Subject: CVS commit: pkgsrc/mail/getmail
To: None <pkgsrc-changes@NetBSD.org>
From: Amitai Schlair <schmonz@netbsd.org>
List: pkgsrc-changes
Date: 10/20/2004 21:55:12
Module Name:	pkgsrc
Committed By:	schmonz
Date:		Wed Oct 20 21:55:12 UTC 2004

Modified Files:
	pkgsrc/mail/getmail: Makefile distinfo

Log Message:
Update to 4.2.2. From the changelog:

Version 4.1.5
13 September 2004

  -getmail would not delete messages from the server if it was configured not
  to retrieve them and the delete_after directive was not in use (i.e. user
  normally left messages on server but occasionally wanted to force-delete
  them).  Fixed.  Thanks:  Frankye Fattarelli.

Version 4.2.0
18 September 2004

  -SECURITY: previous versions of getmail contain a security vulnerability.
  A local attacker with a shell account could exploit a race condition (or a
  similar symlink attack) to cause getmail to create or overwrite files in a
  directory of the local user's choosing if the system administrator ran getmail
  as root and delivered messages to a maildir or mbox file under the control of
  the attacker, resulting in a local root exploit.  Fixed in versions 4.2.0
  and 3.2.5.
  This vulnerability is not exploitable if the administrator does not deliver
  mail to the maildirs/mbox files of untrusted local users, or if getmail is
  configured to use an external unprivileged MDA.  This vulnerability is
  not remotely exploitable.
  Thanks: David Watson.  My gratitude to David for his work on finding and
  analyzing this problem.
  -Now, on Unix-like systems when run as root, getmail forks a child
  process and drops privileges before delivering to maildirs or mbox files.
  getmail will absolutely refuse to deliver to such destinations as root;
  the uid to switch to must be configured in the getmailrc file.
  -revert behaviour regarding delivery to non-existent mbox files.  Versions
  4.0.0 through 4.1.5 would create the mbox file if it did not exist; in
  versions 4.2.0 and up, getmail reverts to the v.3 behaviour of refusing
  to do so.

Version 4.2.1
8 October 2004

  -set message attributes on corrupt container objects to prevent problems
  with destinations that expect multidrop-retrieved messages.
  Thanks: Harry Wearne.
  -move tests for existence of file from mbox destination initialization
  to delivery method, and change error from configuration to delivery error.
  Thanks: David Watson.

Version 4.2.2
11 October 2004

  -in child delivery processes, change real as well as effective uid/gid.
  Thanks: David Watson.
  -handle corrupted oldmail file better.  Thanks: Matthias Andree.


To generate a diff of this commit:
cvs rdiff -r1.32 -r1.33 pkgsrc/mail/getmail/Makefile
cvs rdiff -r1.25 -r1.26 pkgsrc/mail/getmail/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
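
The delivery model in the 4.2.0 and 4.2.2 changelog entries above (fork a child, change real as well as effective uid/gid, refuse to deliver as root, refuse to create a missing mbox), shown in Python as an added example that is not getmail's code and not part of this commit. The names `drop_privileges` and `deliver_mbox` are hypothetical, and opening with O_NOFOLLOW and without O_CREAT is an assumed way to reject a symlinked or missing mbox.

```python
import os
import stat

def drop_privileges(uid, gid):
    """Permanently switch real and effective ids; never deliver as root."""
    if uid == 0:
        raise ValueError("refusing to deliver as root")
    if os.geteuid() == 0:
        os.setgroups([])   # clear supplementary groups while still root
    os.setgid(gid)         # group first: after setuid() this would be denied
    os.setuid(uid)         # as root this sets real, effective and saved uid
    ids = (os.getuid(), os.geteuid(), os.getgid(), os.getegid())
    if ids != (uid, uid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    try:
        os.setuid(0)       # must fail, otherwise the drop can be undone
    except PermissionError:
        return
    raise RuntimeError("root privileges can be regained")

def deliver_mbox(path, data, uid, gid):
    """Append data to an existing mbox from a forked, unprivileged child.

    Returns True only if the child exited cleanly after writing.
    """
    pid = os.fork()
    if pid == 0:           # child: must never return into the caller's code
        status = 1
        try:
            drop_privileges(uid, gid)
            # No O_CREAT: a missing mbox is a delivery error, not a new file.
            # O_NOFOLLOW: a symlink as the final path component is rejected.
            fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW)
            try:
                if not stat.S_ISREG(os.fstat(fd).st_mode):
                    raise OSError("not a regular file")
                os.write(fd, data)
            finally:
                os.close(fd)
            status = 0
        except Exception:
            pass           # any failure is reported through the exit status
        finally:
            os._exit(status)
    _, wait_status = os.waitpid(pid, 0)
    return os.WIFEXITED(wait_status) and os.WEXITSTATUS(wait_status) == 0
```

Because the open happens after the uid change, the kernel checks every path component against the recipient's permissions rather than root's.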