Bug#922345: marked as done (msmtp: CVE-2019-8337)

[Debian Bug Tracking System]

Your message dated Fri, 15 Feb 2019 11:50:32 +0000
with message-id <e1guc0m-0006e7...@fasolo.debian.org>
and subject line Bug#922345: fixed in msmtp 1.8.3-1
has caused the Debian Bug report #922345,
regarding msmtp: CVE-2019-8337
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
922345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922345
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: msmtp
Version: 1.8.2-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for msmtp.

CVE-2019-8337[0]:
| In msmtp 1.8.2, when tls_trust_file has its default configuration,
| certificate-verification results are not properly checked.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-8337
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8337
[1] https://marlam.de/msmtp/news/
[2] 
https://gitlab.marlam.de/marlam/msmtp/commit/a81d0a5126304f9f8b29a75d058044dc67d07663

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: msmtp
Source-Version: 1.8.3-1

We believe that the bug you reported is fixed in the latest version of
msmtp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kol...@debian.org> (supplier of updated msmtp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Feb 2019 10:52:11 +0000
Source: msmtp
Binary: msmtp msmtp-dbgsym msmtp-gnome msmtp-gnome-dbgsym msmtp-mta 
msmtp-mta-dbgsym
Architecture: source amd64
Version: 1.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Emmanuel Bouthenot <kol...@debian.org>
Changed-By: Emmanuel Bouthenot <kol...@debian.org>
Description:
 msmtp      - light SMTP client with support for server profiles
 msmtp-gnome - light SMTP client with support for server profiles - with GNOME k
 msmtp-mta  - light SMTP client with support for server profiles - the regular
Closes: 883349 922345
Changes:
 msmtp (1.8.3-1) unstable; urgency=medium
 .
   [ Emmanuel Bouthenot ]
   * New upstream release
     * Fix CVE-2019-8337 : improper certificate verification when
       tls_trust_file=system (Closes: #922345)
 .
   [ Simon Deziel ]
   * Add/delete msmtp user/group on install/purge
   * Make msmtp's binary execute as msmtp group (setgid)
    - This allow restricting access to /etc/msmtprc (Closes: 883349)
Checksums-Sha1:
 a0d4c11a404970a7e73fbbce7f4cb38285090d27 1978 msmtp_1.8.3-1.dsc
 1e44836b56133251155c34144ff186c2a3a7780d 260469 msmtp_1.8.3.orig.tar.gz
 30501a39ad8109395261d1a57610829d1a198a54 17776 msmtp_1.8.3-1.debian.tar.xz
 ec34695112ce20729b3b5cd82d3de1e1565074e9 109660 msmtp-dbgsym_1.8.3-1_amd64.deb
 6ba90f9adc9b2fe13915224e7b8162ec1e84763b 113372 
msmtp-gnome-dbgsym_1.8.3-1_amd64.deb
 1fc18f430b23dcdf57a154a42df041fe9085bf54 45792 msmtp-gnome_1.8.3-1_amd64.deb
 6af3d47181cca43808c42abd4ba95815ba31ec1e 14208 
msmtp-mta-dbgsym_1.8.3-1_amd64.deb
 8e19610b2603af61a03d55c1a44bcd8eec371f5b 19148 msmtp-mta_1.8.3-1_amd64.deb
 c26f2e0f714cc52b55db14d7d512a049a8fcfac3 9160 msmtp_1.8.3-1_amd64.buildinfo
 6dabf609d135982f646935b77f01e4477725b714 136808 msmtp_1.8.3-1_amd64.deb
Checksums-Sha256:
 b967e33396c5278ebeb5a587866742c11f0f7c3c3f36f3d94b10949bce23166f 1978 
msmtp_1.8.3-1.dsc
 96abf247360f66b4a6c368448ea4191d0c7f05a350b54aa0d70c839a0f1560a5 260469 
msmtp_1.8.3.orig.tar.gz
 af2f7a7cf07dfe4af15dbdea1527ae4e75dc9fe39b56d247aa6420006cb37c93 17776 
msmtp_1.8.3-1.debian.tar.xz
 918fd8141ddf86d3af6f0af332b169a28786a1319f0d3f4870739586a51a94df 109660 
msmtp-dbgsym_1.8.3-1_amd64.deb
 a34c64334a5f25c02821be474c10d1df316106922a5090ac5cf32950c5509e8a 113372 
msmtp-gnome-dbgsym_1.8.3-1_amd64.deb
 bff1c1a874dc411acb381f519e30788466b7c1e14931d92e29d53fd9f3cc8d2e 45792 
msmtp-gnome_1.8.3-1_amd64.deb
 f74787c426d17ec9411d50baf47342fdd6d84a25660ea9be8e1ee259e845742f 14208 
msmtp-mta-dbgsym_1.8.3-1_amd64.deb
 5ac273bb4166d82a3411f3345e7f88956e8b30c17b02ef6aab5b0b9aa32397be 19148 
msmtp-mta_1.8.3-1_amd64.deb
 e2cdc71977aec1c9398bb3a15a5cd6929ff54bf96c732f5c8b876e905b42fdd7 9160 
msmtp_1.8.3-1_amd64.buildinfo
 9fba6b8a672b31b8572995ea5866934ff172b4a3a0e7d913891088722beb3a8c 136808 
msmtp_1.8.3-1_amd64.deb
Files:
 cda21644776f5290b7f755cb8fe27559 1978 mail optional msmtp_1.8.3-1.dsc
 6e0cac4cf649a81af32b6f90fcf72423 260469 mail optional msmtp_1.8.3.orig.tar.gz
 a13048bbc585cc7305d2f81791871812 17776 mail optional 
msmtp_1.8.3-1.debian.tar.xz
 d74f6b62677f857a98206ab4627521be 109660 debug optional 
msmtp-dbgsym_1.8.3-1_amd64.deb
 31999d321e2fdbbdebb429216188706e 113372 debug optional 
msmtp-gnome-dbgsym_1.8.3-1_amd64.deb
 a3dcdd5b330bb26ac152c61f1003eb56 45792 mail optional 
msmtp-gnome_1.8.3-1_amd64.deb
 85e4e3a84b70475541e143f71e67b9f3 14208 debug optional 
msmtp-mta-dbgsym_1.8.3-1_amd64.deb
 176e1aa80adeda5d8999f6bd804f6bc6 19148 mail optional 
msmtp-mta_1.8.3-1_amd64.deb
 afeea3b4e376b7b52b5960a072d5daff 9160 mail optional 
msmtp_1.8.3-1_amd64.buildinfo
 358d32e8a9bca728705e407d35306d3a 136808 mail optional msmtp_1.8.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETQ1Tfow3vJnf8QuHSwd3I5KdQsMFAlxmoYAACgkQSwd3I5Kd
QsMmORAAgRHuVaXeXY2polM/En9JiQIwZMgkV0jekdcxy2nQbQXDqo2coOF8G/pU
7pA5XLQmMDoQ6vRrqi1BNNG0avFr0PgOZWi+Ul2kdIV1l4ZKOlVe3XlBMEK/D1ob
XfZctT6VkigsEmBZNQ6K66mbeLJWMnBxVhZGlWqjXN7+Phl3fczOPGNLGmK2coWY
cyCFk66rFYwcrL47jzd+l6Im5S/IaSjoLJfhLpfiE4lO0Zcr+9Npo/cE/i+jLD4a
O3JPqwK+RkJ+eH0kY7/oQd5Sr3EfJ2F8BaUkk62owc8bMG8aH6BCCFoaquO4Bt7d
+BxTWq3SRwiG7G51Vzo1hxuQ20gUstD3V5XlesuB1+RqY0cEozBzVKrUCmy8VYEk
moJdKCxT168kbLgDt4Y5SXHnDj8MECwlat7o0PE1l5gRUxHaloi2CXSTdG+nL+XF
yXvYi0qwqFR/MVuwoiSFhR5v66RmbWJvvfqDNc0rnqjeLKLHOM4y9lU8HGTiVC7l
BzmDVM+vO384NNYCesTCHmOIceLmh6Y7ISkVmJLorAWso+lqidXUvgFbF/gp5ML3
7yctC3PlJjog3QoQUNscQxfOkB10xxIyF8RkMcgtf1e+yMytpngGgthu6iOSB1aO
GSriVJl1dwoaPK7WWq0SOtnBUuKo0fRlJQrlAn3Z6UmjBIME4IY=
=zEAC
-----END PGP SIGNATURE-----

--- End Message ---