<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>114732</bug_id>
          
          <creation_ts>2005-12-07 04:20 0000</creation_ts>
          <short_desc>net-mail/fetchmail-6.3.0 is out, and new homepage</short_desc>
          <delta_ts>2005-12-10 04:41:33 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Ebuilds</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://fetchmail.berlios.de/</bug_file_loc>
          
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>dsd@gentoo.org</reporter>
          <assigned_to>net-mail@gentoo.org</assigned_to>
          

      

      
          <long_desc isprivate="0">
            <who>dsd@gentoo.org</who>
            <bug_when>2005-12-07 04:20:51 0000</bug_when>
            <thetext>On 2005-11-30, fetchmail-6.3.0 was released, collecting bug fixes,
documentation, portability and IPv6 improvements from the preceding 777 days
since fetchmail-6.2.5&apos;s release in October 2003.

CVE-2005-2335: Fetchmail was found to contain a remotely exploitable
vulnerability in the POP3 code, affecting both the 6.2.0 and 6.2.5 releases.
6.2.5.2, 6.2.5.4 and 6.3.0 have got this bug fixed. (Other versions have not
been checked if they contain this bug.)

CVE-2005-3088: Fetchmailconf was found to open the configuration files
world-readable, writing data to them, and only then tightening up permissions,
which may cause password information to be visible to other users. This bug
affected fetchmail 6.2.0, 6.2.5 and 6.2.5.2. The bug is fixed in fetchmail
6.2.5.4 and 6.3.0.

Please update to fetchmail version 6.3.0, or, if your local updating policy does
not permit so, to 6.2.5.4 which can be obtained from the download directory.

The old homepage (http://www.catb.org/~esr/fetchmail/) is now unmaintained, as
are the old mailing lists, due to lack of admin access. The new homepage is at
http://fetchmail.berlios.de/ so the new ebuild should reflect this.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ticho@gentoo.org</who>
            <bug_when>2005-12-10 04:41:33 0000</bug_when>
            <thetext>6.3.0 in portage. We have now finally gotten rid of the old tarball from catb.org
and a few deprecated patches. I&apos;ve had this on my TODO for quite some time, but
now that the minor version number changed, it&apos;s a nice opportunity to do so.

Both mentioned security vulnerabilities have already been addressed in our
ebuilds - CVE-2005-2335 in 6.2.5.2 (bug #99865) and CVE-2005-3088 in 6.2.5.2-r1
(bug #110366), so there&apos;s probably no need to call in security. Closing.</thetext>
          </long_desc>
      
    </bug>

</bugzilla>