On 17.03.16 21:59, Albrecht Dreß wrote:
Debian has libesmtp 1.0.6 in jessie, stretch and sid, and Ubuntu will have it 
in 16.04LTS aka xenial.  The Debian page [1] also links to the (now apparently 
dead) web site, and has a Debian QA contact, so there /might/ be a chance that 
security issues get fixed, even if the original author is not actively 
supporting it any more.

I wrote to the Debian QA contact (Jeremy T. Bouse), asking him whether he knows 
more about the status of libesmtp, and got this reply:

<quote>
I'll say the same thing I told Othmar Truniger when he asked me about it... I 
am merely the Debian Developer who packaged libesmtp because I was using it at 
one time. I have no means to reach the upstream, Brian Stafford, other than 
what you or anyone else has. I don't develop or make changes to libesmtp, I 
merely package it up for the Debian distribution. If Brian Stafford is MIA then 
the libesmtp project is for all intents and purposes dead/orphaned with no 
official maintainer.
</quote>

The Debian patches actually include fixes for memory leaks in libesmtp.  Peter, 
do you know which security issue Pawel found?

I found a flaw, limiting encryption to TLSv1 (i.e. excluding TLSv1.1 and 
TLSv1.2), but apparently Jeremy will not fix that.

So it might actually be necessary to replace libesmtp in the long run, or to 
include its required parts in Balsa.

Cheers,
Albrecht.

_______________________________________________
balsa-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/balsa-list