Your message dated Fri, 15 Feb 2019 11:50:32 +0000
with message-id <e1guc0m-0006e7...@fasolo.debian.org>
and subject line Bug#922345: fixed in msmtp 1.8.3-1
has caused the Debian Bug report #922345,
regarding msmtp: CVE-2019-8337
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
922345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922345
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: msmtp
Version: 1.8.2-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for msmtp.
CVE-2019-8337[0]:
| In msmtp 1.8.2, when tls_trust_file has its default configuration,
| certificate-verification results are not properly checked.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-8337
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8337
[1] https://marlam.de/msmtp/news/
[2] https://gitlab.marlam.de/marlam/msmtp/commit/a81d0a5126304f9f8b29a75d058044dc67d07663
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: msmtp
Source-Version: 1.8.3-1
We believe that the bug you reported is fixed in the latest version of
msmtp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 922...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bouthenot <kol...@debian.org> (supplier of updated msmtp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 15 Feb 2019 10:52:11 +0000
Source: msmtp
Binary: msmtp msmtp-dbgsym msmtp-gnome msmtp-gnome-dbgsym msmtp-mta
msmtp-mta-dbgsym
Architecture: source amd64
Version: 1.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Emmanuel Bouthenot <kol...@debian.org>
Changed-By: Emmanuel Bouthenot <kol...@debian.org>
Description:
msmtp - light SMTP client with support for server profiles
msmtp-gnome - light SMTP client with support for server profiles - with GNOME k
msmtp-mta - light SMTP client with support for server profiles - the regular
Closes: 883349 922345
Changes:
msmtp (1.8.3-1) unstable; urgency=medium
.
[ Emmanuel Bouthenot ]
* New upstream release
* Fix CVE-2019-8337 : improper certificate verification when
tls_trust_file=system (Closes: #922345)
.
[ Simon Deziel ]
* Add/delete msmtp user/group on install/purge
* Make msmtp's binary execute as msmtp group (setgid)
- This allows restricting access to /etc/msmtprc (Closes: 883349)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---