Do we need a new maintainer for fetchmail?
Matthias Andree
matthias.andree@gmx.de
Tue Nov 30 14:08:00 GMT 2010
Greetings,
the fetchmail package for Cygwin is at version 6.3.9, released two years ago,
and with known security vulnerabilities and errata:
CVE-2009-2666 - improper TLS cert validation allows MITM attacks to go unnoticed
CVE-2010-1167 - heap overflow in verbose mode
EN-2010-03 - improper SASL/AUTH implementation causes bogus auth failures
And a gazillion of bugfixes since 6.3.9 provided in [1], including critical
fixes for long-standing bugs.
Fetchmail does not currently require Cygwin-specific patches.
I have provided Jason Tishler with up-to-date packages for the current fetchmail
6.3.18 package (with selected upstream fixes from post-6.3.18 Git) a fortnight
ago, built on Cygwin 1.7.7 32-bit (Win 7), without any response.
I don't mean to take over maintainership, but -- can we do non-maintainer
updates in such situations?
Best regards
Matthias, upstream fetchmail maintainer
[1] <http://gitorious.org/fetchmail/fetchmail/blobs/master/NEWS#line57>
--
Matthias Andree