Bug#699591: exim4 upload to stable (dovecot stability / and optionally spf quoting)

Andreas Metzler ametzler at downhill.at.eu.org
Sun Feb 24 13:58:20 UTC 2013


On 2013-02-17 "Adam D. Barratt" <adam at adam-barratt.org.uk> wrote:
> Apologies for the delay in getting back to you about this.

no worries.

> On Sat, 2013-02-02 at 09:34 +0100, Andreas Metzler wrote:
> > | Dovecot: robustness; better msg on missing mech.
> [...]
> > This fixes an exim segfault when accessing a malicious dovecot AUTH
> > server. I have already talked with the security team, Moritz agrees
> > that this should be fixed in a point release. Testing already has the
> > fix since 4.80-6.

> The patch includes "TESTED: works against Dovecot 2.1.10", but stable
> has 1.2.15. Do we know if the patch has been tested against stable?

Hello,

I have just set up a test system in my squeeze chroot, using dovecot
with passdb passwd-file as authentication source. It worked for me. I
have tried AUTH PLAIN, CRAM-MD5 and DIGEST-MD5.

However I do not know whether any systematic testing was done.

> > On top of this I would like to discuss whether it is acceptable to fix
> > http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> > get the fix into testing - #697444.] The Debian configuration
> > optionally allows using spfquery to run SPF checks on incoming mail.
> > Due to insufficient quoting it is possible to pass on arbitrary
> > arguments to spfquery and therefore bypass SPF checks. The fix is not
> > invasive, but it changes dpkg conffiles.

> I've been arguing with myself a little over this one. Is it worth a
> comment preceding the new version of the changes to make it more obvious
> to anyone looking at the diff during an upgrade why the quoting was
> added?

> Presumably anyone performing a non-interactive upgrade won't get the
> changes, but that doesn't seem so bad in this case.

This just does not feel right to me. It is exactly the kind of
information that belongs in the changelog, and that is where it is.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
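The quoting problem discussed in this thread is the general one of passing untrusted SMTP data into a command run via Exim's ${run} expansion: ${run} expands the string and then splits it into arguments on whitespace, keeping double-quoted sections together, so a HELO name or envelope sender containing whitespace can turn into extra arguments for the helper. The fragment below is a constructed illustration of that class of fix, not the Debian exim4 configuration or the patch from #697057; the spfquery options, the exit-code handling via $runrc and the ACL verb are assumptions to check against the local spfquery and configuration.

```exim
# Constructed illustration (not the Debian exim4 conffiles): calling spfquery
# from an ACL with ${run}. ${run} expands the command string and then splits
# it into argv on whitespace, honouring double quotes.

# Weak form (shown as a comment): $sender_address and $sender_helo_name come
# straight from the remote SMTP client. Whitespace inside them becomes
# additional argv elements for spfquery, so the check no longer runs on the
# values the client actually used.
#   condition = ${run{/usr/bin/spfquery --ip $sender_host_address \
#                 --mail-from $sender_address --helo $sender_helo_name}\
#                 {no}{${if eq{$runrc}{1}{yes}{no}}}}

# Hardened form: ${quote:...} wraps each value in double quotes and
# backslash-escapes any embedded quotes or backslashes, so every variable is
# exactly one argv element whatever it contains. Exit status 1 is assumed to
# mean SPF "fail" here; verify the exit codes of the installed spfquery.
  deny
    condition   = ${run{/usr/bin/spfquery \
                    --ip ${quote:$sender_host_address} \
                    --mail-from ${quote:$sender_address} \
                    --helo ${quote:$sender_helo_name}}\
                    {no}{${if eq{$runrc}{1}{yes}{no}}}}
    log_message = SPF check failed.
    message     = $sender_host_address is not allowed to send mail from $sender_address_domain
```

The defensive point is that quoting has to happen at the boundary where Exim hands the string to argv, not inside spfquery, and that any other ${run} call taking $sender_helo_name, $sender_address or header values needs the same ${quote:} treatment.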