[Git][security-tracker-team/security-tracker][master] Revert "Removed sendmail from dla-needed since there is no CVE marked as need...

Sylvain Beucler (@beuc) beuc at debian.org
Mon Mar 11 11:10:20 GMT 2024



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9a2a182d by Sylvain Beucler at 2024-03-11T12:07:53+01:00
Revert "Removed sendmail from dla-needed since there is no CVE marked as need for a fix for buster."

This reverts commit f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb.

Rationale:
- SMTP Smuggling (CVE-2023-51765) had significant impact
- SMTP Smuggling was fixed in e.g. Postfix and Exim
- Sendmail is sponsored for LTS
- Preliminary LTS work was done
- CVE-2023-51765 is still not triaged for sendmail/buster

Consequently it's hard to explain why we would not attempt to fix it.

In this case, I believe LTS should make an effort to fix sendmail for all dists,
rather than follow secteam's initial triage.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -220,6 +220,15 @@ ruby-rack (Adrian Bunk)
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
+sendmail
+  NOTE: 20231224: Added by Front-Desk (ta)
+  NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765)
+  NOTE: 20240217: Patch extracted and being reviewed (rouca)
+  NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)
+  NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists,
+  NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists,
+  NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk)
+--
 shim
   NOTE: 20240306: Added by Front-Desk (opal)
 --
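Review bot: the new `sendmail` entry has no claimant in parentheses after the package name, unlike the `ruby-rack (Adrian Bunk)` entry visible in the hunk header, even though the 20240217 note says a patch was extracted and is being reviewed by rouca and the 20240311 note asks for coordination with the package maintainer. Either add the claimant on the `sendmail` line or add a NOTE saying who now owns the CVE-2023-51765 work and where the extracted patch lives, so front-desk and the maintainer do not have to reconstruct this from the revert history.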



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a2a182dc53f0632ecd32108c91c071bdad76289


