http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG:

Version 4.2.0 18 September 2004

- SECURITY: previous versions of getmail contain a security vulnerability. A local attacker with a shell account could exploit a race condition (or a similar symlink attack) to cause getmail to create or overwrite files in a directory of the local user's choosing if the system administrator ran getmail as root and delivered messages to a maildir or mbox file under the control of the attacker, resulting in a local root exploit. Fixed in versions 4.2.0 and 3.2.5. This vulnerability is not exploitable if the administrator does not deliver mail to the maildirs/mbox files of untrusted local users, or if getmail is configured to use an external unprivileged MDA. This vulnerability is not remotely exploitable. Thanks: David Watson. My gratitude to David for his work on finding and analyzing this problem.

- Now, on Unix-like systems when run as root, getmail forks a child process and drops privileges before delivering to maildirs or mbox files. getmail will absolutely refuse to deliver to such destinations as root; the uid to switch to must be configured in the getmailrc file.

- revert behaviour regarding delivery to non-existent mbox files. Versions 4.0.0 through 4.1.5 would create the mbox file if it did not exist; in versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing to do so.

renamed ebuild works.

Reproducible: Always
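The mitigation the changelog describes (fork, drop privileges, refuse to deliver as root, refuse to create a missing mbox), as an added Python sketch that is not getmail's own code: the child opens the mbox with O_NOFOLLOW and without O_CREAT so a planted symlink or a missing file is refused, and run_demo() builds a constructed temp-dir scenario, assuming a 'nobody' account exists when run as root.

```python
import os, pwd, tempfile
class DeliveryError(Exception):
    pass
def _drop_privileges(uid, gid):
    # Child only; order matters: supplementary groups, then gid, then uid.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
def _append_to_mbox(path, message):
    # No O_CREAT: a missing mbox is refused (the v3 behaviour that 4.2.0 reverts to).
    # O_NOFOLLOW: a symlink planted at the path is refused instead of followed.
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
    with os.fdopen(fd, "ab") as mbox:
        mbox.write(message)
def deliver_to_mbox(path, message, uid=None, gid=None):
    """Append message bytes to an existing mbox from a forked, unprivileged child."""
    if os.geteuid() == 0 and (not uid or not gid):
        raise DeliveryError("refusing to deliver as root without a configured uid/gid")
    pid = os.fork()
    if pid == 0:  # child: drop privileges (if any), deliver, report via exit status
        try:
            if os.geteuid() == 0:
                _drop_privileges(uid, gid)
            _append_to_mbox(path, message)
            os._exit(0)
        except Exception:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        raise DeliveryError("delivery to %s failed in child" % path)
    return True
def run_demo():
    # Constructed scenario: an existing mbox, a missing mbox, and a planted symlink.
    nobody = pwd.getpwnam("nobody") if os.geteuid() == 0 else None  # assumes 'nobody' exists
    creds = {"uid": nobody.pw_uid, "gid": nobody.pw_gid} if nobody else {}
    d = tempfile.mkdtemp()
    inbox, link = os.path.join(d, "inbox"), os.path.join(d, "planted")
    open(inbox, "wb").close()
    os.symlink(inbox, link)  # stands in for a symlink left in an untrusted user's directory
    for p in ((d, inbox) if creds else ()):
        os.chown(p, creds["uid"], creds["gid"])
    msg = b"From sender@example.org\nSubject: test\n\nhello\n"
    results = {"delivered": deliver_to_mbox(inbox, msg, **creds), "content": open(inbox, "rb").read()}
    for name, target in (("missing", os.path.join(d, "nope")), ("symlink", link)):
        try:
            deliver_to_mbox(target, msg, **creds)
            results[name] = "delivered"
        except DeliveryError:
            results[name] = "refused"
    return results
```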
net-mail, please confirm and provide an updated ebuild if necessary.
The ebuild for 4.2.0 now in CVS portage.
archs, please mark stable.
My summary wasn't as precise as I could be: "Fixed in versions 4.2.0 and 3.2.5." If getmail-3 should remain in the tree then bump to 3.2.5.
We intended to remove getmail-3 from portage as soon as 4.0.2-r2 gets stable. As 4.2.0 will hopefully get marked stable soon, I'll remove -3 after that.
Marked 4.20 ppc. If I need to mark every version stable from 3.2.5 till there, please let me know (rather not, but hey :-) ). Greetings
Sparc stable.
Stable on x86
Stable on alpha.
stable on amd64
As 4.2.0 is stable on all arches set for it, I'm finally removing all getmail-3 ebuilds.
GLSA 200409-32