
Re: Upload request: chasquid 1.13-1



On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote:
On Sun, Jan 21, 2024 at 03:37:11PM +0000, Alberto Bertogli wrote:
There are 3 patches in this release: patches 1 and 2 are minor (but
important) adjustments to tests, so that patch 3 that contains the fix can
be tested at all.

Applying just patch 3 would be nominally "minimal", but would also fail
tests.

I would argue this is the minimal set of patches to fix the security
release.

That said, of course that is subjective, other alternative patches could be
done instead; and I'm sure there's a lot of Debian-specific criteria,
history, and processes that can be applied to make these decisions, which I
lack.

So I think at this point I'd rather leave this stable update to the Debian
experts (which I am definitely not :).

The patches are there, and if you have any questions I can help with in my
upstream capacity, please just let me know!

As far as I understood and looked, there are just 3 patches in this update which
seem to be needed to fix the SMTP smuggling vulnerability, right?

That is correct.

I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on top of 1.11:

- Patch #1: test: Verify mailbox delivery in minor dialogs test
  https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
- Patch #2: test: Make mail_diff more strict
  https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
- Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
  https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801

Patches #1 and #2 change only tests and testing infrastructure, so that patch #3 (which fixes the security vulnerability) can have tests to confirm it works.

Those commits in Salsa come directly from upstream's 1.11.1, you can confirm that the commit id is the same:
https://github.com/albertito/chasquid/commits/v1.11.1/

This is what I consider a "reasonable minimum" set of changes to fix the vulnerability. Any less would mean failing or reduced tests for the fixes, which I don't think is a good tradeoff.

I hope this explanation helps!


Seems I got a few things mixed up and maybe offered wrong advice in my previous
email -- sorry!

No worries! These things get confusing :S


I've CC'ed security team as per the documented procedure[1], and will wait for their
reply on this matter, and we can take it forward for stable uploads from there.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Thank you, please let me know if there are any other questions or clarification needed!


Thanks again,
		Alberto
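The kind of check that "strict CRLF enforcement in DATA contents" (patch #3 above) refers to, written here as an added Go example that is not chasquid's code: the function name `ReadDataStrict`, its error values and the inputs in the accompanying checks are assumptions, not taken from the project.

```go
package main

import (
	"bytes"
	"errors"
)

// Sentinel errors returned by ReadDataStrict (hypothetical names).
var (
	ErrBareLineEnding = errors.New("DATA line not terminated by CRLF")
	ErrIncompleteData = errors.New("DATA contents missing CRLF.CRLF terminator")
)

// ReadDataStrict parses the bytes a client sent after the DATA command.
// Every line must end in CRLF: a bare LF or a stray CR is rejected, so
// only "<CRLF>.<CRLF>" ends the message. A server that also accepted a
// lone "." after a bare LF as end-of-data is what SMTP smuggling relies
// on, since the rest of the input would then be read as new commands.
// Leading dots are unstuffed as described in RFC 5321 section 4.5.2.
func ReadDataStrict(raw []byte) ([]byte, error) {
	var body []byte
	pos := 0
	for {
		nl := bytes.IndexByte(raw[pos:], '\n')
		if nl < 0 {
			return nil, ErrIncompleteData
		}
		line := raw[pos : pos+nl] // excludes the '\n'
		pos += nl + 1
		// A line that does not end in CR was terminated by a bare LF.
		if len(line) == 0 || line[len(line)-1] != '\r' {
			return nil, ErrBareLineEnding
		}
		content := line[:len(line)-1]
		// A CR anywhere else is a stray CR and is rejected as well.
		if bytes.IndexByte(content, '\r') >= 0 {
			return nil, ErrBareLineEnding
		}
		if string(content) == "." {
			return body, nil // end of data
		}
		if len(content) > 0 && content[0] == '.' {
			content = content[1:] // dot-unstuffing
		}
		body = append(body, content...)
		body = append(body, '\r', '\n')
	}
}
```

Bare-LF input such as "hello\n.\r\n" is rejected outright rather than being silently normalised, which is the behaviour a strict DATA reader needs to close the smuggling window.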

