diff options
-rw-r--r-- | NEWS | 50 | ||||
-rw-r--r-- | THANKS | 1 | ||||
-rw-r--r-- | configure.ac | 2 |
3 files changed, 50 insertions, 3 deletions
@@ -1,10 +1,56 @@ -GNU mailutils NEWS -- history of user-visible changes. 2019-09-11 +GNU mailutils NEWS -- history of user-visible changes. 2019-11-06 Copyright (C) 2002-2019 Free Software Foundation, Inc. See the end of file for copying conditions. Please send mailutils bug reports to <bug-mailutils@gnu.org>. -Version 3.7.90 (git) +Version 3.8 - 2019-11-06 + +* The maidag utility is withdrawn + +The main purpose of this utility was to work as local mail delivery +agent (MDA), a program responsible for final delivery of email messages +to the recipient's mailbox. As such it required suid privileges. + +In parallel with its main purpose, it also was able to work in two +other modes: the 'url' mode, designed to deliver mails to arbitrary +mailbox URLs, and 'lmtp' mode, in which it acted as local mail +transport daemon. Neither of these needed suid privileges. + +The unfortunate design decision to combine the three modes in a single +versatile tool resulted in local privilege escalation threat in 'url' +mode. + +To fix this, maidag has been replaced by three different utilities, +each one with a precisely defined purpose and carefully designed +privileges: mda, lmtpd, and putmail. + +* mda + +GNU Mail Delivery Agent, the program used by mail transport agent for +local mail delivery. MTA starts it with non-root privileges, so it +needs the setuid bit in order to be able to assume the recipient's +identity when delivering mail. User input is limited to the actual +message, which is read from the standard input. The usual flexible +mailutils configuration subsystem is disabled in this utility, all +settings being read from the main configuration file only. This file +is writable only for root. Configuration settings cannot be altered +from the command line. + +The command line usage is mostly compatible with the maidag, which +facilitates transition to mda. + +* lmtpd + +GNU Local Mail Transfer Protocol daemon. Normally it is started by +root and remains in the background serving LMTP connections from the +MTA. + +* putmail + +A user tool for delivering messages to the specified mailbox URL. +Runs with user privileges. This provides the functionality of 'maidag +--url', without any security implications. * Use of TLS in pop3d run from inetd @@ -23,6 +23,7 @@ Kostas Zorbadelos <kzorba@otenet.gr> Kurt Hackenberg <kh@panix.com> Matthew Whitworth <matthew@okcomputer.org> maks <maksqwe1@ukr.net> +Mike Gualtieri <mike.gualtieri@gmail.com> Neil R. Ormos <ormos@ormos.org> Olivier Bornet <Olivier.Bornet@smartdata.ch> Pierre-Jean <lists@utroff.org> diff --git a/configure.ac b/configure.ac index 5c7717289..61a490148 100644 --- a/configure.ac +++ b/configure.ac @@ -16,7 +16,7 @@ dnl You should have received a copy of the GNU General Public License along dnl with GNU Mailutils. If not, see <http://www.gnu.org/licenses/>. AC_PREREQ(2.63) -AC_INIT([GNU Mailutils], [3.7.90], [bug-mailutils@gnu.org], [mailutils], +AC_INIT([GNU Mailutils], [3.8], [bug-mailutils@gnu.org], [mailutils], [http://mailutils.org]) AC_CONFIG_SRCDIR([libmailutils/mailbox/mailbox.c]) AC_CONFIG_AUX_DIR([build-aux]) |