Your message dated Sat, 25 Nov 2023 16:14:09 +0100
with message-id <ZWIPQZFXr9qlYjw6@isildor2.loewenhoehle.ip>
and subject line Re: Bug#1056285: RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
has caused the Debian Bug report #1056285,
regarding RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
1056285: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056285
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
- From: David Bürgin <dbuergin@gluet.ch>
- Date: Sun, 19 Nov 2023 21:30:22 +0100
- Message-id: <ZVpwXiJZ6K2IVX9P@gluet.ch>

Package: sponsorship-requests
Severity: normal

Dear mentors,

I am looking for a sponsor for my package "opendkim":

 * Package name     : opendkim
   Version          : 2.11.0~beta2-9
   Upstream contact : The Trusted Domain Project
 * URL              : http://www.opendkim.org/
 * License          : BSD-3-clause and SOSL, ISC, GPL-3+ with AutoConf exception
 * Vcs              : https://salsa.debian.org/debian/opendkim
   Section          : mail

The source builds the following binary packages:

  opendkim - DomainKeys Identified Mail (DKIM) signing and verifying milter
  opendkim-tools - utilities for administering the OpenDKIM milter
  libopendkim11 - DomainKeys Identified Mail (DKIM) library
  libopendkim-dev - DomainKeys Identified Mail (DKIM) library (development files)
  libvbr2 - Vouch By Reference (VBR) library
  libvbr-dev - Vouch By Reference (VBR) library (development files)
  librbl1 - Real-time Blacklist (RBL) query library
  librbl-dev - Real-time Blacklist (RBL) query library (development files)
  miltertest - utility for testing milter applications

To access further information about this package, please visit the following URL:

  https://mentors.debian.net/package/opendkim/

Alternatively, you can download the package with 'dget' using this command:

  dget -x https://mentors.debian.net/debian/pool/main/o/opendkim/opendkim_2.11.0~beta2-9.dsc

Changes since the last upload:

 opendkim (2.11.0~beta2-9) unstable; urgency=medium
 .
   [ David Bürgin ]
   * debian/patches: Add missing upstream bug metadata, add new patches:
     - rev-ares-deletion.patch: Delete Authentication-Results headers in
       reverse, addresses CVE-2022-48521 (Closes: #1041107).
     - ares-missing-space.patch: Add missing space in Auth-Results header.
   * Replace transitional libldap2-dev with libldap-dev in Build-Depends.
   * Remove obsolete lsb-base dependency in opendkim package.
   * Delete obsolete entries in debian/opendkim.NEWS.
 .
   [ Samuel Thibault ]
   * d/rules: Generalize hurd-i386 into hurd.

Thank you.

-- 
David
--- End Message ---
--- Begin Message ---
- To: David Bürgin <dbuergin@gluet.ch>, 1056285-done@bugs.debian.org
- Subject: Re: Bug#1056285: RFS: opendkim/2.11.0~beta2-9 -- DomainKeys Identified Mail (DKIM) signing and verifying milter
- From: Tobias Frost <tobi@debian.org>
- Date: Sat, 25 Nov 2023 16:14:09 +0100
- Message-id: <ZWIPQZFXr9qlYjw6@isildor2.loewenhoehle.ip>
- In-reply-to: <ZWILYQj+5JwKJuht@gluet.ch>
- References: <ZVpwXiJZ6K2IVX9P@gluet.ch> <ZVpwXiJZ6K2IVX9P@gluet.ch> <ZWII3P3kM1xbnvkH@isildor2.loewenhoehle.ip> <ZVpwXiJZ6K2IVX9P@gluet.ch> <ZWILYQj+5JwKJuht@gluet.ch>

On Sat, Nov 25, 2023 at 03:57:37PM +0100, David Bürgin wrote:
> Control: tags -1 - moreinfo
>
> Hello Tobi,
>
> > A question to that: Can you elaborate a bit on the testing you have
> > done to verify that this patch indeed fixes the vulnerability?
> > (Asking, because unfortunately there is not a lot of information available
> > e.g. from the upstream issue and upstream seems to be generally very
> > silent…
>
> I developed the upstream patch, and so did do the necessary testing
> locally. You can simply prepare a crafted message containing some
> Authentication-Results headers and then see if the right ones get
> deleted.

Thanks for confirming! And thanks for fixing the issue!

> > Said that, if we have a high confidence in this patch, this fix should
> > also propagate to stable (via stable-proposed-updates) and oldstable.
> > I'm happy to sponsor such uploads.
>
> I don’t know if I will have the energy to do a stable update, though.

Ok, fair enough. I just wanted to avoid stealing your kudos ;-)
I'll take care about stable / oldstable then ;)

> > Except the information request, this package is ready to be sponsored,
> > and I will do so once the me-being-paranoid-question has been answered
> > ;-)
>
> Thank you for your interest!

Thanks for your contributions to Debian!
(IOW uploaded)

> Ciao,
> David

Attachment: signature.asc
Description: PGP signature
--- End Message ---
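
The check described in the thread (a crafted message with several Authentication-Results headers, then confirming that the right ones are deleted), sketched as an added example that is not part of the thread or of the opendkim patch. It is a simplified model that assumes headers are deleted by 1-based occurrence index, with each deletion applied before the next index is interpreted; `LOCAL_AUTHSERV_ID`, the helper names and the sample message are constructed.

```python
from email import message_from_string

LOCAL_AUTHSERV_ID = "mx.example.net"  # assumed authserv-id of the verifier
FIELD = "authentication-results"

# Constructed sample: two forged fields claiming the local authserv-id,
# then one field added by an unrelated host that must be kept.
CRAFTED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=sender.example
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sender.example
Authentication-Results: relay.example.org; spf=none
From: someone@sender.example
Subject: constructed test message

body
"""


def forged_ordinals(headers):
    """1-based ordinals (counted among A-R fields only) claiming our id."""
    ordinals, n = [], 0
    for name, value in headers:
        if name.lower() != FIELD:
            continue
        n += 1
        if value.split(";", 1)[0].strip().lower() == LOCAL_AUTHSERV_ID:
            ordinals.append(n)
    return ordinals


def delete_nth(headers, ordinal):
    """Delete the ordinal-th A-R field as numbered *now* (model assumption:
    each deletion is applied before the next index is interpreted)."""
    n = 0
    for i, (name, _) in enumerate(headers):
        if name.lower() == FIELD:
            n += 1
            if n == ordinal:
                del headers[i]
                return


def surviving_results(raw, reverse):
    """A-R values left after deleting forged fields in the given order."""
    headers = message_from_string(raw).items()
    for ordinal in sorted(forged_ordinals(headers), reverse=reverse):
        delete_nth(headers, ordinal)
    return [value for name, value in headers if name.lower() == FIELD]
```

In this model, ascending order leaves one forged field in place and removes the unrelated host's field, while descending order removes exactly the two forged fields.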