Bug#944348: buster-pu: package schleuder/3.4.0-2+deb10u1
Control: tag -1 confirmed
On Fri, Nov 08, 2019 at 10:57:51AM +0000, Georg Faerber wrote:
> Schleuder in buster is affected by various problems, which I would like to fix
> with this proposed update:
>
> - Schleuder fails to recognize keywords in mails with "protected headers" and
> empty subject.
> (Ref: #940524)
>
> - Schleuder is vulnerable to signature-flooded keys. GPG does not cope well
> with these keys. It will either refuse to import them, or during and after
> the import become so slow as to be effectively unusable (while hogging CPUs).
> By default keys are regularly updated from the keyservers (in order to
> receive extended expiry dates, or key revocations). Any list with an
> attacked key in its keyring will become practically unusable and strain the
> server. This is a rather severe problem.
> (Ref: #940526)
>
> - Schleuder doesn't report an error if the argument provided to
> `refresh_keys` is not an existing list, as if the job ran successfully.
> (Ref: #940527)
>
> All of them are already fixed in unstable. The proposed version is in
> use and was tested in production for the last two weeks.
>
That looks fine to me. Go ahead.
Cheers,
Julien