This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Do we need a new maintainer for fetchmail?
- From: Matthias Andree <matthias dot andree at gmx dot de>
- To: CygWin-Apps <cygwin-apps at cygwin dot com>
- Cc: Jason Tishler <jason at tishler dot net>
- Date: Tue, 30 Nov 2010 01:30:43 +0100
- Subject: Do we need a new maintainer for fetchmail?
Greetings,
the fetchmail package for Cygwin is at version 6.3.9, released two years ago,
and with known security vulnerabilities and errata:
CVE-2009-2666 - improper TLS cert validation allows MITM attacks to go unnoticed
CVE-2010-1167 - heap overflow in verbose mode
EN-2010-03 - improper SASL/AUTH implementation causes bogus auth failures
And a gazillion bugfixes since 6.3.9 provided in [1], including critical
fixes for long-standing bugs.
Fetchmail does not currently require Cygwin-specific patches.
I have provided Jason Tishler with up-to-date packages for the current fetchmail
6.3.18 package (with selected upstream fixes from post-6.3.18 Git) a fortnight
ago, built on Cygwin 1.7.7 32-bit (Win 7), without any response.
I don't mean to take over maintainership, but -- can we do non-maintainer
updates in such situations?
Best regards
Matthias, upstream fetchmail maintainer
[1] <http://gitorious.org/fetchmail/fetchmail/blobs/master/NEWS#line57>
--
Matthias Andree