qpopper (4.0.4-2.woody.5) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Backported upstream patch to fix unauthorised file read access
    [popper/pop_config.c, CAN-2005-1151]
  * Backported upstream patch to fix unauthorised file write access
    [popper/popauth.c, CAN-2005-1151]
  * Applied upstream patch to ensure that no group- or world-readable
    files are created [popper/popauth.c, CAN-2005-1152]

 -- Martin Schulze  Wed, 20 Apr 2005 20:27:57 +0200

qpopper (4.0.4-2.woody.4) stable-security; urgency=medium

  * Non-maintainer upload by the Security Team
  * No-changes rebuilt so that the package can migrate into proposed
    updates, since binary files from the former upload got lost on
    ftpmaster
  * Fixes mail user privilege escalation (DSA 259, CVE-2003-0143)

 -- Martin Schulze  Sat, 20 Nov 2004 10:03:49 +0100

qpopper (4.0.4-2.woody.3) stable; urgency=high

  * [SECURITY] different fix for the overflow below. Make Qvsnprintf
    always terminate output string with a null byte.

 -- Michael Stone  Wed, 12 Mar 2003 09:30:19 -0500

qpopper (4.0.4-2.woody.2) stable; urgency=high

  * [SECURITY] buffer overflow in pop_msg.c

 -- Michael Stone  Tue, 11 Mar 2003 20:59:01 -0500

qpopper (4.0.4-2.woody.1) stable; urgency=low

  * qpopper couldn't work with Eudora clients and openssl
    0.9.6c-2.woody.1 that was provided in DSA-136. This version fixed
    that bug.

 -- Yu Guanghui  Wed, 25 Sep 2002 21:31:55 +0800

qpopper (4.0.4-2) unstable; urgency=high

  * Fixed the long user bulldir buffer overflow. (closes:bug#144974)
  * ok, Moshe Zadka's patch is better than the one I did, so apply
    this. ;-) Thanks.

 -- Yu Guanghui  Mon, 29 Apr 2002 10:13:41 +0800

qpopper (4.0.4-1) unstable; urgency=low

  * New upstream release

 -- Yu Guanghui  Wed, 24 Apr 2002 09:37:17 +0800

qpopper (4.0.3-11) unstable; urgency=high

  * Fixed hppa building error. (closes:bug#142281)
  * Forgot to close 126670 in an earlier version. (closes:bug#126670)

 -- Yu Guanghui  Thu, 11 Apr 2002 18:10:35 +0800

qpopper (4.0.3-10) unstable; urgency=high

  * Back ported the bug fix (closed at 4.0.3-8) from 4.0.4fc3. The old
    patch may cause some problems in special cases.

 -- Yu Guanghui  Wed, 10 Apr 2002 23:30:41 +0800

qpopper (4.0.3-9) unstable; urgency=low

  * Closed many old bugs, most of them have been fixed before.
  * lockfile has been put to /var/spool/pop (closes:bug#49122)
  * couldn't reproduce, and that is more like fetchmail's bug.
    (closes:bug#57256). ok, this has been fixed in potato and the new
    version doesn't have this bug. (closes:bug#85069)
  * It has been fixed, but didn't close the bug. (closes:bug#65330)
  * Qpopper has a trace option now. (closes:bug#22008)
  * You can disable dns reverse lookup now. (closes:bug#22834)
  * APOP and PASS can work at the same time now. (closes:bug#60016)
  * It's not qpopper's failure. (closes:bug#65901)

 -- Yu Guanghui  Mon, 1 Apr 2002 21:19:34 +0800

qpopper (4.0.3-8) unstable; urgency=high

  * popper.c line 486 should return NULL instead of break, or it will
    wrongly enter loop state. I have made another patch. Thanks for
    Christian Hammers' useful information. (closes:Bug#138535)
  * This is a security fix. It only affects version 4.0.x.

 -- Yu Guanghui  Wed, 16 May 2002 19:15:07 +0800

qpopper (4.0.3-7) unstable; urgency=low

  * Built new package qpopper-drac. (closes:Bug#120338)

 -- Yu Guanghui  Wed, 6 Feb 2002 21:50:15 +0800

qpopper (4.0.3-6) unstable; urgency=low

  * popauth should be suid.

 -- Yu Guanghui  Mon, 10 Dec 2001 19:10:02 +0800

qpopper (4.0.3-5) unstable; urgency=low

  * Sorry, really change --with-apopuid to -enable-popuid this time.

 -- Yu Guanghui  Tue, 27 Nov 2001 09:17:39 +0800

qpopper (4.0.3-4) unstable; urgency=low

  * change --enable-apoppuid to --enable-popuid. Type error.:(
    Thanks to Vadim A Kutchin [amadis@chemi.komisc.ru].
  * Using configure file now. (closes:Bug#116308)

 -- Yu Guanghui  Tue, 20 Nov 2001 13:29:28 +0800

qpopper (4.0.3-3) unstable; urgency=low

  * Before calling kill, check whether /var/run/inetd.pid exists.
    (closes:Bug#103871)

 -- Yu Guanghui  Sun, 8 Jul 2001 18:32:16 +0800

qpopper (4.0.3-2) unstable; urgency=high

  * Upload again with a high urgency.
  * This version fixes a buffer overflow present in all versions of
    4.0. It should be installed to unstable and testing as fast.
    (closes: Bug#101133)

 -- Yu Guanghui  Sun, 17 Jun 2001 09:28:06 +0800

qpopper (4.0.3-1) unstable; urgency=low

  * New upstream release

 -- Yu Guanghui  Tue, 5 Jun 2001 20:58:01 +0800

qpopper (4.0.2-1) unstable; urgency=low

  * New upstream release

 -- Yu Guanghui  Fri, 25 May 2001 22:45:09 +0800

qpopper (4.0-2) unstable; urgency=low

  * Fixed the wrong installed manpage poppassd.8 (closes: Bug#94723)
  * Removed exim from build-depends. (closes: Bug#95099)

 -- Yu Guanghui  Wed, 25 Apr 2001 00:14:24 +0800

qpopper (4.0-1) unstable; urgency=low

  * New upstream release

 -- Yu Guanghui  Tue, 17 Apr 2001 22:22:25 +0800

qpopper (3.1-4) unstable; urgency=low

  * Add Build-depends and Depends: exim|mail-transport-agent.
    (closes: Bug#85032)
  * Priority moved from optional to extra.

 -- Yu Guanghui  Sat, 10 Feb 2001 12:26:12 +0800

qpopper (3.1-3) unstable; urgency=low

  * Add Build-depends: libgdbmg1-dev, libpam0g-dev to debian/control.
    (closes: Bug#84893)
  * Couldn't reproduce Bug#82198, and didn't receive any reply from
    reporter. (closes: Bug#82198)

 -- Yu Guanghui  Tue, 6 Feb 2001 22:04:15 +0800

qpopper (3.1-2) frozen unstable; urgency=high

  * Compiled with --enable-log-login. (closes: Bug#75784)

 -- Yu Guanghui  Sun, 29 Oct 2000 09:09:14 +0800

qpopper (3.1-1) frozen unstable; urgency=high

  * New upstream release. (closes: Bug#75032, Bug#71085)
  * Compiled with PAM support. (closes: Bug#57305)

 -- Yu Guanghui  Fri, 27 Oct 2000 22:18:56 +0800

qpopper (2.53-5) frozen unstable; urgency=high

  * Fix YET ANOTHER security hole that makes it possible to get a
    shell, even with "group mail" privileges.
    (closes: #64602, #64649, #64627).
    See http://www.securityfocus.com/vdb/bottom.html?vid=1242
    See also http://www.digibel.org/~b0f/advisors/b0f5-Qpopper.txt

 -- Miquel van Smoorenburg  Thu, 25 May 2000 14:53:36 +0200

qpopper (2.53-4) frozen unstable; urgency=high

  * Fix security hole (fixes: #63730). Did not use the patch as
    supplied on bugtraq, but fixed it myself. See debian/fgets1023.patch
  * Added applied patches as separate files in the source package
    and also documented them in README.Debian.
  * Fixed the pop-server virtual package stuff
    (fixes: #42409, #50629, #52273)
  * Moved /usr/{man,doc} stuff to /usr/share/{man,doc}

  The last 3 are only cosmetic and not code changes.

 -- Miquel van Smoorenburg  Sun, 14 May 2000 13:11:43 +0200

qpopper (2.53-3) unstable; urgency=low

  * Use fcntl (posix) locking everywhere instead of flock()
  * Don't lock APOP database twice
  * Fixes:
    #29698: qpopper: flock() locks both .pag and .dir file which are the same

 -- Miquel van Smoorenburg  Thu, 29 Jul 1999 12:24:14 +0200

qpopper (2.53-2) unstable; urgency=high

  * Turn on --enable-specialauth otherwise shadow support is not
    compiled in
  * Fixes:
    #40165: qpopper ignores -d
    #40167: qpopper refuses correct p
    #39789: qpopper: fails to validate passwords
    #35374: qpopper: changelog and copyright
    #27196: qpopper logs to /var/log/messages
    #23872: qpopper appears to abort

 -- Miquel van Smoorenburg  Sun, 27 Jun 1999 20:42:08 +0200

qpopper (2.53-1) unstable; urgency=low

  * Upgraded to latest released version - the license seems OK now.

 -- Miquel van Smoorenburg  Thu, 10 Jun 1999 16:12:43 +0200

qpopper (2.3-5) unstable; urgency=low

  * Added option -S to turn on "server mode" at runtime.

 -- Miquel van Smoorenburg  Thu, 19 Nov 1998 13:13:04 +0100

qpopper (2.3-4) frozen unstable; urgency=high

  * Fix for remote root exploits

 -- Miquel van Smoorenburg  Sat, 27 Jun 1998 23:38:52 +0200

qpopper (2.3-3) frozen unstable; urgency=low

  * Fixes bugs:
    #22531: qpopper: POP3 server fails to sanity-check TOP requests

 -- Miquel van Smoorenburg  Tue, 19 May 1998 16:41:21 +0200

qpopper (2.3-2) frozen unstable; urgency=low

  * Move back to DBM instead of DB
  * Fixes:
    #19847: qpopper unable to open POP authorization DB

 -- Miquel van Smoorenburg  Tue, 17 Mar 1998 23:07:43 +0100

qpopper (2.3-1) unstable; urgency=low

  * Upgraded to latest free upstream version
  * Fix lintian stuff
  * Fixes:
    #15305: qpopper: qpopper 2.4 is out

 -- Miquel van Smoorenburg  Sat, 14 Mar 1998 14:35:11 +0100

qpopper (2.2-5) unstable; urgency=low

  * libc6 version (2.4 is being worked on, but in the mean time..)
  * Bugs fixed:
    #10061: qpopper: program name error in man page: says in.popper instead of in.qpopper
    #12497: qpopper: doesnt work with md5 passwords
    #13527: qpopper: libc6 patch

 -- Miquel van Smoorenburg  Wed, 22 Oct 1997 16:00:51 +0200

qpopper (2.2-4) frozen unstable; urgency=high

  * Added /var/spool/pop directory to the package since netstd dropped it
  * Compiled with support for /etc/popper.{allow,deny} file.

 -- Miquel van Smoorenburg  Mon, 28 Apr 1997 20:16:57 +0200

qpopper (2.2-3) unstable; urgency=low

  * Fixed postinst not to send SIGHUP to inetd (fix for xinetd)
  * Fix for (possible) problem wrt NFS locking and Linux NFS client code.

 -- Miquel van Smoorenburg  Mon, 20 Jan 1997 10:12:44 +0100

qpopper (2.2-2) unstable; urgency=low

  * Fixed locking to work over NFS.
  * New source format

 -- Miquel van Smoorenburg  Fri, 13 Dec 1996 15:43:13 +0100

qpopper_2.2-1

  o Fixed Description: line in control file.
  o Upgraded to popper2.2

qpopper-2.1.4-4

  o Fixed Description: line in control file.
  o Fixed rewind() problem in pop_updt.c (caused mailboxes to start
    with a lot of zeros if new mail came in when using the qpopper)
  o debian.rules uses new style package names (with "_")

qpopper-2.1.4-3

  o Fixed locking problem

qpopper-2.1.4-2

  o Added shadow password support
  o Bulletin support is not defaulted anymore (needs -b flag)

qpopper-2.1.4-1

  o initial release

Local variables:
mode: debian-changelog
End: