RE: RFC: proposed fix for CVE-2018-19518 in uw-imap
De : Roberto C. Sánchez <email@example.com>
Envoyé : samedi 29 décembre 2018 16:25
À : firstname.lastname@example.org; email@example.com; Debian Security Team <firstname.lastname@example.org>
Cc : email@example.com
Objet : Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> [note: I am not subscribed to debian-security; please keep me or
> debian-lts addressed on replies]
> If this seems like a sensible approach, I propose to apply the
> attached patch to uw-imap 8:2007f~dfsg-5 (the current
> stretch/buster/sid version) to create version 8:2007f~dfsg-6 for
> upload to sid and eventual inclusion in stretch (perhaps via a point
> release) and then also in parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
> Please reply with your comments. In particular, feedback from the
> security team on the appropriateness of this for a stable point
> release and my suggested route for the update to take to get there
> would be very useful.
Since Tomas and Ola have reviewed the patch and we have had some discussion which makes it seem like this is the most sensible approach to the vulnerability given the constraints, I wonder if the Security team could weigh in.
I have forwarded my initial message and the patch to Magnus Holngren (the uw-imap maintainer) and also added him as a recipient of this message, as he may wish to be the one to upload to unstable and coordinate the future point release inclusion.
I ask for some indication now from the security team and/or the maintainer since I don't think it makes sense to fix this only in jessie and not in stretch/buster/sid.
Roberto C. Sánchez