This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Do we need a new maintainer for fetchmail?


Greetings,

the fetchmail package for Cygwin is at version 6.3.9, released two years ago,
and with known security vulnerabilities and errata:

CVE-2009-2666 - improper TLS cert validation allows MITM attacks to go unnoticed
CVE-2010-1167 - heap overflow in verbose mode
EN-2010-03    - improper SASL/AUTH implementation causes bogus auth failures

And a gazillion of bugfixes since 6.3.9 provided in [1], including critical
fixes for long-standing bugs.

Fetchmail does not currently require Cygwin-specific patches.

I have provided Jason Tishler with up-to-date packages for the current fetchmail
6.3.18 package (with selected upstream fixes from post-6.3.18 Git) a fortnight
ago, built on Cygwin 1.7.7 32-bit (Win 7), without any response.

I don't mean to take over maintainership, but -- can we do non-maintainer
updates in such situations?

Best regards
Matthias, upstream fetchmail maintainer


[1] <http://gitorious.org/fetchmail/fetchmail/blobs/master/NEWS#line57>

-- 
Matthias Andree

