Re: Please update courier security tracker information
On Mon, Aug 25, 2025 at 05:56:10PM -0700, Soren Stoutner wrote:
> On Friday, August 22, 2025 8:48:56 AM Mountain Standard Time Moritz Mühlenhoff
> wrote:
> > Thanks for folllowing up. I've used 0.44.2-1 as the fixed version given that
> > sqwebmail 3.6.1 was released 2003-10-30 and 0.44.2 was the following release
> > uploaded to sid.
>
> Thank you for doing that.
>
> How do you propose we deal with CVE-2005-1308, which was a false positive and was
> never actually a security vulnerability in Courier?
Keeping as it is as upstream has commented on
https://github.com/svarshavchik/courier/issues/61 with "Still, I'm
going to proactively close the books on this topic, in a future
release which will take care of this last dangling bit."?
Please do understand as well the following: The CVE is for reasons
marked "unimportant". So while considered unfixed in the tracker it is
completely in another category, because marked unimprtant, with a
negligible or non-exploitable vector.
Upstream has commented on this issue extensively in above issue.
Regards,
Salvatore
Reply to: