On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Roberto,
On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote:
On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
[note: I am not subscribed to debian-security; please keep me or
debian-lts addressed on replies]
If this seems like a sensible approach, I propose to apply the attached
patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
to create version 8:2007f~dfsg-6 for upload to sid and eventual
inclusion in stretch (perhaps via a point release) and then also in
parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
Please reply with your comments. In particular, feedback from the
security team on the appropriateness of this for a stable point release
and my suggested route for the update to take to get there would be very
useful.
Hi all,
Since Tomas and Ola have reviewed the patch and we have had some
discussion which makes it seem like this is the most sensible approach
to the vulnerability given the constraints, I wonder if the Security
team could weigh in.
I have forwarded my initial message and the patch to Magnus Holngren
(the uw-imap maintainer) and also added him as a recipient of this
message, as he may wish to be the one to upload to unstable and
coordinate the future point release inclusion.
I ask for some indication now from the security team and/or the
maintainer since I don't think it makes sense to fix this only in jessie
and not in stretch/buster/sid.
There is an alternative approach wich was raised by Magnus in the
respective bug: https://bugs.debian.org/914632#12 (and see followup
from Moritz).
Regards,
Salvatore