Re: Upload request: chasquid 1.13-1
On Tue, Dec 26, 2023 at 07:05:21PM +0000, Alberto Bertogli wrote:
> On Tue, Dec 26, 2023 at 08:52:21PM +0530, Nilesh Patra wrote:
> > On 12/26/2023 8:01 PM IST Alberto Bertogli <albertito@blitiri.com.ar> wrote:
> > > This release includes a fix for a newly discovered SMTP attack (SMTP
> > > smuggling). Full changelog at
> > > https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
> > > Please let me know if you have any questions or comments!
> > Would it be possible to backport the SMTP smuggling patch to current chasquid stable version?
> > IMHO security vulnerabilities like this warrant a p-u[1]
> Sure!
> Upstream-wise, I tagged v1.11.1 with a backport of the fix. There are
> 3 patches: 2 of them backports of small changes to testing
> infrastructure, and then the 3rd patch is the backport of the fix (the
> tests for the fix rely on the other 2).
> https://blitiri.com.ar/git/r/chasquid/c/d4346efb024e0ebc79295bb5cae4efca81c5dc1f/
> https://github.com/albertito/chasquid/tree/v1.11.1
> Unfortunately I will be with minimal connectivity for the next couple
> of weeks, so I won't be able to do the Debian side of this (I'm not
> familiar with the backporting to stable part so it would take me more
> time to figure out).
I gave this a try. This is my first time doing a stable backport (or any
non-unstable change) so please let me know if I did something wrong,
which is very likely.
I did the following:
- Created a new `debian/bookworm-backports` branch.
- Merged upstream's v1.11.1 into it, which incorporates the security
fixes.
- Updated the changelog using the usual tooling.
- Tested the build on bookworm with `gbp buildpackage` (same as I always
do, except this time on bookworm instead of unstable).
- Uploaded that branch to salsa.
- salsa's test pipeline passed.
I don't know if this is okay, and if so, what comes next; so please let
me know how to proceed from here!
Thank you!
Alberto