Hello community, here is the log from the commit of package mailutils for openSUSE:Factory checked in at 2019-11-15 22:33:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mailutils (Old) and /work/SRC/openSUSE:Factory/.mailutils.new.26869 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mailutils" Fri Nov 15 22:33:13 2019 rev:6 rq:747751 version:3.8 Changes: --------
--- /work/SRC/openSUSE:Factory/mailutils/mailutils.changes 2019-11-03 11:37:18.181851971 +0100
+++ /work/SRC/openSUSE:Factory/.mailutils.new.26869/mailutils.changes 2019-11-15 22:33:13.932048154 +0100
@@ -1,0 +2,27 @@
+Tue Nov 12 08:34:36 UTC 2019 - Dr. Werner Fink <wer...@suse.de>
+
+- Update to mailutils 3.8
+ * The maidag utility is withdrawn (CVE-2019-18862, bsc#1156495)
+ The main purpose of this utility was to work as local mail delivery
+ agent (MDA), a program responsible for final delivery of email messages
+ to the recipient's mailbox. As such it required suid privileges.
+ In parallel with its main purpose, it also was able to work in two
+ other modes: the 'url' mode, designed to deliver mails to arbitrary
+ mailbox URLs, and 'lmtp' mode, in which it acted as local mail
+ transport daemon. Neither of these needed suid privileges.
+ The unfortunate design decision to combine the three modes in a single
+ versatile tool resulted in local privilege escalation threat in 'url'
+ mode.
+ To fix this, maidag has been replaced by three different utilities,
+ each one with a precisely defined purpose and carefully designed
+ privileges: mda, lmtpd, and putmail.
+ * mda
+ * lmtpd
+ * putmail
+ * Use of TLS in pop3d run from inetd
+ * comsatd --test
+ * mail
+ ** fix the semantics of 'hold' and 'keepsave' variables
+ ** New message type specification ":s"
+
+-------------------------------------------------------------------
Old: ---- mailutils-3.7.tar.xz New: ---- mailutils-3.8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mailutils.spec ++++++
--- /var/tmp/diff_new_pack.Bsw3oD/_old 2019-11-15 22:33:14.664047833 +0100
+++ /var/tmp/diff_new_pack.Bsw3oD/_new 2019-11-15 22:33:14.672047830 +0100
@@ -24,12 +24,12 @@ %define somajor 5 Name: mailutils -Version: 3.7 +Version: 3.8 Release: 0 Summary: GNU Mailutils License: LGPL-3.0-or-later AND GPL-3.0-or-later Group: Productivity/Networking/Email/Clients -Url: https://mailutils.org/ +URL: https://mailutils.org/ Source: ftp://ftp.gnu.org/gnu/mailutils/%{name}-%{version}.tar.xz Source1: %{name}-3.5-guile-2.0.tar.xz Source2: %{name}-rpmlintrc @@ -242,7 +242,7 @@ --disable-rpath \ %if %{without set_user_identity} --disable-build-dotlock \ - --disable-build-maidag \ + --disable-build-mda \ %endif %if 0 --disable-silent-rules \ @@ -413,7 +413,9 @@ %if %{with set_user_identity} %files delivery %defattr(-,root,root) -%attr(04755,root,root) %verify(not mode) %{_sbindir}/maidag +%{_sbindir}/lmtpd +%attr(04755,root,root) %verify(not mode) %{_sbindir}/mda +%{_bindir}/putmail %endif %files notify ++++++ lisp-load-silent.patch ++++++ --- /var/tmp/diff_new_pack.Bsw3oD/_old 2019-11-15 22:33:14.708047813 +0100 +++ /var/tmp/diff_new_pack.Bsw3oD/_new 2019-11-15 22:33:14.712047812 +0100 @@ -4,7 +4,7 @@ --- mh/etc/mailutils-mh.eli +++ mh/etc/mailutils-mh.eli 2018-05-30 10:14:00.665396617 +0000 -@@ -19,7 +19,7 @@ +@@ -18,7 +18,7 @@ (setq mh-progs "BINDIR") (setq mh-lib "MHLIBDIR") (setq mh-lib-progs mh-progs) ++++++ mailutils-3.5-guile-2.0.patch ++++++ --- /var/tmp/diff_new_pack.Bsw3oD/_old 2019-11-15 22:33:14.724047807 +0100 +++ /var/tmp/diff_new_pack.Bsw3oD/_new 2019-11-15 22:33:14.736047802 +0100 @@ -4,7 +4,7 @@ --- configure.ac +++ configure.ac 2018-11-21 10:04:03.759560432 +0000 -@@ -1148,7 +1148,7 @@ AC_SUBST([GUILE_BINDIR]) +@@ -1178,7 +1178,7 @@ AC_SUBST([GUILE_BINDIR]) AC_SUBST([LIBMU_SCM]) AC_SUBST([LIBMU_SCM_DEPS]) AC_SUBST([MU_GUILE_SIEVE_MOD_DIR]) 
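Review bot: In the `@@ -242,7 +242,7 @@` hunk the `%if %{without set_user_identity}` branch swaps a single switch, `--disable-build-maidag` for `--disable-build-mda`, although maidag has been split into three programs. Whether that one switch also keeps lmtpd and putmail out of the build is not visible here. The `%files delivery` hunk at `-413` lists all three only under `%if %{with set_user_identity}`, so in the other build variant they may be built and installed but left unpackaged. A comment above the switch stating what it covers would settle this, e.g. `# also disables lmtpd and putmail (confirm against the 3.8 configure)`. The configure invocation starts and ends outside the hunk.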
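Review bot: In the `@@ -413,7 +413,9 @@` hunk the `%attr(04755,root,root)` entry moves the setuid-root bit from maidag to `%{_sbindir}/mda`, and the spec does not record why only this one of the three replacements gets it. The changelog attributes CVE-2019-18862 to a setuid tool that did more than local delivery, so a comment above the line would protect the split in later updates, e.g. `# only mda is setuid root; lmtpd and putmail must stay unprivileged (CVE-2019-18862)`. `%verify(not mode)` also makes `rpm -V` skip the mode of this file, so a changed or cleared setuid bit is not reported by package verification. It is worth confirming that the mode is tracked by the distribution's permissions handling, which is not visible here. The `%files delivery` section begins before the hunk.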
@@ -13,7 +13,7 @@ [useguile=yes AC_DEFINE([WITH_GUILE],1,[Enable Guile support]) GUILE_BINDIR=`guile-config info bindir` -@@ -1345,7 +1345,6 @@ MU_CONFIG_TESTSUITE(mh) +@@ -1375,7 +1375,6 @@ MU_CONFIG_TESTSUITE(mh) MU_CONFIG_TESTSUITE(comsat) MU_CONFIG_TESTSUITE(imap4d) MU_CONFIG_TESTSUITE(mimeview) ++++++ mailutils-3.7.tar.xz -> mailutils-3.8.tar.xz ++++++ ++++ 126755 lines of diff (skipped) ++++++ silent-rpmlint-with_initgroups.patch ++++++ --- /var/tmp/diff_new_pack.Bsw3oD/_old 2019-11-15 22:33:16.196047161 +0100 +++ /var/tmp/diff_new_pack.Bsw3oD/_new 2019-11-15 22:33:16.200047159 +0100 @@ -6,7 +6,7 @@ --- comsat/comsat.c +++ comsat/comsat.c 2018-06-07 08:51:30.882263156 +0000 -@@ -516,6 +516,7 @@ change_user (const char *user) +@@ -535,6 +535,7 @@ change_user (const char *user) return 1; } @@ -16,7 +16,7 @@ chdir (pw->pw_dir); --- comsat/comsat.h +++ comsat/comsat.h 2018-06-07 09:57:24.467620564 +0000 -@@ -36,6 +36,7 @@ +@@ -35,6 +35,7 @@ #include <syslog.h> #include <string.h> #include <pwd.h> @@ -26,7 +26,7 @@ --- pop3d/user.c +++ pop3d/user.c 2018-06-07 08:56:38.448784813 +0000 -@@ -38,8 +38,10 @@ pop3d_begin_session () +@@ -37,8 +37,10 @@ pop3d_begin_session () return ERR_LOGIN_DELAY; }