developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
"A vulnerability in UW-imapd can be exploited by malicious users to
cause a DoS (Denial of Service) or compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the
"mail_valid_net_parse_work()" function when copying the user supplied
mailbox name to a stack buffer. This can be exploited to cause a
stack-based buffer overflow via a specially crafted mailbox name that
contains an single opening double-quote character, without the
corresponding closing double-quote.
Successful exploitation allows arbitrary code execution, but requires
valid credentials on the IMAP server."
http://secunia.com/advisories/17062/
www.idefense.com/application/poi/display?id=313&type=vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933
Patch from 2004g.
Changes (note that relnotes say -2004d, but it is indeed -2004e):
=====
imap-2004d is a maintenance release, released concurrently with Pine
4.63, and consists primarily of bugfixes
There is now a workaround for RedHat breaking flock(). However, since
RedHat has said that they don't support flock(), there is no guarantee
that they won't break it in the future. So you may want to consider some
other Linux distribution or BSD instead. See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123415
for the gruesome details.
There are no user-visible functional enhancements in this version.
=====
OTHER CHANGE: Multiple newsrc and MSA support needed by Pine 4.63.
imap-2004c:
fixes to quoted-printable encoding and CRAM-MD5 authentication.
NNTP proxy in imapd now supports the LIST and LSUB commands.
imap-2004b:
There are new ports for Solaris with Blastwave Community Open
Source Software (gcs) and Mandrake Linux (lmd).
SET_SNARFINTERVAL now controls how frequently local drivers
will move new mail from the mail spool as well as from a
maildrop. Maildrops are still tied to a minimum interval of
1 minute, but there is now no minimum for the spool file.
Character set conversions now map non-breaking space to space
if the destination character set doesn't have nbsp. JIS Roman
yen sign is now mapped to Unicode yen sign.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
* maintenance release, consisting primarily of critical bugfixes
* now has a supported NNTP proxy capability
* OSF/1 port (Digital UNIX, Tru64) now uses flocksim instead of flcksafe
* The unix[nt] and mmdf drivers now prevent mail_append() from writing Status:,
X-Status:, X-UID, X-IMAP[base]:, and X-Keywords: header lines to a
traditional UNIX or MMDF format mailbox
* mailutil has three new commands: delete, rename, and prune
* IPv6 support now exists for UNIX and W2K
* The NNTP driver now supports NNTP SASL and TLS
* imapd now supports the LITERAL+ and SASL-IR initial-response extensions
* The IMAP driver has some additional checks to reduce the amount of network
traffic, including executing "silly searches" (searches of sequence numbers
only) locally
* The IMAP, POP, SMTP, and NNTP drivers now have diagnostic code to provide
better information about servers which violate SASL's empty challenge
requirements (e.g. with the PLAIN mechanism).
* There is a new mail_fetch_overview_sequence() function which is like
mail_fetch_overview() but takes a sequence number string as an argument.
There should have been a flags argument and FT_UID bit as in all the other
mail_fetch_???() functions but compatibility with the past... :-(
* The overview_t callback (from mail_fetch_overview()) now has a fourth
argument which contains the message sequence number (as opposed to the UID
which is in the second argument). It turned out that some applications were
calling mail_msgno() (which can be moderately expensive) to get the sequence
number, and c-client already knew it.
* Many declarations which are completely internal to a driver have been removed
from the driver .h file, and in those cases where there are no external
declarations left the .h file has been eliminated entirely. As part of this,
the mbox driver routines are now incorporated with the unix driver routines
as opposed to being a separate file. The mbox driver still needs to be lunk
in order to get the mbox functionality.
