3 files changed, 50 insertions, 3 deletions
@@ -1,10 +1,56 @@
-GNU mailutils NEWS -- history of user-visible changes. 2019-09-11
+GNU mailutils NEWS -- history of user-visible changes. 2019-11-06
Copyright (C) 2002-2019 Free Software Foundation, Inc.
See the end of file for copying conditions.
Please send mailutils bug reports to <email@example.com>.
-Version 3.7.90 (git)
+Version 3.8 - 2019-11-06
+* The maidag utility is withdrawn
+The main purpose of this utility was to work as local mail delivery
+agent (MDA), a program responsible for final delivery of email messages
+to the recipient's mailbox. As such it required suid privileges.
+In parallel with its main purpose, it also was able to work in two
+other modes: the 'url' mode, designed to deliver mails to arbitrary
+mailbox URLs, and 'lmtp' mode, in which it acted as local mail
+transport daemon. Neither of these needed suid privileges.
+The unfortunate design decision to combine the three modes in a single
+versatile tool resulted in local privilege escalation threat in 'url'
+To fix this, maidag has been replaced by three different utilities,
+each one with a precisely defined purpose and carefully designed
+privileges: mda, lmtpd, and putmail.
+GNU Mail Delivery Agent, the program used by mail transport agent for
+local mail delivery. MTA starts it with non-root privileges, so it
+needs the setuid bit in order to be able to assume the recipient's
+identity when delivering mail. User input is limited to the actual
+message, which is read from the standard input. The usual flexible
+mailutils configuration subsystem is disabled in this utility, all
+settings being read from the main configuration file only. This file
+is writable only for root. Configuration settings cannot be altered
+from the command line.
+The command line usage is mostly compatible with the maidag, which
+facilitates transition to mda.
+GNU Local Mail Transfer Protocol daemon. Normally it is started by
+root and remains in the background serving LMTP connections from the
+A user tool for delivering messages to the specified mailbox URL.
+Runs with user privileges. This provides the functionality of 'maidag
+--url', without any security implications.
* Use of TLS in pop3d run from inetd
@@ -23,6 +23,7 @@ Kostas Zorbadelos <firstname.lastname@example.org>
Kurt Hackenberg <email@example.com>
Matthew Whitworth <firstname.lastname@example.org>
+Mike Gualtieri <email@example.com>
Neil R. Ormos <firstname.lastname@example.org>
Olivier Bornet <Olivier.Bornet@smartdata.ch>
diff --git a/configure.ac b/configure.ac
index 5c7717289..61a490148 100644
@@ -16,7 +16,7 @@ dnl You should have received a copy of the GNU General Public License along
dnl with GNU Mailutils. If not, see <http://www.gnu.org/licenses/>.
-AC_INIT([GNU Mailutils], [3.7.90], [email@example.com], [mailutils],
+AC_INIT([GNU Mailutils], [3.8], [firstname.lastname@example.org], [mailutils],