
Bug#699591: exim4 upload to stable (dovecot stability / and optionally spf quoting)



Hi,

Apologies for the delay in getting back to you about this.

On Sat, 2013-02-02 at 09:34 +0100, Andreas Metzler wrote:
> | Dovecot: robustness; better msg on missing mech.
[...]
> This fixes an exim segfault when accessing a malicious dovecot AUTH
> server. I have already talked with the security team, Moritz agrees
> that this should be fixed in a point release. Testing already has the
> fix since 4.80-6.

The patch includes "TESTED: works against Dovecot 2.1.10", but stable
has 1.2.15. Do we know if the patch has been tested against stable?

> On top of this I would like to discuss whether it is acceptable to fix
> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> get the fix into testing - #697444.] The Debian configuration
> optionally allows to use spfquery to run SPF-checks on incoming mail.
> Due to insufficient quoting it is possible to pass on arbitrary
> arguments to spfquery and therefore bypass SPF checks. The fix is not
> invasive, but it changes dpkg conffiles.

I've been arguing with myself a little over this one. Is it worth a
comment preceding the new version of the changes to make it more obvious
to anyone looking at the diff during an upgrade why the quoting was
added?

Presumably anyone performing a non-interactive upgrade won't get the
changes, but that doesn't seem so bad in this case.

Regards,

Adam
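The quoting issue discussed above, as an added illustration that is not part of this message or of the Debian exim4 package: a small Python model of how an Exim `${run{...}}` command string is split into argv on whitespace, and how wrapping each client-controlled value in `${quote:...}` keeps it as a single argument. The splitting and quoting rules are simplified approximations written for this example, the `/usr/bin/spfquery` path and option names are assumed, and all input values are constructed.

```python
"""Constructed model (not Exim's code) of ${run} argument splitting and the
${quote:} operator, to show why quoting client-controlled values matters
when an ACL hands them to an external checker such as spfquery."""
import re

# Characters Exim's ${quote:} passes through unquoted (approximation).
SAFE_CHARS = re.compile(r"^[A-Za-z0-9_.-]+$")

# Assumed path and options for the SPF checker; purely illustrative.
SPFQUERY = "/usr/bin/spfquery"


def exim_quote(value: str) -> str:
    """Approximate ${quote:}: return safe values unchanged, otherwise wrap
    in double quotes with backslash and double quote escaped inside."""
    if value and SAFE_CHARS.match(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def split_run_args(command: str) -> list:
    """Simplified model of how ${run} turns its command string into argv:
    split on unquoted whitespace, keep a double-quoted run as one argument,
    and honour backslash escapes inside quotes."""
    args, cur = [], []
    in_quotes = have_token = False
    i = 0
    while i < len(command):
        ch = command[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(command):
                cur.append(command[i + 1])
                i += 2
                continue
            if ch == '"':
                in_quotes = False
            else:
                cur.append(ch)
        elif ch == '"':
            in_quotes = have_token = True
        elif ch.isspace():
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def spfquery_argv(ip: str, sender: str, helo: str, quote: bool = True) -> list:
    """Build the argv an ACL-style ${run} would produce from values the
    remote client controls (sender address and HELO name).  With
    quote=False the values are interpolated bare, as in the affected
    configuration; with quote=True each value goes through exim_quote."""
    q = exim_quote if quote else (lambda s: s)
    cmd = (f"{SPFQUERY} --ip {q(ip)} --identity {q(sender)} "
           f"--scope mfrom --helo-identity {q(helo)}")
    return split_run_args(cmd)


def helo_stays_single_argument(helo: str) -> bool:
    """Defender's check: does a HELO name survive as exactly one argv
    element once quoted?  Constructed sender and IP values are used."""
    argv = spfquery_argv("192.0.2.1", "alice@example.org", helo, quote=True)
    return len(argv) == 9 and argv[-1] == helo


if __name__ == "__main__":
    # Constructed HELO name containing whitespace.
    helo = "mail.example.org extra-token"
    print("unquoted:", spfquery_argv("192.0.2.1", "alice@example.org", helo, quote=False))
    print("quoted:  ", spfquery_argv("192.0.2.1", "alice@example.org", helo, quote=True))
    print("single argument after quoting:", helo_stays_single_argument(helo))
```

The point the model makes is the one in the bug: without `${quote:}`, any whitespace in a value the connecting client supplies becomes an argument boundary, so the checker no longer sees the intended argv; with it, the value is delivered intact as one argument regardless of its content.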

