
Bug#699591: exim4 upload to stable (dovecot stability / and optionally spf quoting)



On Sun, 2013-02-24 at 14:58 +0100, Andreas Metzler wrote:
> On 2013-02-17 "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> > Apologies for the delay in getting back to you about this.
> 
> no worries.

and very much so again. :-(

> > On Sat, 2013-02-02 at 09:34 +0100, Andreas Metzler wrote:
> > > | Dovecot: robustness; better msg on missing mech.
> > [...]
> >> This fixes an exim segfault when accessing a malicious dovecot AUTH
> >> server. I have already talked with the security team, Moritz agrees
> >> that this should be fixed in a point release. Testing already has the
> >> fix since 4.80-6.
> 
> > The patch includes "TESTED: works against Dovecot 2.1.10", but stable
> > has 1.2.15. Do we know if the patch has been tested against stable?
> 
> Hello,
> 
> I have just set up a test system in my squeeze chroot, using dovecot
> with passdb passwd-file as authentication source. It worked for me. I
> have tried AUTH PLAIN, CRAM-MD5 and DIGEST-MD5.
> 
> However I do not know whether any systematic testing was done.
> 
> >> On top of this I would like to discuss whether it is acceptable to fix
> >> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> >> get the fix into testing - #697444.] The Debian configuration
> >> optionally allows to use spfquery to run SPF-checks on incoming mail.
> >> Due to insufficient quoting it is possible to pass on arbitrary
> >> arguments to spfquery and therefore bypass SPF checks. The fix is not
> >> invasive, but it changes dpkg conffiles.

We're now within a few days of closing uploads for the final point
release of squeeze. Is this still something you'd like to fix there?

Regards,

Adam

