Bug#1120380: trixie-pu: package fetchmail/6.4.39-1+deb13u1
Hi Salvatore,
On Sat, Nov 8, 2025 at 3:09 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
> The time is a bit tight now given the window is closing this weekend for
> uploads for the next trixie point release. I was looking which minor
> CVE fixes are open, and noticed that we have CVE-2025-61962 which
> might be low enough to still get in, but I would like to have an ack
> from Lazslo, otherwise later point release is I guess fine.
s/Lazslo/Laszlo/. While you are right, this should be fixed, please
note that the mentioned fix is not final. The 6.5.7 release contains a
bugfix [1] for this and noted as: "However, to improve compatibility,
fetchmail now accepts anything that starts with "334" and disregards
the remainder of the line.". See the full commit [2] for this.
> [ Tests ]
> None in particular for this issue itself (as I have no setup available
> making use of it). Lazslo?
s/Lazslo/Laszlo/; As you can read from the commit (in the NEWS
file), 'AUTH LOGIN' was a draft only, never made it to the IETF RFC.
As such, even if it is implemented in a mail server, 'AUTH PLAIN'
should precede such authentication. In short, I think such a
misbehaving IMAP server might not exist. This issue might be found by
a static code analyzer of fetchmail and not by actual usage.
> I have uploaded the proposed package to debusine for further testing:
> https://debusine.debian.net/debian/developers/work-request/229521/
To be honest, I think a full package update should be done for Trixie
at least (probably a release after 6.6.0 as that has a minor glitch).
Reason is, even 6.5.x releases will lose support by the end of this
year (2025).
As I understand it, there was no support removed between 6.4.39
(Trixie) and the current (and long time supported release of) 6.6.0
version. We should get a solid base with the latter instead of
backporting specific commits. But let's hear what upstream developer
Matthias says on this.
Regards,
Laszlo/GCS
[1] https://gitlab.com/fetchmail/fetchmail/-/blob/6.5.7/NEWS
[2] https://gitlab.com/fetchmail/fetchmail/-/commit/3c9e49d70e5d958f10b94fc58b3c5046f87cff7a