Re: Security advisory: uw-imap - 3 attachments

2005-10-14 Thread Eric Blake

According to Christian Weinberger on 10/14/2005 12:26 AM:
> I could not post to the cygwin applications list via gmane, so I reply
> to the main list. Apologies if this is not the way it should be done.

I don't know why cygwin-apps is registered as a one-way only list on
gmane, but I have also found it is annoying that you can't post there
through gmane.  It would take permission from the list owner for gmane to
change the policy on their mirroring of the list (at least gmane still
respects the subscriber-only posting rules).  However, gmane also has the
annoying property of not allowing file attachments, so you really should
be using a proper email client and not gmane when trying to send attachments.

As for your comments about cygwin applications, they really do belong on
cygwin-apps; I've changed the reply-to accordingly.  Also, attachments are
better received if they are MIME attachments, not uuencoded inline; and
with a text MIME type if they really are text based (the number of mail
clients out there that blindly assume every attachment should be marked
application/octet-stream is unfortunate).

 
> I'd be glad to assist the maintainer in building a 2004g package for
> cygwin.

There has been no response from the uw-imap maintainer, at least per
http://sources.redhat.com/ml/cygwin-apps/2005-10/msg00111.html.  If you
are volunteering to maintain it, you will need to respond directly on the
cygwin-apps list.

--
Life is short - so eat dessert first!

Eric Blake [EMAIL PROTECTED]


Re: Security advisory: uw-imap - 3 attachments

2005-10-14 Thread Christopher Faylor
On Fri, Oct 14, 2005 at 07:34:41AM -0600, Eric Blake wrote:
> According to Christian Weinberger on 10/14/2005 12:26 AM:
>> I could not post to the cygwin applications list via gmane, so I reply
>> to the main list.  Apologies if this is not the way it should be done.

> I don't know why cygwin-apps is registered as a one-way only list on
> gmane, but I have also found it is annoying that you can't post there
> through gmane.

cygwin-apps is a...  wait for it...  mailing list.  It is a *moderated*
mailing list.  It is moderated for a reason.  Having it moderated for
email and not moderated for anyone who figured out how to use gmane has
already been shown to be a bad idea.  I don't want a back door method
for people to send their bug reports and package requests to this list.

cgf


Re: Security advisory: uw-imap - 3 attachments

2005-10-14 Thread Eric Blake
 
> cygwin-apps is a...  wait for it...  mailing list.  It is a *moderated*
> mailing list.  It is moderated for a reason.  Having it moderated for
> email and not moderated for anyone who figured out how to use gmane has
> already been shown to be a bad idea.  I don't want a back door method
> for people to send their bug reports and package requests to this list.

But so is cygwin-patches, and gmane *can* post to cygwin-patches!

gmane requires a legitimate email address before posting, and
therefore gmane will not allow an unsubscribed user to post to
a moderated list.  The difference is whether gmane is set up as
a one-way list (as is cygwin-apps) or a moderated list (as is
cygwin-patches).  All I was asking is that gmane be told that
cygwin-apps can be treated like cygwin-patches, instead of
a one-way list.  But I can also live with the status quo, there
is no need to do this just because I asked if you don't want to.

--
Eric Blake




Re: Security advisory: uw-imap - 3 attachments

2005-10-14 Thread Christopher Faylor
On Fri, Oct 14, 2005 at 03:32:44PM +, Eric Blake wrote:
> cgf wrote:
>> cygwin-apps is a...  wait for it...  mailing list.  It is a *moderated*
>> mailing list.  It is moderated for a reason.  Having it moderated for
>> email and not moderated for anyone who figured out how to use gmane has
>> already been shown to be a bad idea.  I don't want a back door method
>> for people to send their bug reports and package requests to this list.

> But so is cygwin-patches, and gmane *can* post to cygwin-patches!

1) I didn't know that.

2) cygwin-patches hasn't (yet) been abused by people who send off-topic
email.  If it is abused, then I'll request similar blocking from gmane.

> gmane requires a legitimate email address before posting, and
> therefore gmane will not allow an unsubscribed user to post to
> a moderated list.

A person who registered via gmane to read
gmane.comp.accessibility.vision does not automatically qualify as a
person who should be able to send email to cygwin-apps.

> The difference is whether gmane is set up as a one-way list (as is
> cygwin-apps) or a moderated list (as is cygwin-patches).  All I was
> asking is that gmane be told that cygwin-apps can be treated like
> cygwin-patches, instead of a one-way list.  But I can also live with
> the status quo, there is no need to do this just because I asked if you
> don't want to.

I requested the one-way aspect of this gmane forum and would have taken
more draconian steps on sourceware.org if this option wasn't available.

cgf


Re: Security advisory: uw-imap - 3 attachments

2005-10-14 Thread Christian Weinberger
> uw-imap (whose maintainer, AFAICS, has yet to reply to
> Corinna's message) is vulnerable to remote overflow of a buffer in the
> IMAP server leading to execution of arbitrary code.
>
> The only solution is to upgrade to 2004g (current Cygwin release is
> 2002e!).

I built 2004g and it nearly builds ootb.

The only patch necessary is for CRAM-MD5 auth. This patch is well known
and has been used for the 2002e version also. All other patches that
have been necessary for 2002e have already been integrated in the 2004g
release. 

I could not post to the cygwin applications list via gmane, so I reply
to the main list. Apologies if this is not the way it should be done.

I'd be glad to assist the maintainer in building a 2004g package for
cygwin.

I'm facing two minor issues:
- the first is described here in detail:
  http://www.cygwin.com/ml/cygwin/2004-11/msg01137.html
  it has always been there for me (even with the 2002e package), so I
  don't think it is a new problem
- second, when I use dmail from .procmailrc, it causes a stackdump
  at the end of the delivery process. But all logs are written fine and
  all mail gets delivered, so it is more a cosmetic thing (IMHO)

Attached you find 3 patches:
1) imap-2004c1.cram-md5-auth.patch
It is necessary for cram-md5 to work.

2) imap-2004c1.mbx-by-default.patch (optional)
Local mailboxes are created in MBX format by default, which allows
simultaneous rw access by multiple sessions. New mail has to be spooled
to a mbox format mailbox in /var/spool/mail/user, but is transferred to
~/Mail/INBOX by UW-IMAP immediately.

3) imap-2004c1.mailsubdir-Mail.patch (optional)
Mail is stored in the user's ~/Mail folder.

The last two patches make uw-imap behave more compliant to modern UNIX
standards and more capable. These are not real patches, but
configuration options for uw-imap. If you migrate from an older version
of uw-imap that has been configured differently, you have to move the
mailbox files to the new folder locations.



Regards,
Christian

