On Monday, August 25, 2025 9:20:36 PM Mountain Standard Time Salvatore Bonaccorso wrote:
> On Mon, Aug 25, 2025 at 05:56:10PM -0700, Soren Stoutner wrote:
> > On Friday, August 22, 2025 8:48:56 AM Mountain Standard Time Moritz Mühlenhoff wrote:
> > > Thanks for following up. I've used 0.44.2-1 as the fixed version given that
> > > sqwebmail 3.6.1 was released 2003-10-30 and 0.44.2 was the following release
> > > uploaded to sid.
> >
> > Thank you for doing that.
> >
> > How do you propose we deal with CVE-2005-1308, which was a false positive
> > and was never actually a security vulnerability in Courier?
>
> Keeping as it is as upstream has commented on
> https://github.com/svarshavchik/courier/issues/61 with "Still, I'm
> going to proactively close the books on this topic, in a future
> release which will take care of this last dangling bit."?
>
> Please do understand as well the following: The CVE is for reasons
> marked "unimportant". So while considered unfixed in the tracker it is
> completely in another category, because marked unimportant, with a
> negligible or non-exploitable vector.
>
> Upstream has commented on this issue extensively in above issue.

1. Upstream's statement was that CVE-2005-1308 was never a vulnerability.

"As far as CVE-2005-1308 goes, I don't recall discussing it with anyone (but I have a very dim, dim memory that I might've, just might've). After doing some (re-?)investigation myself, I concluded that there is *no exploitable vulnerability*, and *this is a nothing-burger*"

2. Upstream stated that he intends to harden the program in ways that will make other vulnerabilities more difficult, but this has nothing to do with CVE-2005-1308.

"Still, I'm going to proactively close the books on this *topic*, in a future release which will take care of this last dangling bit."

3. The security tracker has the following text on its website:

Bug: CVE-2005-1308
bullseye: vulnerable
bookworm: vulnerable
trixie: vulnerable
forky: vulnerable
sid: vulnerable

All of the above statements are factually inaccurate. None of these releases are vulnerable to CVE-2005-1308.

I understand that this is marked as unimportant, but it is important to me that the security tracker does not make factually inaccurate statements of any kind.

--
Soren Stoutner
soren@debian.org