Bonaccorso,

On Monday, June 30, 2025 10:58:37 PM Mountain Standard Time Soren Stoutner wrote:
> On Monday, June 30, 2025 10:26:04 PM Mountain Standard Time Salvatore
> Bonaccorso wrote:
> > Hi Soren,
> >
> > On Thu, Jun 12, 2025 at 11:39:24AM -0700, Soren Stoutner wrote:
> > > On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore
> > > Bonaccorso wrote:
> > > > Hi Soren,
> > > >
> > > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > > > > The security tracker for courier lists two pieces of inaccurate
> > > > > information.
> > > > >
> > > > > https://security-tracker.debian.org/tracker/source-package/courier
> > > > >
> > > > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was
> > > > > not auto-detected because SqWebMail uses a different version numbering
> > > > > scheme than the source package it is built from. CVE-2004-2313 affected
> > > > > SqWebMail 3.4.1 through 3.6.1. The current version in Debian is
> > > > > 6.2.9+1.4.1-2.
> > > > >
> > > > > https://packages.debian.org/unstable/sqwebmail
> > > > >
> > > > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The
> > > > > Debian bug report doesn’t think so.
> > > > >
> > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > > > >
> > > > > The CVE submission doesn’t list any vulnerable or fixed versions, and
> > > > > all the links on the CVE are either dead or unuseful.
> > > > >
> > > > > https://www.cve.org/CVERecord?id=CVE-2005-1308
> > > >
> > > > Both are marked unimportant for certain reasons. For the former, if you
> > > > have an exact fixed version where the fix landed in an unstable upload
> > > > then we can update the metadata. Just adding a fixed version on latest
> > > > is wrong.
> > >
> > > CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail
> > > 4.0.7, which is newer than the last vulnerable version 3.6.1.
> >
> > This is quite unlikely if you compare the changes between 0.47-2 and
> > 0.47-3 which only fixed a typo closing #276774. And furthermore we
> > cannot and will not trust CVE description for version ranges as they
> > may only reflect a known current state at a given point in time,
> > sometimes they are accurate, sometimes they are not, so we need
> > clear evidence where the fix landed, then we can update the metadata.
> >
> > If not we err on the safe side. And again note that those CVEs are
> > marked unimportant.
> >
> > If you can point me to the version change after SqWebMail 3.6.1
> > implementing the said security feature in the NOTE we can try to take
> > an effort to correct this historic metadata.
>
> When I wrote the above I was indicating that 0.47-3 was the first fixed
> version that I can verify shipped in Debian. This came from:
>
> https://snapshot.debian.org/binary/sqwebmail/
>
> This is so long ago that the information about the old packages is sporadic as
> it jumps from 0.37.3-2.9 to 0.47-3. So, perhaps my previous email should
> have more accurately said that the fix landed sometime between 0.37.3-2.9 and
> 0.47-3, but for certain it was contained in 0.47-3.
>
> This can be seen by downloading both packages and looking at the details
> inside them.
>
> 0.37.3-2.9:
>
> /usr/share/doc/sqwebmail/changelog.gz shows that this shipped SqWebMail 3.3.2,
> released on 2002-02-25.
>
> This version was not affected by the CVE, as it was introduced in version
> 3.4.1. Presumably, Debian at one time did ship an affected version, probably
> only in testing and unstable, but this is not preserved on
> snapshot.debian.org.
>
> 0.47-3:
>
> /usr/share/doc/sqwebmail.changelog.gz shows that this shipped a version of
> SqWebMail three commits past 4.0.7, dated 2004-09-02. This includes the fixed
> version of 3.6.1.
>
> The commit history on GitHub doesn’t go back that far, because it didn’t exist
> as a project on GitHub in 2003 (GitHub wasn’t even founded until 2008). So,
> it is hard to know exactly what was changed in each commit.
>
> https://github.com/svarshavchik/courier
>
> But it appears this commit from 2003-10-10 described in the 0.47-3 changelog
> is what fixed the CVE:
>
> "sqwebmail.c (error3): More informative error messages."
>
> This tracks with the description of the CVE:
>
> Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for
> incorrect passwords versus correct passwords on non-mail-enabled accounts
> (such as root), which allows remote attackers to guess the root password via
> brute force attacks.
>
> Note that the CVE was filed in 2004, after the fix had already been applied to
> the source in 2003. This was why the person filing the CVE could confidently
> include the first and last affected version at the time of the filing.

Do you have any further questions about the additional information I provided
in the previous email?

-- 
Soren Stoutner
soren@debian.org