Hi László,

On Sat, Nov 08, 2025 at 05:40:10PM +0100, László Böszörményi (GCS) wrote:
> Hi Salvatore,
>
> On Sat, Nov 8, 2025 at 3:09 PM Salvatore Bonaccorso <[email protected]> wrote:
> > The time is a bit tight now given window is closing this weekend for
> > uploads for the next trixie point release. I was looking which minor
> > CVE fixes are open, and noticed that we have CVE-2025-61962 which
> > might be low enough to still get in, but I would like to have an ack
> > from Lazslo, otherwise later point release is I guess fine.
> s/Lazslo/Laszlo/.

Sorry for the typo. I know you know I know your name, and apologies for
the mistake happened while typing, twice (I do often swap some letters,
but proof reading would help).

> While you are right, this should be fixed, please
> note that the mentioned fix is not final. The 6.5.7 release contains a
> bugfix [1] for this and noted as: "However, to improve compatibility,
> fetchmail now accepts anything that starts with "334" and disregards
> the remainder of the line.". See the full commit [2] for this.

Thanks for pointing that out. Those were exactly the things why I did
want to hear feedback if the proposed update makes sense. So for now I
retract the proposed update.

> > [ Tests ]
> > None in particular for this issue itself (as I have no setup available
> > making use of it). Lazslo?
> s/Lazslo/Laszlo/; As you can read from the commit (in file NEWS
> file), 'AUTH LOGIN' was a draft only, never made it to the IETF RFC.
> As such, even if it is implemented in a mail server, 'AUTH PLAIN'
> should precede such authentication. In short, I think such a
> misbehaving IMAP server might not exist. This issue might be found by
> a static code analyzer of fetchmail and not by actual usage.
>
> > I have uploaded the proposed package to debusine for further testing:
> > https://debusine.debian.net/debian/developers/work-request/229521/
> To be honest, I think a full package update should be done for Trixie
> at least (probably a release after 6.6.0 as that has a minor glitch).
> Reason is, even 6.5.x releases will lose support by the end of this
> year (2025).

Ok understood, we need to hear as well from SRM how they feel about
such an update. I think what will be needed here is at least a
(filtered) debdiff, along to illustrate the confidence on the rebase.

> As I understand it, there was no support removed between 6.4.39
> (Trixie) and the current (and long time supported release of) 6.6.0
> version. We should get a solid base with the latter instead of
> backporting specific commits. But let's hear what upstream developer
> Matthias says on this.

Ok, let's wait as well for input from Matthias.

Regards,
Salvatore

