Hi Salvatore,

On Sat, Nov 8, 2025 at 3:09 PM Salvatore Bonaccorso <[email protected]> wrote:
> The time is bit tight now given window is closing this weekend for
> uploads for the next trixie point release. I was looking which minor
> CVE fixes are open, and noticed that we have CVE-2025-61962 which
> might be low enough to still get in, but I would like to have an ack
> from Lazslo, otherwise later point release is I guess fine.

s/Lazslo/Laszlo/.
While you are right, this should be fixed, please note that the mentioned fix is not final. The 6.5.7 release contains a bugfix [1] for this and noted as: "However, to improve compatibility, fetchmail now accepts anything that starts with "334" and disregards the remainder of the line.". See the full commit [2] for this.

> [ Tests ]
> None in particular for this issue itself (as I have no setup available
> making use of it). Lazslo?

s/Lazslo/Laszlo/; As you can read from the commit (in the NEWS file), 'AUTH LOGIN' was a draft only, never made it to the IETF RFC. As such, even if it is implemented in a mail server, 'AUTH PLAIN' should precede such authentication. In short, I think such a misbehaving IMAP server might not exist. This issue might be found by a static code analyzer of fetchmail and not by actual usage.

> I have uploaded the proposed package to debusine for further testing:
> https://debusine.debian.net/debian/developers/work-request/229521/

To be honest, I think a full package update should be done for Trixie at least (probably a release after 6.6.0 as that has a minor glitch). Reason is, even 6.5.x releases will lose support by the end of this year (2025). As I understand it, there was no support removed between 6.4.39 (Trixie) and the current (and long time supported release of) 6.6.0 version. We should get a solid base with the latter instead of backporting specific commits.
But let's hear what upstream developer Matthias says on this.

Regards,
Laszlo/GCS

[1] https://gitlab.com/fetchmail/fetchmail/-/blob/6.5.7/NEWS
[2] https://gitlab.com/fetchmail/fetchmail/-/commit/3c9e49d70e5d958f10b94fc58b3c5046f87cff7a

