From patchwork Sat Sep 18 18:01:36 2021
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1529691
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Bernd Kuhls
Date: Sat, 18 Sep 2021 20:01:36 +0200
Message-Id: <20210918180137.1766-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] package/fetchmail: security bump to version 6.4.22

Fixes the following security issues:

- CVE-2021-39272: Fetchmail before 6.4.22 fails to enforce STARTTLS session
  encryption in some circumstances, such as a certain situation with IMAP
  and PREAUTH.
  https://www.fetchmail.info/fetchmail-SA-2021-02.txt

Update COPYING hash for a clarification of the license situation with
openssl 3.x (which is Apache 2.0 licensed):
https://gitlab.com/fetchmail/fetchmail/-/commit/8eed56c21ca5bbdf3c00aaf74d807bcad8713ba9

Signed-off-by: Peter Korsgaard
---
 package/fetchmail/fetchmail.hash | 8 +++-----
 package/fetchmail/fetchmail.mk | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/package/fetchmail/fetchmail.hash b/package/fetchmail/fetchmail.hash index 30df3eb834..88deb343c4 100644 --- a/package/fetchmail/fetchmail.hash +++ b/package/fetchmail/fetchmail.hash 
@@ -1,6 +1,4 @@ -# From https://sourceforge.net/p/fetchmail/mailman/message/37327392/ -sha256 6a459c1cafd7a1daa5cd137140da60c18c84b5699cd8e7249a79c33342c99d1d fetchmail-6.4.21.tar.xz -# From https://sourceforge.net/projects/fetchmail/files/branch_6.4/ -sha1 a264c50256c2b42d2c7893f9efae7c9a29350786 fetchmail-6.4.21.tar.xz +# From https://sourceforge.net/p/fetchmail/mailman/message/37350119/ +sha256 cc6818bd59435602169fa292d6d163d56b21c7f53112829470a3aceabe612c84 fetchmail-6.4.22.tar.xz # Locally computed: -sha256 6346b5aa04e258fa4326272ea92372d796b4382aa963535ae98a3bb5f8cd5aeb COPYING +sha256 001d1b8d111a83e3bab8b4d511ea4767d37d3bd0583560fccece630df1ba8f3c COPYING diff --git a/package/fetchmail/fetchmail.mk b/package/fetchmail/fetchmail.mk index 0b4cf39cbd..77d9733296 100644 --- a/package/fetchmail/fetchmail.mk +++ b/package/fetchmail/fetchmail.mk @@ -5,7 +5,7 @@ ################################################################################ FETCHMAIL_VERSION_MAJOR = 6.4 -FETCHMAIL_VERSION = $(FETCHMAIL_VERSION_MAJOR).21 +FETCHMAIL_VERSION = $(FETCHMAIL_VERSION_MAJOR).22 FETCHMAIL_SOURCE = fetchmail-$(FETCHMAIL_VERSION).tar.xz FETCHMAIL_SITE = http://downloads.sourceforge.net/project/fetchmail/branch_$(FETCHMAIL_VERSION_MAJOR) FETCHMAIL_LICENSE = GPL-2.0; some exceptions are mentioned in COPYING
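
Review bot: in the fetchmail.hash hunk, the sha1 entry and its "# From https://sourceforge.net/projects/fetchmail/files/branch_6.4/" comment are removed instead of being updated for fetchmail-6.4.22.tar.xz, and the commit message does not mention it. The message explains the COPYING hash change but not this one, so add a sentence saying the sha1 was dropped on purpose, or keep a second hash if upstream still provides one for 6.4.22. As it stands the tarball is checked against a single sha256 taken from the mailing-list announcement.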
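
Review bot: in the fetchmail.mk hunk, the unchanged context line "FETCHMAIL_SITE = http://downloads.sourceforge.net/project/fetchmail/branch_$(FETCHMAIL_VERSION_MAJOR)" still fetches the tarball over plain http://, so the integrity of the download rests entirely on the one sha256 left in fetchmail.hash. For a bump whose purpose is a transport-encryption fix (CVE-2021-39272), consider switching this URL to https:// here or in a follow-up patch. The version change itself, ".21" to ".22", matches the tarball name in the hash file.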