Changelog
getmail4 (4.46.0-1~deb7u1) wheezy-security; urgency=high
* Address security issues (MITM: CVE-2014-7273, CVE-2014-7274,
and CVE-2014-7275) with the newer upstream release. The
upstream stated: The changes in getmail to allow it to
perform server SSL certificate validation and various other
advanced SSL options: would you call those a new feature?
Because it clearly is. But on the other hand, some people
consider the previous behaviour a bug, so perhaps it's a
bugfix. But others say it closes a security hole, so it's a
security fix. I see no way to make a clear-cut distinction
between any of those three possibilities. I don't think you
need to drop *anything*. getmail hasn't had much in the way
of new features in many years, and I try to maintain
compatibility as much as is practical. Just update to the
latest version. ... specifically in regards to getmail in
its "mature" state, where pretty much the only changes going
in are bugfixes and minor feature enhancements, which are
difficult to distinguish between. ... I hope Debian can
simply accept the newer version of getmail; as I said, I try
very hard to keep it compatible when things like the
additional SSL certificate options were added, and getmail
v.4 by itself is more than ten years old at this point, long
into its quiescent "adult" period as far as software goes ;)
Closes: #766670
-- Osamu Aoki <email address hidden> Tue, 25 Nov 2014 22:21:12 +0900