Hello,

This is to inform you that GNU mailutils version 3.8 is available for download. This stable release fixes an important security flaw and introduces several new features. Please see the end of this message for details.
Here are the compressed sources:

  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.gz   (6.5MB)
  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.bz2  (4.4MB)
  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.xz   (2.9MB)

Here are the GPG detached signatures[*]:

  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.gz.sig
  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.bz2.sig
  https://ftp.gnu.org/gnu/mailutils/mailutils-3.8.tar.xz.sig

Use a mirror for higher download bandwidth:

  https://www.gnu.org/order/ftp.html

Here are the MD5 and SHA1 checksums:

  8329ccc1ffd59721c7fd2c376c0ff9e7  mailutils-3.8.tar.gz
  f5415d18bca06eaff82e6c225810999a  mailutils-3.8.tar.bz2
  283f803ea2057d50ecabf9fd8de9b776  mailutils-3.8.tar.xz
  f650fa52721b32fe2f7b2cbc4a479aa793880c4a  mailutils-3.8.tar.gz
  2b751b7dc831f7b28162656f83ed815cafba936a  mailutils-3.8.tar.bz2
  5ef6f6c58b95c24acf1181c53586ff1f09de25c0  mailutils-3.8.tar.xz

[*] Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this:

  gpg --verify mailutils-3.8.tar.gz.sig

If that command fails because you don't have the required public key, then run this command to import it:

  gpg --keyserver keys.gnupg.net --recv-keys 3602B07F55D0C732

and rerun the 'gpg --verify' command.

Important changes in this release:

* The maidag utility is withdrawn

The main purpose of this utility was to work as a local mail delivery agent (MDA), a program responsible for final delivery of email messages to the recipient's mailbox. As such it required suid privileges. In parallel with its main purpose, it was also able to work in two other modes: the 'url' mode, designed to deliver mails to arbitrary mailbox URLs, and 'lmtp' mode, in which it acted as a local mail transport daemon. Neither of these needed suid privileges.
The unfortunate design decision to combine the three modes in a single versatile tool resulted in a local privilege escalation threat in 'url' mode.

To fix this, maidag has been replaced by three different utilities, each one with a precisely defined purpose and carefully designed privileges: mda, lmtpd, and putmail.

* mda

GNU Mail Delivery Agent, the program used by the mail transport agent for local mail delivery. The MTA starts it with non-root privileges, so it needs the setuid bit in order to be able to assume the recipient's identity when delivering mail. User input is limited to the actual message, which is read from the standard input. The usual flexible mailutils configuration subsystem is disabled in this utility, all settings being read from the main configuration file only. This file is writable only for root. Configuration settings cannot be altered from the command line.

The command line usage is mostly compatible with maidag, which facilitates transition to mda.

* lmtpd

GNU Local Mail Transfer Protocol daemon. Normally it is started by root and remains in the background serving LMTP connections from the MTA.

* putmail

A user tool for delivering messages to the specified mailbox URL. Runs with user privileges. This provides the functionality of 'maidag --url', without any security implications.

* Use of TLS in pop3d run from inetd

New global configuration statement "tls-mode" configures TLS for use in inetd mode. The certificate and key files are configured by the global "tls" compound statement. Example configuration (pop3s server):

  mode inetd;
  tls-mode connection;
  tls {
    ssl-key-file /etc/ssl/key.pem;
    ssl-certificate-file /etc/ssl/cert.pem;
  }

* comsatd --test

The --test option takes an optional argument: name of the tty or file to use for reporting.

* mail

** fix the semantics of 'hold' and 'keepsave' variables

** New message type specification ":s"

Selects messages in state 'saved'.

Best regards,
Sergey