exim4 upload to stable (dovecot stability / and optionally spf quoting)

Adam D. Barratt adam at adam-barratt.org.uk
Sun Jan 6 22:41:18 UTC 2013


On Sat, 2013-01-05 at 14:20 +0100, Andreas Metzler wrote:
> | Dovecot: robustness; better msg on missing mech.
[...]
> This fixes an exim segfault when accessing a malicious dovecot AUTH
> server. I have already talked with the security team, Moritz agrees
> that this should be fixed in a point release. Testing already has the
> fix since 4.80-6.

> On top of this I would like to discuss whether it is acceptable to fix
> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> get the fix into testing - #697444.] The Debian configuration
> optionally allows the use of spfquery to run SPF-checks on incoming mail.
> Due to insufficient quoting it is possible to pass on arbitrary
> arguments to spfquery and therefore bypass SPF checks. The fix is not
> invasive, but it changes dpkg conffiles.

How likely is it that users will have modified the conffile in question?
Shipping updated versions of conffiles isn't in itself an issue.

In principle the fixes sound okay but a debdiff between stable (well,
p-u, as that has +squeeze3) and the proposed package would be
appreciated.

Regards,

Adam




More information about the Pkg-exim4-maintainers mailing list