Re: Balsa and libesmtp



On 17.03.16 21:59, Albrecht Dreß wrote:
Debian has libesmtp 1.0.6 in jessie, stretch and sid, and Ubuntu will have it in 16.04LTS aka xenial.  The 
Debian page [1] also links to the (now apparently dead) web site, and has a Debian QA contact, so there 
/might/ be a chance that security issues get fixed, even if the original author is not actively supporting it 
any more.

I wrote to the Debian QA contact (Jeremy T. Bouse), asking him whether he knows more about the status of 
libesmtp, and got this reply:

<quote>
I'll say the same thing I told Othmar Truniger when he asked me about it... I am merely the Debian Developer 
who packaged libesmtp because I was using it at one time. I have no means to reach the upstream, Brian 
Stafford, other than what you or anyone else has. I don't develop or make changes to libesmtp, I merely 
package it up for the Debian distribution. If Brian Stafford is MIA then the libesmtp project is for all 
intents and purposes dead/orphaned with no official maintainer.
</quote>

The Debian patches actually include fixes for memory leaks in libesmtp.  Peter, do you know which security 
issue Pawel found?

I found a flaw, limiting encryption to TLSv1 (i.e. excluding TLSv1.1 and TLSv1.2), but apparently Jeremy will 
not fix that.

So it might actually be necessary to replace libesmtp in the long run, or to include its required parts in 
Balsa.

Cheers,
Albrecht.
