On Nov 30 01:30, Matthias Andree wrote:
> Greetings,
>
> the fetchmail package for Cygwin is at version 6.3.9, released two years ago,
> and with known security vulnerabilities and errata:
>
> CVE-2009-2666 - improper TLS cert validation allows MITM attacks to go
>                 unnoticed
> CVE-2010-1167 - heap overflow in verbose mode
> EN-2010-03    - improper SASL/AUTH implementation causes bogus auth failures
>
> And a gazillion of bugfixes since 6.3.9 provided in [1], including critical
> fixes for long-standing bugs.
>
> Fetchmail does not currently require Cygwin-specific patches.

Cool!

> I have provided Jason Tishler with up to date packages for the current
> fetchmail 6.3.18 package (with selected upstream fixes from post-6.3.18 Git)
> a fortnight ago, built on Cygwin 1.7.7 32-bit (Win 7), without any response.

Well, that could mean he just has very limited time right now or he's on
vacation.

> I don't mean to take over maintainership, but -- can we do non-maintainer
> updates in such situations?

Thanks for the offer, but we don't do that, usually. I understand that,
as an upstream maintainer, you're keen to see a more up-to-date and more
bug-free version of fetchmail in the distro. However, unless the
maintainer steps down officially, and unless another person volunteers
to take over maintainership of a package, we don't take new versions of
a package. While we have a couple of currently unmaintained/orphaned
packages, in general we only really like packages which have a distro
maintainer.

So, first I'd really like to get a word from you, Jason.

If Jason is AWOL for a longer period of time (which I doubt, since he
was still active on the cygwin list early November), then we can talk
about taking over maintainership, if that's an option for you.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
