Hi Ben et al,

On Wed, Dec 30, 2015 at 01:48:47AM +0000, Ben Hutchings wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of claws-mail:
> https://security-tracker.debian.org/tracker/CVE-2015-8614

AFAICS that CVE is missing at least two more affected packages in squeeze:
libsylph¹ and sylpheed², which unfortunately contains an embedded code copy
(ECC) of the former. Both are still affected in current sid versions³⁴ and
upstream⁵; I'm not sure whether that fact should be reflected on the same CVE.

There's also another ECC in sylfilter⁶⁷ which is affected, but not in squeeze,
just stretch/sid.

I've also included the maintainer and upstream of those packages in Cc.

¹ http://sources.debian.net/src/libsylph/1.1.0-4/libsylph/codeconv.c/
² http://sources.debian.net/src/sylpheed/3.0.2-1/libsylph/codeconv.c/
³ http://sources.debian.net/src/libsylph/1.1.0-15/libsylph/codeconv.c/
⁴ http://sources.debian.net/src/sylpheed/3.0.2-1/libsylph/codeconv.c/
⁵ http://sylpheed.sraoss.jp/redmine/projects/sylpheed/repository/entry/libsylph/codeconv.c
⁶ http://sources.debian.net/src/sylfilter/0.8-3/libsylph/codeconv.c/
⁷ http://sylpheed.sraoss.jp/redmine/projects/sylfilter/repository/revisions/master/entry/libsylph/codeconv.c

> Would you like to take care of this yourself?

I'd like to, but my time for Debian is very limited right now, and it seems
there's not a working patch for this. The lack of examples triggering the
supposed overflow is also a problem.

> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

If you can get a patch fixing this I could take care of the rest, given there's
not a very tight timing for the LTS release. Is that acceptable to you?

> Thank you very much.
>
> Ben Hutchings,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
> --
> Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

best regards,
--
Ricardo Mones
~
File not found    Error 404