Hi, On Mon, Jun 30, 2025 at 02:27:39PM -0700, Soren Stoutner wrote: > Salvatore, > > On Thursday, June 12, 2025 11:39:24 AM Mountain Standard Time Soren Stoutner > wrote: > > On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore > > > > Bonaccorso wrote: > > > Hi Soren, > > > > > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote: > > > > The security tracker for courier list two pieces of inaccurate > > > > information. > > > > > > https://security-tracker.debian.org/tracker/source-package/courier > > > > > > > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was > > > > not > > > > > > auto-detected because SqWebMail uses a different version numbering > scheme > > > > than the source package it is built from. CVE-2004-2313 affected > > > > SqWebMail > > > > > > 3.4.1 through 3.6.1. The current version in Debian is 6.2.9+1.4.1-2. > > > > > > > > https://packages.debian.org/unstable/sqwebmail > > > > > > > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. > The > > > > Debian bug report doesn’t think so. > > > > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 > > > > > > > > The CVE submission doesn’t list any vulnerable or fixed versions, and > all > > > > the > > > > links on the CVE are either dead or unuseful. > > > > > > > > https://www.cve.org/CVERecord?id=CVE-2005-1308 > > > > > > Both are amrked unimportant for certain reasons. For the former if you > > > have an exact fixed version where the fix landed in a unstable upload > > > then we can update the metadata. Just adding a fixed version on latest > > > is wrong. > > > > CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail 4.0.7, > > which is newer than the last vulnerable version 3.6.1. > > > > > The notes give some additional information on those historic CVEs. > > > > CVE-2005-1308 was incorrectly filed as a security vulnerability, but on > closer > > inspection the security vulnerability never existed. > > > > The most significant part of the Debian bug report: > > > > "Upon further discussion Florian confirmed that the URL is protected > > by an HMAC. This bug can be closed." > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 > > > > My recommendation would be to remove CVE-2005-1308 from the security tracker > > as there never was a security vulnerability in SqWebMail related to it. > > Did you have any further questions about the above information?
Yes, I have followed up on the earlier question. Regards, Salvatore
