diff options
| author | schmonz <schmonz@pkgsrc.org> | 2004-10-20 21:55:12 +0000 |
|---|---|---|
| committer | schmonz <schmonz@pkgsrc.org> | 2004-10-20 21:55:12 +0000 |
| commit | eb90c505aba060f77d906178d3eb8a27c836416a (patch) | |
| tree | 943625bf123ef71cb7bde1298c6bac3bce4d2ebf /mail | |
| parent | 2cc7b5cd9fcfb2fbab76a4d2ff20039c99dfa0ba (diff) | |
| download | pkgsrc-eb90c505aba060f77d906178d3eb8a27c836416a.tar.gz | |
Update to 4.2.2. From the changelog:
Version 4.1.5
13 September 2004
-getmail would not delete messages from the server if it was configured not
to retrieve them and the delete_after directive was not in use (i.e. user
normally left messages on server but occasionally wanted to force-delete
them). Fixed. Thanks: Frankye Fattarelli.
Version 4.2.0
18 September 2004
-SECURITY: previous versions of getmail contain a security vulnerability.
A local attacker with a shell account could exploit a race condition (or a
similar symlink attack) to cause getmail to create or overwrite files in a
directory of the local user's choosing if the system administrator ran getmail
as root and delivered messages to a maildir or mbox file under the control of
the attacker, resulting in a local root exploit. Fixed in versions 4.2.0
and 3.2.5.
This vulnerability is not exploitable if the administrator does not deliver
mail to the maildirs/mbox files of untrusted local users, or if getmail is
configured to use an external unprivileged MDA. This vulnerability is
not remotely exploitable.
Thanks: David Watson. My gratitude to David for his work on finding and
analyzing this problem.
-Now, on Unix-like systems when run as root, getmail forks a child
process and drops privileges before delivering to maildirs or mbox files.
getmail will absolutely refuse to deliver to such destinations as root;
the uid to switch to must be configured in the getmailrc file.
-revert behaviour regarding delivery to non-existent mbox files. Versions
4.0.0 through 4.1.5 would create the mbox file if it did not exist; in
versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing
to do so.
Version 4.2.1
8 October 2004
-set message attributes on corrupt container objects to prevent problems
with destinations that expect multidrop-retrieved messages.
Thanks: Harry Wearne.
-move tests for existence of file from mbox destination initialization
to delivery method, and change error from configuration to delivery error.
Thanks: David Watson.
Version 4.2.2
11 October 2004
-in child delivery processes, change real as well as effective uid/gid.
Thanks: David Watson.
-handle corrupted oldmail file better. Thanks: Matthias Andree.
Diffstat (limited to 'mail')
| -rw-r--r-- | mail/getmail/Makefile | 4 | ||||
| -rw-r--r-- | mail/getmail/distinfo | 6 |
2 files changed, 5 insertions, 5 deletions
diff --git a/mail/getmail/Makefile b/mail/getmail/Makefile index 447505afb06..3312a7efa04 100644 --- a/mail/getmail/Makefile +++ b/mail/getmail/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.32 2004/09/02 02:35:58 schmonz Exp $ +# $NetBSD: Makefile,v 1.33 2004/10/20 21:55:12 schmonz Exp $ -DISTNAME= getmail-4.1.4 +DISTNAME= getmail-4.2.2 CATEGORIES= mail MASTER_SITES= ${HOMEPAGE}old-versions/ diff --git a/mail/getmail/distinfo b/mail/getmail/distinfo index 9665a6b69d1..c1f18e1f800 100644 --- a/mail/getmail/distinfo +++ b/mail/getmail/distinfo @@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.25 2004/09/02 02:35:58 schmonz Exp $ +$NetBSD: distinfo,v 1.26 2004/10/20 21:55:12 schmonz Exp $ -SHA1 (getmail-4.1.4.tar.gz) = cee70895e22bcec75ea0588744cd46b381d494ec -Size (getmail-4.1.4.tar.gz) = 118943 bytes +SHA1 (getmail-4.2.2.tar.gz) = e2f9c080bfefae2b2deb65c6ac11e6dfb0c08cc2 +Size (getmail-4.2.2.tar.gz) = 121093 bytes SHA1 (patch-aa) = 63bb1a6427f5b129200e7fa4bdd34267d427a2a7 |