
Bug#1069690: bookworm-pu: package libkf5ksieve/4:22.12.3-1+deb12u1



Hi Patrick,

On Mon, Apr 22, 2024 at 09:36:54PM +0200, Patrick Franz wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: deltaone@debian.org
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> There is a bug in libkf5sieve where the password instead of the
> username is sent when using managesieve and could therefore be
> logged on a server as the login will fail.
> 
> [ Impact ]
> Potentially sensitive passwords are logged on a server.
> 
> [ Tests ]
> Affected user has successfully tested the patched version.
> 
> [ Risks ]
> The patch is trivial (1 line is changed) and it's quite obvious
> that it was a bug in the first place.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 1-line patch to fix the bug.

> diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3

As it is not yet uploaded for bookworm, you might add as well the CVE
id reference in the changelog: CVE-2023-52723 .

p.s.: I think you can take advantage of the improved workflow for this
specific one: if you are sure the package will be accepted as it is
by SRM, you can, along with filing the proposed update bug, already
do the upload.

(But note, I am just commenting on this with no authority, as I am not
part of the release team.)

Regards,
Salvatore
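The bug described in the quoted report (the password ending up where the server expects the username, and then appearing in the server's failed-login log) can be made concrete with a small model of the ManageSieve AUTHENTICATE exchange. The following is an added illustration, not libksieve's code and not part of the original thread: it builds the SASL PLAIN initial response as RFC 4616/RFC 5804 specify, models the argument swap from the report as a constructed `authenticate_command_swapped` function, and simulates a server that verifies the credentials and writes the kind of log line many servers emit on failure. The credentials, user table and log format are constructed sample values.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the demonstration (not real).
USERNAME = "alice"
PASSWORD = "s3cret-pw"


def sasl_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """SASL PLAIN message per RFC 4616: [authzid] NUL authcid NUL passwd, base64-encoded."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authenticate_command(username: str, password: str) -> str:
    """Correct ManageSieve AUTHENTICATE command (RFC 5804): the authcid field carries the username."""
    return f'AUTHENTICATE "PLAIN" "{sasl_plain_initial_response(username, password)}"'


def authenticate_command_swapped(username: str, password: str) -> str:
    """Constructed model of the bug in the report: username and password are exchanged,
    so the password lands in the authcid field. This is NOT libksieve's code."""
    return f'AUTHENTICATE "PLAIN" "{sasl_plain_initial_response(password, username)}"'


_AUTH_RE = re.compile(r'^AUTHENTICATE "PLAIN" "([A-Za-z0-9+/=]+)"$')


def parse_plain(command: str) -> Tuple[str, str, str]:
    """Server side: decode the initial response into (authzid, authcid, passwd)."""
    m = _AUTH_RE.match(command)
    if not m:
        raise ValueError("not a PLAIN AUTHENTICATE command")
    parts = base64.b64decode(m.group(1)).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    return parts[0], parts[1], parts[2]


def failed_login_log_line(command: str, known_users: Dict[str, str]) -> Optional[str]:
    """Simulated server: check the presented credentials against a user table.
    On failure, emit a log line that quotes the presented authcid (a common server habit,
    and exactly where a swapped password becomes visible). Returns None on success."""
    _authzid, authcid, passwd = parse_plain(command)
    if known_users.get(authcid) == passwd:
        return None
    return f"managesieve-login: auth failed, user=<{authcid}>, method=PLAIN"


def password_leaks_into_log(log_line: Optional[str], password: str) -> bool:
    """True when the secret appears verbatim in the server's failed-login log line."""
    return log_line is not None and password in log_line


if __name__ == "__main__":
    users = {USERNAME: PASSWORD}
    fixed = failed_login_log_line(authenticate_command(USERNAME, PASSWORD), users)
    buggy = failed_login_log_line(authenticate_command_swapped(USERNAME, PASSWORD), users)
    print("fixed client :", fixed)  # None: the login succeeds and nothing is logged
    print("buggy client :", buggy)  # the password shows up in the user=<...> field
    print("leak?", password_leaks_into_log(buggy, PASSWORD))
```

The point for a server operator is the one the [Impact] section makes: with the swapped client the login fails, and a log line that records the presented user name now records the password, so such logs need the same handling as any other secret-bearing data once affected clients have been in use.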

