Salvatore,

On Thursday, June 12, 2025 11:39:24 AM Mountain Standard Time Soren Stoutner wrote:
> On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore
> Bonaccorso wrote:
> > Hi Soren,
> >
> > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > > The security tracker for courier lists two pieces of inaccurate
> > > information.
> > >
> > > https://security-tracker.debian.org/tracker/source-package/courier
> > >
> > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was
> > > not auto-detected because SqWebMail uses a different version numbering
> > > scheme than the source package it is built from. CVE-2004-2313 affected
> > > SqWebMail 3.4.1 through 3.6.1. The current version in Debian is
> > > 6.2.9+1.4.1-2.
> > >
> > > https://packages.debian.org/unstable/sqwebmail
> > >
> > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The
> > > Debian bug report doesn't think so.
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > >
> > > The CVE submission doesn't list any vulnerable or fixed versions, and
> > > all the links on the CVE are either dead or unuseful.
> > >
> > > https://www.cve.org/CVERecord?id=CVE-2005-1308
> >
> > Both are marked unimportant for certain reasons. For the former, if you
> > have an exact fixed version where the fix landed in an unstable upload,
> > then we can update the metadata. Just adding a fixed version on latest
> > is wrong.
>
> CVE-2004-2313 was fixed in src:courier 0.47-3, which shipped SqWebMail 4.0.7,
> which is newer than the last vulnerable version 3.6.1.
>
> > The notes give some additional information on those historic CVEs.
>
> CVE-2005-1308 was incorrectly filed as a security vulnerability, but on closer
> inspection the security vulnerability never existed.
>
> The most significant part of the Debian bug report:
>
> "Upon further discussion Florian confirmed that the URL is protected
> by an HMAC. This bug can be closed."
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
>
> My recommendation would be to remove CVE-2005-1308 from the security tracker,
> as there never was a security vulnerability in SqWebMail related to it.

Did you have any further questions about the above information?

-- 
Soren Stoutner
soren@debian.org