HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Wed Aug 28 12:55:00 GMT 2019
On Aug 20 19:49, Matthias Andree wrote:
> Corinna, and everyone else who is interested,
> checking <https://cygwin.com/packages/summary/fetchmail.html>,
> I see that Cygwin packages a very old fetchmail version that has unfixed
> security vulnerabilities and unfixed critical (data loss) bugs.
> Constructively moving forward, please:
> 1. I am about to release 6.4.0 in a few weeks' time with a few important
> SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
> OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
> sufficiently new OpenSSL.
> We're shy of 200 commits since the last formal release 6.3.26, and 276
> changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
> High-level details in the NEWS file linked below. Care was taken to not
> break the interfaces too hard, but in the sense of security, I carefully
> changed --sslproto semantics and flipped the switch
> 2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
> since 6.3.21/6.3.22.
> Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
> details, and look for these two capitalized words.
> 3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
> libssl1.1, and see if you find any portability issues that would require
> fixing before 6.4.0. Deadline end of August 2019, and unless really
> needed for non-trivial code changes, rc2 is also the planned final
Builds fine against OpenSSL-1.1. I can't test it ATM, but I prepared
a test release of the current rc3 for our users.
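The advice above to review the NEWS file for entries marked SECURITY or CRITICAL since the packaged release is the kind of check a packager would want to script. The following is an added example, not code from the fetchmail project or from either poster: it reads a changelog in a versioned layout (release header lines of the form `fetchmail-X.Y.Z ...`, followed by `#`-prefixed section headings), and prints every SECURITY or CRITICAL section that belongs to a release newer than a given baseline version. The NEWS text embedded here is a constructed excerpt for demonstration, not the real fetchmail NEWS file, and the function name `flagged_fixes_since` is this example's own.

```shell
#!/bin/sh
# Constructed changelog excerpt (NOT the real fetchmail NEWS file); it only
# mimics a versioned layout: a "fetchmail-X.Y.Z ..." header line per release,
# then "# HEADING" section lines under it.
NEWS_SAMPLE='fetchmail-6.4.0 (release candidate):
# SECURITY FIXES
* constructed entry: tighten --sslproto defaults
# CHANGES
* constructed entry: require OpenSSL 1.0.2 or newer

fetchmail-6.3.26 (released 2013-04-23):
# CRITICAL BUG FIXES
* constructed entry: fix a data-loss bug

fetchmail-6.3.22 (released 2013-01-01):
# BUG FIXES
* constructed entry: minor fix

fetchmail-6.3.21 (released 2012-08-29):
# SECURITY FIXES
* constructed entry: already shipped in the packaged version
'

# flagged_fixes_since BASELINE
#   Reads changelog text on stdin and prints "VERSION: HEADING" for every
#   "#" section heading containing SECURITY or CRITICAL that sits under a
#   release header whose version is strictly newer than BASELINE.
#   Version comparison is numeric per dot-separated component, so 6.4.0
#   ranks above 6.3.26 (a plain string sort would get this wrong).
flagged_fixes_since() {
    awk -v base="$1" '
    function vcmp(a, b,    x, y, i, n) {
        n = split(a, x, ".")
        split(b, y, ".")
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) != (y[i] + 0)) return (x[i] + 0) - (y[i] + 0)
        }
        return 0
    }
    /^fetchmail-[0-9]/ {
        ver = $1
        sub(/^fetchmail-/, "", ver)
        sub(/:$/, "", ver)
        newer = (vcmp(ver, base) > 0)
        next
    }
    newer && /^#/ && /SECURITY|CRITICAL/ {
        heading = $0
        sub(/^# */, "", heading)
        print ver ": " heading
    }'
}

# Usage: show what a packager still on 6.3.21 would be missing.
printf '%s' "$NEWS_SAMPLE" | flagged_fixes_since 6.3.21
```

Run against a real NEWS file with `flagged_fixes_since 6.3.21 < NEWS`; the baseline is the version currently packaged, so anything printed is a fix the package lacks.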