Re: Please update courier security tracker information
Hi Soren,
On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> The security tracker for courier lists two pieces of inaccurate information.
>
> https://security-tracker.debian.org/tracker/source-package/courier
>
> 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was not
> auto-detected because SqWebMail uses a different version numbering scheme than
> the source package it is built from. CVE-2004-2313 affected SqWebMail 3.4.1
> through 3.6.1. The current version in Debian is 6.2.9+1.4.1-2.
>
> https://packages.debian.org/unstable/sqwebmail
>
> 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The
> Debian bug report doesn’t think so.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
>
> The CVE submission doesn’t list any vulnerable or fixed versions, and all the
> links on the CVE are either dead or unuseful.
>
> https://www.cve.org/CVERecord?id=CVE-2005-1308
Both are marked unimportant for certain reasons. For the former, if you
have an exact fixed version where the fix landed in an unstable upload
then we can update the metadata. Just adding a fixed version on latest
is wrong.
The notes give some additional information on those historic CVEs.
Regards,
Salvatore