Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote:
> [note: I am not subscribed to debian-security; please keep me or
> debian-lts addressed on replies]
>
> If this seems like a sensible approach, I propose to apply the attached
> patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version)
> to create version 8:2007f~dfsg-6 for upload to sid and eventual
> inclusion in stretch (perhaps via a point release) and then also in
> parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie.
>
> Please reply with your comments. In particular, feedback from the
> security team on the appropriateness of this for a stable point release
> and my suggested route for the update to take to get there would be very

Since Tomas and Ola have reviewed the patch and we have had some
discussion which makes it seem like this is the most sensible approach
to the vulnerability given the constraints, I wonder if the Security
team could weigh in.

I have forwarded my initial message and the patch to Magnus Holmgren
(the uw-imap maintainer) and also added him as a recipient of this
message, as he may wish to be the one to upload to unstable and
coordinate the future point release inclusion.

I ask for some indication now from the security team and/or the
maintainer since I don't think it makes sense to fix this only in jessie
and not in stretch/buster/sid.

Roberto C. Sánchez