On Tue, Dec 26, 2023 at 08:52:21PM +0530, Nilesh Patra wrote:
> On 12/26/2023 8:01 PM IST Alberto Bertogli wrote:
> > Hi!
> >
> > I updated package chasquid to the latest upstream version, 1.13.
> > https://salsa.debian.org/go-team/packages/chasquid/
> >
> > Can someone please review the changes and upload?
> >
> > There are no changes to the Debian package, it is just a merge with upstream's
> > new release, and got no new complaints from lintian.
>
> Uploaded, thank you!

Thanks!

> > This release includes a fix for a newly discovered SMTP attack (SMTP
> > smuggling). Full changelog at
> > https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
> >
> > Please let me know if you have any questions or comments!
>
> Would it be possible to backport the SMTP smuggling patch to current chasquid
> stable version?
> IMHO security vulnerabilities like this warrant a p-u[1]

Sure!

Upstream-wise, I tagged v1.11.1 with a backport of the fix. There are 3
patches: 2 of them backports of small changes to testing infrastructure,
and then the 3rd patch is the backport of the fix (the tests for the fix
rely on the other 2).
https://blitiri.com.ar/git/r/chasquid/c/d4346efb024e0ebc79295bb5cae4efca81c5dc1f/
https://github.com/albertito/chasquid/tree/v1.11.1
Unfortunately I will be with minimal connectivity for the next couple of
weeks, so I won't be able to do the Debian side of this (I'm not
familiar with the backporting to stable part so it would take me more
time to figure out).
But I hope this helps if anyone can do the Debian backport part.
Otherwise, I will give it a try on the second half of January.
Thanks a lot!
Alberto