NEWS file linked below. Care was taken to not
break the interfaces too hard, but in the sense of security, I carefully
changed --sslproto semantics and flipped the switch

2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
since 6.3.21/6.3.22.
Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
details, and look for these two capitalized words.

3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
libssl1.1, and see if you find any portability issues that would require
fixing before 6.4.0. Deadline end of August 2019, and unless really
needed for non-trivial code changes, rc2 is also the planned final
candidate.

Source tarballs and detached ASCII-armored GnuPG signatures at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

Thanks for your consideration.

Regards,
Matthias Andree - upstream fetchmail maintainer

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAl1cMpoACgkQ5BKxVu/z
hVrMORAAtRXCpG6lTsZNdPuu5NDquyWia6sfzptFl7FaNoD8cB2hTsoS7lBgW0VQ
ulL2Y1xYdR4+JCg0i7656ZQhzpVM2qKnect4oFFfo5mx1vkrQYQQMiB3FACPF3zU
OItP7nEngfmL30aDynYkrPH1+P4BY8GyZHML6KnD53jKNu5ZZBijGztV0HYjjAUd
Nhmxm5GdF5uB1V6v4/c8cXDEf2xBdgMwBiU02YPLVI/8zixZR3EXLdNVcggl0Qbm
5+xe4oTw6EqY2VxUm9obs/U17bWm/10afcmm6ioo0xUXSTq5asF+2HD5WipHuhiW
Zm/PPK6SVOwi32M2gzXqb3ZDqtuH9byUKZQw+LGVePsjrU1jU8F84c+5iq35g1RX
TCloJWckBdflXR4Jda6yvlZstm6pd1PnQVXdw5Wl1Nwb+wAvEbV++dIvCbZuRKgI
kEZBUOApyI8J0LMalxCyGAIykY+VLDsFSbcgCDuAFvrjpIyBBcKC2z0x2Y4gpxSS
q4oLhTdjv+WUbVHBwN/NjroMhoNrX7zpFnGQFFjK2zVlSMMR+/aIsUUTX0v6aXZk
WMMRrhtE1wiIgn7fqgxJ5oukz1Cp5qKB8NIIt5g+VgvZPpwuXXiaZ5Hw81wENzaL
VN998lBF3q3K6+VDhmvdXFcilrgW5XnMoPOfTqlDKXYV5G8KY6k=
=v7yh
-----END PGP SIGNATURE-----



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

[Achim Gratz]

Matthias Andree writes:
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
> candidate.

The package builds without any trouble on both architectures (I've
enabled Kerberos5, GSSAPI and NTLM also).  The tests skip the two XHTML
validation tests, I have not been able to find out why that is.

> Source tarballs and detached ASCII-armored GnuPG signatures at
> <https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

Where's the public key for that signature?


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

DIY Stuff:
http://Synth.Stromeko.net/DIY.html

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 1820 bytes --]

Hi Matthias,

On Aug 20 19:49, Matthias Andree wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Corinna, and everyone else who is interested,
> 
> checking <https://cygwin.com/packages/summary/fetchmail.html>,
> I see that Cygwin packages a very old fetchmail version that has unfixed
> security vulnerabilities and unfixed critical (data loss) bugs.
> 
> Constructively moving forward, please:
> 
> 1. I am about to release 6.4.0 in a few weeks' time with a few important
> SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
> OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
> sufficiently new OpenSSL.
> We're shy of 200 commits since the last formal release 6.3.26, and 276
> changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
> High-level details in the NEWS file linked below. Care was taken to not
> break the interfaces too hard, but in the sense of security, I carefully
> changed --sslproto semantics and flipped the switch
> 
> 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
> since 6.3.21/6.3.22.
> Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
> details, and look for these two capitalized words.
> 
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
> candidate.

Builds fine against OpenSSL-1.1.  I can't test it ATM, but I prepared
a test release of the current rc3 for our users

  https://cygwin.com/ml/cygwin-announce/2019-08/msg00022.html


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]