On Sun, 2013-02-24 at 14:58 +0100, Andreas Metzler wrote:
> On 2013-02-17 "Adam D. Barratt" <[email protected]> wrote:
> > Apologies for the delay in getting back to you about this.
>
> no worries.

and very much so again. :-(

> > On Sat, 2013-02-02 at 09:34 +0100, Andreas Metzler wrote:
> > > | Dovecot: robustness; better msg on missing mech.
> > [...]
> >> This fixes an exim segfault when accessing a malicious dovecot AUTH
> >> server. I have already talked with the security team, Moritz agrees
> >> that this should be fixed in a point release. Testing already has the
> >> fix since 4.80-6.
>
> > The patch includes "TESTED: works against Dovecot 2.1.10", but stable
> > has 1.2.15. Do we know if the patch has been tested against stable?
>
> Hello,
>
> I have just set up a test system in my squeeze chroot, using dovecot
> with passdb passwd-file as authentication source. It worked for me. I
> have tried AUTH PLAIN, CRAM-MD5 and DIGEST-MD5.
>
> However I do not know whether any systematic testing was done.
>
> >> On top of this I would like to discuss whether it is acceptable to fix
> >> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> >> get the fix into testing - #697444.] The Debian configuration
> >> optionally allows to use spfquery to run SPF-checks on incoming mail.
> >> Due to insufficient quoting it is possible to pass on arbitrary
> >> arguments to spfquery and therefore bypass SPF checks. The fix is not
> >> invasive, but it changes dpkg conffiles.

We're now within a few days of closing uploads for the final point
release of squeeze. Is this still something you'd like to fix there?

Regards,

Adam

