From: Matthias A. <mat...@gm...> - 2005-11-18 02:49:45
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I am announcing the release of fetchmail 6.2.5.4.

For the main part, the updated fetchmailconf that fixed CVE-2005-3088 (the password exposure problem) is now part of the tarball, many build problems with 6.2.5 and 6.2.5.2 were fixed, and the infamous "timeout" bug with IMAP that only showed with several servers (for instance, older CommuniGate; Debian Bug#314509) was also fixed. CVE-2005-2335 was already fixed in 6.2.5.2; the fix is also part of 6.2.5.4. See below for details.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=7976>

fetchmail-6.2.5.X is a security fix branch that forked off fetchmail-6.2.5. It does not change for anything but security and the most severe bug fixes. Note that no 6.2.5.X security audits are planned except when a particular bug is reported, and that 6.2.5.X is unsafe to use on some systems, particularly those that lack a *working and secure* snprintf implementation.

This 6.2.5.X branch is ONLY intended for packages for systems that cannot move forward to a newer version for stability policies, such as Debian stable. Note that this branch may be discontinued alongside the official 6.3.0 release without further notice.

End users and all other systems should therefore use a current fetchmail-6.2.9-rc* release candidate or, if available at that time, a 6.3.X or newer release.

These are the relevant changes since (and excluding) 6.2.5.2:

* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use umask 077 before opening the output file and restore the umask later.
* Critical fix: fix IMAP timeouts, counting the message count down on servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from the source directory), but prevent packaging from a separated build, since it yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex, yacc or bison.
* Build environment: Update included gettext. Fix --with-included-gettext. Fix parallel build (make -j). Fix "always rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).

Regards,

- --
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDfTM3vmGDOQUufZURAtu2AKCyPEETBn+q1vTQBMF3eHCR0UlEhQCdE7Os
i1DBvMPM0ry0ufynC+0QjKE=
=fUW6
-----END PGP SIGNATURE-----
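The CVE-2005-3088 entry above describes the fix in one line: set umask 077 before creating the output file, restore it afterwards. The following Python script is an added illustration written for this page, not fetchmailconf's own code; it contrasts the pre-fix and post-fix file-creation patterns, checks the resulting permission bits, and confirms the caller's umask is put back. The rcfile text, host name and password are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample rcfile; the password is a placeholder, not a real credential.
SAMPLE_RC = 'poll mail.example.invalid proto imap user "alice" password "PLACEHOLDER"\n'


def write_rcfile_unsafe(path, contents):
    """Pre-fix pattern: open() inherits the process umask (often 022), so a
    freshly created file ends up mode 0644 and anyone on the host can read
    the password."""
    with open(path, "w") as f:
        f.write(contents)


def write_rcfile_safe(path, contents):
    """Post-fix pattern: force an owner-only umask around the creation of the
    file, then put the caller's umask back so other files are unaffected."""
    old_umask = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write(contents)
    finally:
        os.umask(old_umask)


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_to_others(path):
    """True if group or world can read the file (what the password exposure amounts to)."""
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Create both variants under a typical 022 umask and report the modes."""
    workdir = tempfile.mkdtemp()
    saved_umask = os.umask(0o022)          # constructed: typical interactive umask
    try:
        unsafe = os.path.join(workdir, "fetchmailrc.unsafe")
        safe = os.path.join(workdir, "fetchmailrc.safe")
        write_rcfile_unsafe(unsafe, SAMPLE_RC)
        write_rcfile_safe(safe, SAMPLE_RC)
        return {
            "unsafe_mode": file_mode(unsafe),
            "safe_mode": file_mode(safe),
            "unsafe_exposed": exposed_to_others(unsafe),
            "safe_exposed": exposed_to_others(safe),
            # os.umask returns the previous value, so this confirms the fix
            # restored 022 rather than leaving 077 behind.
            "umask_restored": os.umask(0o022) == 0o022,
        }
    finally:
        os.umask(saved_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        shown = oct(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

One caveat worth keeping in mind when applying this pattern: umask only governs files being created. If the output file already exists with loose permissions, `open(path, "w")` truncates it but leaves its mode alone, so a configuration writer should also chmod an existing file (or create it with `os.open` and an explicit 0o600) rather than rely on umask alone.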
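The "Critical fix" entry explains the IMAP timeout as a counting problem: some servers never send a fresh `* n EXISTS` after `* n EXPUNGE`, so a client that only updates its message count from EXISTS keeps believing messages exist that have already been removed. The following Python snippet is an added example, not fetchmail's code, showing the client-side counting strategy the changelog names on a constructed server transcript; the `MailboxCounter` class and the session lines are assumptions for illustration.

```python
import re

# Untagged responses that change the mailbox size (RFC 3501 sections 7.3 and 7.4).
_SIZE_RESPONSE = re.compile(r"^\* (\d+) (EXISTS|EXPUNGE)\s*$")


class MailboxCounter:
    """Client-side view of how many messages the selected mailbox holds.

    Hypothetical illustration of the counting strategy named in the
    changelog; it is not fetchmail's own code.
    """

    def __init__(self):
        self.count = 0          # messages the server currently reports
        self.expunged = 0       # EXPUNGE notifications seen so far

    def feed(self, line):
        m = _SIZE_RESPONSE.match(line.rstrip("\r\n"))
        if not m:
            return              # tagged replies, FETCH data etc. carry no size
        number, kind = int(m.group(1)), m.group(2)
        if kind == "EXISTS":
            self.count = number  # authoritative total from the server
        else:
            # "* n EXPUNGE" removes one message and renumbers the rest; the
            # server is not obliged to follow it with EXISTS, so count down.
            self.count = max(self.count - 1, 0)
            self.expunged += 1


def count_after_session(lines, trust_exists_only=False):
    """Replay untagged responses and return the client's final message count.

    With trust_exists_only=True the counter ignores EXPUNGE, reproducing the
    stale count that makes a client wait for messages that no longer exist.
    """
    counter = MailboxCounter()
    for line in lines:
        if trust_exists_only and line.rstrip().endswith("EXPUNGE"):
            continue
        counter.feed(line)
    return counter.count


# Constructed transcript of the server side of a fetch-and-delete cycle on a
# server that never re-sends EXISTS after EXPUNGE.
SAMPLE_SESSION = [
    "* 3 EXISTS",
    "* 0 RECENT",
    "a001 OK [READ-WRITE] SELECT completed",
    "* 1 FETCH (FLAGS (\\Seen \\Deleted))",
    "* 2 FETCH (FLAGS (\\Seen \\Deleted))",
    "* 1 EXPUNGE",
    "* 1 EXPUNGE",
    "a003 OK EXPUNGE completed",
]

if __name__ == "__main__":
    print("fixed client count:", count_after_session(SAMPLE_SESSION))        # 1
    print("stale client count:", count_after_session(SAMPLE_SESSION, True))  # 3
```

Run stand-alone, the script reports 1 remaining message for the counting client and 3 for the EXISTS-only client; the latter would go on to request messages 2 and 3, which no longer exist, and is the kind of mismatch that surfaces as a timeout.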