
[fetchmail]fetchmail 6.2.5.4 released (security bugfix) (legacy)

2005-11-17 18:51:13
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

I am announcing the release of fetchmail 6.2.5.4. For the main part, the
updated fetchmailconf that fixed CVE-2005-3088 (the password exposure
problem) is now part of the tarball, many build problems with 6.2.5 and
6.2.5.2 were fixed and the infamous "timeout" bug with IMAP that only
showed with several servers (for instance, older CommuniGate; Debian
Bug#314509) was also fixed. CVE-2005-2335 was already fixed in 6.2.5.2,
the fix is also part of 6.2.5.4. See below for details.

The software is available from:
<https://developer.berlios.de/project/showfiles.php?group_id=1824&release_id=7976>

fetchmail-6.2.5.X is a security fix branch that forked off
fetchmail-6.2.5. It does not change for anything but security and the
most severe bug fixes. Note that no 6.2.5.X security audits are planned
except when a particular bug is reported, and that 6.2.5.X is unsafe to
use on some systems, particularly those that lack a *working and secure*
snprintf implementation.

This 6.2.5.X branch is ONLY intended for packages for systems that
cannot move forward to a newer version for stability policies, such as
Debian stable.  Note that this branch may be discontinued alongside the
official 6.3.0 release without further notice.

End users and all other systems should therefore use a current
fetchmail-6.2.9-rc* release candidate or, if available at that time,
6.3.X or newer release.

These are the relevant changes since (and excluding) 6.2.5.2:

* SECURITY FIX CVE-2005-3088: fetchmailconf: fix password exposure: use
  umask 077 before opening output file and restore umask later.
* Critical fix: fix IMAP timeouts, counting message count down on
  servers that do not send EXISTS counts after EXPUNGE. Debian Bug#314509.
* On FreeBSD, add /usr/local/include to CPPFLAGS so that libintl.h is found.
* Avoid automatically picking up HESIOD implementations that lack
  hesiod_getmailhost, such as the one in FreeBSD's base system.
* Fix makedepend for separated build (where the build is not run from
  the source directory), but prevent packaging from separated build, it
  yields bogus results.
* Fix resolv.h autodetection.
* Add +HESIOD to version printout if appropriate.
* Ship pre-built rcfile_l.c for systems that don't have flex.
* Also ship pre-built rcfile_y.[ch] for systems that don't have flex,
  yacc or bison.
* Build environment: Update included gettext. Fix
  --with-included-gettext. Fix parallel build (make -j). Fix "always
  rebuild fetchmail" syndrome.
* Do not link against -ll or -lfl (not needed).
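The CVE-2005-3088 item above names the fix pattern (umask 077 around the open, restore afterwards) without showing it. The following is an added illustration, not fetchmailconf's own code: it writes a constructed fetchmailrc-style line three ways and reports the resulting permission bits. The function names, the sample line and the 022 umask used for the demonstration are assumptions for the example. It also shows the caveat the announcement does not spell out: umask only governs files being created, so a config file that already exists world-readable keeps its mode unless the program sets it explicitly.

```python
import os
import stat
import tempfile

# Constructed sample: a fetchmailrc-style line that carries a password.
SAMPLE_RC = 'poll mail.example.com proto imap user "alice" password "s3cret"\n'


def file_mode(path):
    """Permission bits of a file as an int (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_rc_unsafe(path, contents):
    """Pre-fix behaviour (assumed for the example): rely on the process umask,
    commonly 022, so a new file is created 0644 and readable by everyone."""
    with open(path, "w") as f:
        f.write(contents)
    return file_mode(path)


def write_rc_with_umask(path, contents):
    """The fix as the announcement describes it: set umask 077 before
    opening the output file and restore the previous umask afterwards."""
    old = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write(contents)
    finally:
        os.umask(old)  # never leave the stricter umask behind for the caller
    return file_mode(path)


def write_rc_explicit_mode(path, contents):
    """Stronger variant: create with an explicit 0600 and fchmod the open
    descriptor, so an already-existing world-readable file is tightened too
    (umask only affects files being created, not existing ones)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)
        f.write(contents)
    return file_mode(path)


def demo():
    """Run the three writers in a scratch directory under a typical umask of
    022 and return the resulting permission bits for comparison."""
    results = {}
    saved = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            p = os.path.join(d, "fetchmailrc")
            results["unsafe_new"] = write_rc_unsafe(p, SAMPLE_RC)  # 0o644
            os.remove(p)
            results["umask_new"] = write_rc_with_umask(p, SAMPLE_RC)  # 0o600
            # The file now exists; make it world-readable as a leftover
            # from an earlier unsafe run and rewrite it both ways.
            os.chmod(p, 0o644)
            results["umask_existing"] = write_rc_with_umask(p, SAMPLE_RC)  # still 0o644
            results["explicit_existing"] = write_rc_explicit_mode(p, SAMPLE_RC)  # 0o600
    finally:
        os.umask(saved)
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name:18s} {mode:04o}")
```

Running it prints one line per variant; the `umask_existing` case is the one to note, since a distribution that ships the umask-only fix still leaves any previously created 0644 rcfile readable until it is rewritten with an explicit mode or chmod'ed by hand.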

Regards,

- -- 
Matthias Andree
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFDfTM3vmGDOQUufZURAtu2AKCyPEETBn+q1vTQBMF3eHCR0UlEhQCdE7Os
i1DBvMPM0ry0ufynC+0QjKE=
=fUW6
-----END PGP SIGNATURE-----

_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends@lists.ccil.org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
