This is the mail archive of the cygwin mailing list for the Cygwin project.


Re: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out

Hi Matthias,

On Aug 20 19:49, Matthias Andree wrote:
> Corinna, and everyone else who is interested,
> checking <>,
> I see that Cygwin packages a very old fetchmail version that has unfixed
> security vulnerabilities and unfixed critical (data loss) bugs.
> Constructively moving forward, please:
> 1. I am about to release 6.4.0 in a few weeks' time with a few important
> SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
> OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
> sufficiently new OpenSSL.
> We're shy of 200 commits since the last formal release 6.3.26, and 276
> changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
> High-level details in the NEWS file linked below. Care was taken to not
> break the interfaces too hard, but in the sense of security, I carefully
> changed --sslproto semantics and flipped the switch
> 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
> since 6.3.21/6.3.22.
> Review <> for
> details, and look for these two capitalized words.
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
> candidate.

Builds fine against OpenSSL-1.1.  I can't test it ATM, but I prepared
a test release of the current rc3 for our users


Corinna Vinschen
Cygwin Maintainer
