On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore Bonaccorso wrote: > Hi Soren, > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote: > > The security tracker for courier list two pieces of inaccurate information. > > > > https://security-tracker.debian.org/tracker/source-package/courier > > > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was not > > auto-detected because SqWebMail uses a different version numbering scheme > > than the source package it is built from. CVE-2004-2313 affected SqWebMail > > 3.4.1 through 3.6.1. The current version in Debian is 6.2.9+1.4.1-2. > > > > https://packages.debian.org/unstable/sqwebmail > > > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The > > Debian bug report doesn’t think so. > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 > > > > The CVE submission doesn’t list any vulnerable or fixed versions, and all > > the > > links on the CVE are either dead or unuseful. > > > > https://www.cve.org/CVERecord?id=CVE-2005-1308 > > Both are amrked unimportant for certain reasons. For the former if you > have an exact fixed version where the fix landed in a unstable upload > then we can update the metadata. Just adding a fixed version on latest > is wrong. CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail 4.0.7, which is newer than the last vulnerable version 3.6.1. > The notes give some additional information on those historic CVEs. CVE-2005-1308 was incorrectly filed as a security vulnerability, but on closer inspection the security vulnerability never existed. The most significant part of the Debian bug report: "Upon further discussion Florian confirmed that the URL is protected by an HMAC. This bug can be closed." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 My recommendation would be to remove CVE-2005-1308 from the security tracker as there never was a security vulnerability in SqWebMail related to it. -- Soren Stoutner soren@debian.org
Attachment:
signature.asc
Description: This is a digitally signed message part.