Re: Please update courier security tracker information

To: debian-security-tracker@lists.debian.org
Subject: Re: Please update courier security tracker information
From: Soren Stoutner <soren@debian.org>
Date: Thu, 12 Jun 2025 11:39:24 -0700
Message-id: <[🔎] 2706693.bgRvk7e4E5@soren-desktop>
In-reply-to: <[🔎] aEperH7ZuU8Nb5uD@eldamar.lan>
References: <[🔎] 1914501.R1toDxpfAE@soren-desktop> <[🔎] aEperH7ZuU8Nb5uD@eldamar.lan>

On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore 
Bonaccorso wrote:
> Hi Soren,
> 
> On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > The security tracker for courier list two pieces of inaccurate 
information.
> > 
> > https://security-tracker.debian.org/tracker/source-package/courier
> > 
> > 1.  CVE-2004-2313 was fixed in Debian a long time ago.  I think this was 
not
> > auto-detected because SqWebMail uses a different version numbering scheme
> > than the source package it is built from.  CVE-2004-2313 affected 
SqWebMail
> > 3.4.1 through 3.6.1.  The current version in Debian is 6.2.9+1.4.1-2.
> > 
> > https://packages.debian.org/unstable/sqwebmail
> > 
> > 2.  It is unclear if CVE-2005-1308 was ever actually a security bug.  The
> > Debian bug report doesn’t think so.
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > 
> > The CVE submission doesn’t list any vulnerable or fixed versions, and all
> > the
> > links on the CVE are either dead or unuseful.
> > 
> > https://www.cve.org/CVERecord?id=CVE-2005-1308
> 
> Both are amrked unimportant for certain reasons. For the former if you
> have an exact fixed version where the fix landed in a unstable upload
> then we can update the metadata. Just adding a fixed version on latest
> is wrong.

CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail 4.0.7, 
which is newer than the last vulnerable version 3.6.1.

> The notes give some additional information on those historic CVEs.

CVE-2005-1308 was incorrectly filed as a security vulnerability, but on closer 
inspection the security vulnerability never existed.

The most significant part of the Debian bug report:

"Upon further discussion Florian confirmed that the URL is protected
by an HMAC. This bug can be closed."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575

My recommendation would be to remove CVE-2005-1308 from the security tracker 
as there never was a security vulnerability in SqWebMail related to it.

-- 
Soren Stoutner
soren@debian.org

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: Please update courier security tracker information
  - From: Soren Stoutner <soren@debian.org>

References:
- Please update courier security tracker information
  - From: Soren Stoutner <soren@debian.org>
- Re: Please update courier security tracker information
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: External check
Next by Date: External check
Previous by thread: Re: Please update courier security tracker information
Next by thread: Re: Please update courier security tracker information
Index(es):
- Date
- Thread