Re: Please update courier security tracker information
Hi Soren,
On Thu, Jun 12, 2025 at 11:39:24AM -0700, Soren Stoutner wrote:
> On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore
> Bonaccorso wrote:
> > Hi Soren,
> >
> > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > > The security tracker for courier lists two pieces of inaccurate information.
> > >
> > > https://security-tracker.debian.org/tracker/source-package/courier
> > >
> > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was not
> > > auto-detected because SqWebMail uses a different version numbering scheme
> > > than the source package it is built from. CVE-2004-2313 affected SqWebMail
> > > 3.4.1 through 3.6.1. The current version in Debian is 6.2.9+1.4.1-2.
> > >
> > > https://packages.debian.org/unstable/sqwebmail
> > >
> > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The
> > > Debian bug report doesn’t think so.
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > >
> > > The CVE submission doesn’t list any vulnerable or fixed versions, and all the
> > > links on the CVE are either dead or unuseful.
> > >
> > > https://www.cve.org/CVERecord?id=CVE-2005-1308
> >
> > Both are marked unimportant for certain reasons. For the former, if you
> > have an exact fixed version where the fix landed in an unstable upload
> > then we can update the metadata. Just adding a fixed version on latest
> > is wrong.
>
> CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail 4.0.7,
> which is newer than the last vulnerable version 3.6.1.
This is quite unlikely if you compare the changes between 0.47-2 and
0.47-3, which only fixed a typo closing #276774. Furthermore, we
cannot and will not trust CVE descriptions for version ranges, as they
may only reflect a known current state at a given point in time;
sometimes they are accurate, sometimes they are not, so we need
clear evidence of where the fix landed before we can update the metadata.
If not, we err on the safe side. And again, note that those CVEs are
marked unimportant.
If you can point me to the version change after SqWebMail 3.6.1
implementing the said security feature in the NOTE, we can try to make
an effort to correct this historic metadata.
Regards,
Salvatore