X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:message-id:date:mime-version
	:content-type:content-transfer-encoding; q=dns; s=default; b=e4R
	AZP4kCQHh0W73BTPYub9hpD7GcY92k9vOGhlG+dDPI5EhNvltufzLbDNNY4Zo8+F
	Ef9/YnHiYu7l7cP4KnLwle0+ezQIMegW+Lg1y5m2uG9OxgbG2SiXuJ3awSwP3tdG
	tgOaY+0YoxPwwRiS+k/7OKWxBdhiWZ1P+CAEEZco=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:message-id:date:mime-version
	:content-type:content-transfer-encoding; s=default; bh=U39QGoyBs
	8+IWfEUgnYERNYMClw=; b=fJxNR1Flk2t8rdfhlFpjWFkwhKIb80BWAlWoFY5EE
	bLABYZj8CIhfWyc/w7Wz+DKK3Ueb1guzr4ST7xAkGemGsnsjeSEoId7dy3/bo8B0
	gTAQ/QRlQ2uy+shdmz9cnHv2m4EXOZM7hDhiHl3fraLCZW8Hnm9RMgmPUybaj0Wp
	yo=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-7.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,GIT_PATCH_2,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.1 spammy=
X-HELO: mout.gmx.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net;	s=badeba3b8450; t=1566324124;	bh=Zk89FTPKvLCpaacPyNtMaKlVFGpyyWuEpN9zh8bqvyA=;	h=X-UI-Sender-Class:To:From:Subject:Date;	b=A9gyPHYgN0lQOywTJP8OjLo5I7PRskO1DVPeNF57AZGGkW66BvWWhkPpxpD9cYVEg	 So+quU7OAM/wyMPEvQ4IZyWuVFKqlpNiRoKc4PfHFqfhSVyMKw1YvuOjElmj1GypYV	 AvJheBpN91nfrNYX9k4YC3HMoE5VPJYWaoxFuh6c=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
To: cygwin AT cygwin DOT com
From: Matthias Andree <matthias DOT andree AT gmx DOT de>
Openpgp: preference=signencrypt
Subject: HEADS UP package "fetchmail" vulnerable and 6.4.0 release candidate out
Message-ID: <18a325b3-0934-0e7f-aa6b-45828ae03ce7@gmx.de>
Date: Tue, 20 Aug 2019 19:49:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id x7KI2ijL001227


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna, and everyone else who is interested,

checking <https://cygwin.com/packages/summary/fetchmail.html>,
I see that Cygwin packages a very old fetchmail version that has unfixed
security vulnerabilities and unfixed critical (data loss) bugs.

Constructively moving forward, please:

1. I am about to release 6.4.0 in a few weeks' time with a few important
SSL/TLS/OpenSSL updates that permit newer OpenSSL versions, require
OpenSSL v1.0.2, and practically permit TLS v1.3 if linked against a
sufficiently new OpenSSL.
We're shy of 200 commits since the last formal release 6.3.26, and 276
changes past 6.3.21, the younger x86 (32bit) package for Cygwin.
High-level details in the NEWS file linked below. Care was taken to not
break the interfaces too hard, but in the sense of security, I carefully
changed --sslproto semantics and flipped the switch

2. Note that fetchmail has seen several SECURITY and CRITICAL bug fixes
since 6.3.21/6.3.22.
Review <https://gitlab.com/fetchmail/fetchmail/blob/legacy_64/NEWS> for
details, and look for these two capitalized words.

3. Please try to package 6.4.0.rc2 for x86 and x86_64 against Cygwin's
libssl1.1, and see if you find any portability issues that would require
fixing before 6.4.0. Deadline end of August 2019, and unless really
needed for non-trivial code changes, rc2 is also the planned final
candidate.

Source tarballs and detached ASCII-armored GnuPG signatures at
<https://sourceforge.net/projects/fetchmail/files/branch_6.4/>.

Thanks for your consideration.

Regards,
Matthias Andree - upstream fetchmail maintainer

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3EplW9mTzUhx+oIQ5BKxVu/zhVoFAl1cMpoACgkQ5BKxVu/z
hVrMORAAtRXCpG6lTsZNdPuu5NDquyWia6sfzptFl7FaNoD8cB2hTsoS7lBgW0VQ
ulL2Y1xYdR4+JCg0i7656ZQhzpVM2qKnect4oFFfo5mx1vkrQYQQMiB3FACPF3zU
OItP7nEngfmL30aDynYkrPH1+P4BY8GyZHML6KnD53jKNu5ZZBijGztV0HYjjAUd
Nhmxm5GdF5uB1V6v4/c8cXDEf2xBdgMwBiU02YPLVI/8zixZR3EXLdNVcggl0Qbm
5+xe4oTw6EqY2VxUm9obs/U17bWm/10afcmm6ioo0xUXSTq5asF+2HD5WipHuhiW
Zm/PPK6SVOwi32M2gzXqb3ZDqtuH9byUKZQw+LGVePsjrU1jU8F84c+5iq35g1RX
TCloJWckBdflXR4Jda6yvlZstm6pd1PnQVXdw5Wl1Nwb+wAvEbV++dIvCbZuRKgI
kEZBUOApyI8J0LMalxCyGAIykY+VLDsFSbcgCDuAFvrjpIyBBcKC2z0x2Y4gpxSS
q4oLhTdjv+WUbVHBwN/NjroMhoNrX7zpFnGQFFjK2zVlSMMR+/aIsUUTX0v6aXZk
WMMRrhtE1wiIgn7fqgxJ5oukz1Cp5qKB8NIIt5g+VgvZPpwuXXiaZ5Hw81wENzaL
VN998lBF3q3K6+VDhmvdXFcilrgW5XnMoPOfTqlDKXYV5G8KY6k=
=v7yh
-----END PGP SIGNATURE-----



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple