Hi,

On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote:
> Hi Alberto, hi Nilesh,
>
> On Sun, Jan 21, 2024 at 05:03:42PM +0000, Alberto Bertogli wrote:
> > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote:
> > > On Sun, Jan 21, 2024 at 03:37:11PM +0000, Alberto Bertogli wrote:
> > > > There are 3 patches in this release: patches 1 and 2 are minor (but
> > > > important) adjustments to tests, so that patch 3 that contains the fix can
> > > > be tested at all.
> > > >
> > > > Applying just patch 3 would be nominally "minimal", but also fail tests.
> > > >
> > > > I would argue this is the minimal set of patches to fix the security
> > > > release.
> > > >
> > > > That said, of course that is subjective, other alternative patches could be
> > > > done instead; and I'm sure there's a lot of Debian-specific criteria,
> > > > history, and processes that can be applied to make these decisions, which I
> > > > lack.
> > > >
> > > > So I think at this point I'd rather leave this stable update to the Debian
> > > > experts (which I am definitely not :).
> > > >
> > > > The patches are there, and please if you have any questions I can help with
> > > > in upstream capacity, just let me know!
> > >
> > > As far as I understood and looked, there are just 3 patches in this update which
> > > seem to be needed to fix the SMTP smuggling vulnerability, right?
> >
> > That is correct.
> >
> > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on
> > top of 1.11:
> >
> > - Patch #1: test: Verify mailbox delivery in minor dialogs test
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
> > - Patch #2: test: Make mail_diff more strict
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
> > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
> >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801
> >
> > Patches #1 and #2 change only tests and testing infrastructure, so that the
> > patch #3 (which fixes the security vulnerability) can have tests to confirm
> > it works.
> >
> > Those commits in Salsa come directly from upstream's 1.11.1, you can confirm
> > that the commit id is the same:
> > https://github.com/albertito/chasquid/commits/v1.11.1/
> >
> > This is what I consider a "reasonable minimum" set of changes to fix the
> > vulnerability. Any less would mean failing or reduced tests for the fixes,
> > which I don't think is a good tradeoff.
> >
> > I hope this explanation helps!
> >
> > > Seems I got a few things mixed up and maybe offered wrong advice in my
> > > previous email -- sorry!
> >
> > No worries! These things get confusing :S
> >
> > > I've CC'ed the security team as per the documented procedure[1], and will
> > > wait for their reply on this matter, and we can take it forward for stable
> > > uploads from there.
> > >
> > > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
> >
> > Thank you, please let me know if there are any other questions or
> > clarification needed!
>
> Thanks for the details. Can you fix this issue in the upcoming point
> releases? They are planned to be announced for the beginning of
> February.
>
> As there seems to be no CVE assigned for the issue in chasquid, I have
> requested one from MITRE.

There is a CVE: CVE-2023-52354.

Regards,
Salvatore
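The fix the thread settles on (patch #3, "Strict CRLF enforcement in DATA contents") addresses SMTP smuggling: if the receiving server ends the DATA phase on a bare-LF "." line while the sending relay forwards the body verbatim, the two disagree on where the message ends and the attacker's trailing bytes are parsed as a fresh MAIL FROM/RCPT TO/DATA sequence. The Go program below is an added example, not chasquid's code and not any of the patches linked above; it puts a lenient terminator check next to the strict one RFC 5321 mandates and runs both over a constructed payload. The function names, the terminator variants accepted in lenient mode, and the payload itself are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// crlfDot is the only end-of-DATA sequence RFC 5321 defines: a line holding a
// single "." terminated by CRLF, following a CRLF-terminated line.
var crlfDot = []byte("\r\n.\r\n")

// lenientDots are the bare-LF/CR variants a permissive reader might also accept
// (assumed for illustration). Accepting any of these is the weakness behind
// SMTP smuggling: two servers in the delivery path disagree about where one
// message ends and the next begins.
var lenientDots = [][]byte{
	[]byte("\n.\n"),
	[]byte("\n.\r\n"),
	[]byte("\r\n.\n"),
}

// splitData consumes the client's byte stream after a DATA command and returns
// the message body, the bytes the server would go on to read as further SMTP
// commands, and whether a terminator was found at all. Dot-unstuffing of body
// lines is left out; only terminator detection matters here.
func splitData(stream []byte, strict bool) (body, rest []byte, ok bool) {
	// The DATA command itself ended with CRLF, so a body consisting of just "."
	// must also terminate. Prepending CRLF lets one search handle that case.
	s := append([]byte("\r\n"), stream...)

	terms := [][]byte{crlfDot}
	if !strict {
		terms = append(terms, lenientDots...)
	}

	// Take the earliest match of any accepted terminator.
	best, bestLen := -1, 0
	for _, t := range terms {
		if i := bytes.Index(s, t); i >= 0 && (best < 0 || i < best) {
			best, bestLen = i, len(t)
		}
	}
	if best < 0 {
		return nil, nil, false
	}
	bodyEnd := best
	if bodyEnd < 2 {
		bodyEnd = 2 // terminator overlapped the synthetic CRLF: empty body
	}
	return s[2:bodyEnd], s[best+bestLen:], true
}

// nextCommand returns the first command line the server would parse after the
// body ends, or "" when nothing remains. In a smuggling attack this is where
// the attacker's second envelope ("MAIL FROM:...") shows up.
func nextCommand(rest []byte) string {
	line, _, _ := bytes.Cut(rest, []byte("\n"))
	return strings.TrimRight(string(line), "\r")
}

// Constructed attacker payload (not a real capture). The legitimate part uses
// proper CRLF line endings; the bare-LF "\n.\n" in the middle is the trick.
const (
	legitPart = "From: <alice@example.org>\r\nSubject: legit\r\n\r\nhello\r\n"
	bareLFDot = "\n.\n"
	smuggled  = "MAIL FROM:<attacker@example.org>\r\n" +
		"RCPT TO:<victim@example.org>\r\n" +
		"DATA\r\n" +
		"Subject: smuggled\r\n\r\nowned\r\n"
	realEnd = ".\r\n"
)

var payload = []byte(legitPart + bareLFDot + smuggled + realEnd)

func main() {
	for _, strict := range []bool{false, true} {
		body, rest, ok := splitData(payload, strict)
		fmt.Printf("strict=%v found=%v bodyLen=%d nextCommand=%q\n",
			strict, ok, len(body), nextCommand(rest))
	}
}
```

With strict=false the reader stops at the bare-LF dot, hands back only the legitimate part as the body, and then reads "MAIL FROM:<attacker@example.org>" as the next command, so the inbound server accepts a second message whose envelope the attacker chose. With strict=true the whole payload, injected dot included, is one body and nothing is left over, which is the behaviour the patch set above restores.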
