On Monday, June 30, 2025 10:26:04 PM Mountain Standard Time Salvatore Bonaccorso wrote:
> Hi Soren,
>
> On Thu, Jun 12, 2025 at 11:39:24AM -0700, Soren Stoutner wrote:
> > On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore
> > Bonaccorso wrote:
> > > Hi Soren,
> > >
> > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote:
> > > > The security tracker for courier lists two pieces of inaccurate
> > > > information.
> > > >
> > > > https://security-tracker.debian.org/tracker/source-package/courier
> > > >
> > > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was
> > > > not auto-detected because SqWebMail uses a different version numbering
> > > > scheme than the source package it is built from. CVE-2004-2313 affected
> > > > SqWebMail 3.4.1 through 3.6.1. The current version in Debian is
> > > > 6.2.9+1.4.1-2.
> > > >
> > > > https://packages.debian.org/unstable/sqwebmail
> > > >
> > > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug.
> > > > The Debian bug report doesn’t think so.
> > > >
> > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575
> > > >
> > > > The CVE submission doesn’t list any vulnerable or fixed versions, and
> > > > all the links on the CVE are either dead or unuseful.
> > > >
> > > > https://www.cve.org/CVERecord?id=CVE-2005-1308
> > >
> > > Both are marked unimportant for certain reasons. For the former, if you
> > > have an exact fixed version where the fix landed in an unstable upload,
> > > then we can update the metadata. Just adding a fixed version on latest
> > > is wrong.
> >
> > CVE-2004-2313 was fixed in src:courier 0.47-3, which shipped SqWebMail 4.0.7,
> > which is newer than the last vulnerable version 3.6.1.
>
> This is quite unlikely if you compare the changes between 0.47-2 and
> 0.47-3, which only fixed a typo closing #276774.
>
> And furthermore, we cannot and will not trust CVE descriptions for version
> ranges, as they may only reflect a known current state at a given point in
> time; sometimes they are accurate, sometimes they are not, so we need clear
> evidence of where the fix landed, then we can update the metadata.
>
> If not, we err on the safe side. And again note that those CVEs are
> marked unimportant.
>
> If you can point me to the version change after SqWebMail 3.6.1
> implementing the said security feature in the NOTE, we can try to take
> an effort to correct this historic metadata.
When I wrote the above I was indicating that 0.47-3 was the first fixed version that I can verify shipped in Debian. This came from:

https://snapshot.debian.org/binary/sqwebmail/

This is so long ago that the information about the old packages is sporadic, as it jumps from 0.37.3-2.9 to 0.47-3. So, perhaps my previous email should have more accurately said that the fix landed sometime between 0.37.3-2.9 and 0.47-3, but for certain it was contained in 0.47-3. This can be seen by downloading both packages and looking at the details inside them.

0.37.3-2.9: /usr/share/doc/sqwebmail/changelog.gz shows that this shipped SqWebMail 3.3.2, released on 2002-02-25. This version was not affected by the CVE, as it was introduced in version 3.4.1. Presumably, Debian at one time did ship an affected version, probably only in testing and unstable, but this is not preserved on snapshot.debian.org.

0.47-3: /usr/share/doc/sqwebmail.changelog.gz shows that this shipped a version of SqWebMail three commits past 4.0.7, dated 2004-09-02. This includes the fixed version of 3.6.1.

The commit history on GitHub doesn’t go back that far, because it didn’t exist as a project on GitHub in 2003 (GitHub wasn’t even founded until 2008). So, it is hard to know exactly what was changed in each commit.

https://github.com/svarshavchik/courier

But it appears this commit from 2003-10-10 described in the 0.47-3 changelog is what fixed the CVE:

"sqwebmail.c (error3): More informative error messages."

This tracks with the description of the CVE:

Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for incorrect passwords versus correct passwords on non-mail-enabled accounts (such as root), which allows remote attackers to guess the root password via brute force attacks.

Note that the CVE was filed in 2004, after the fix had already been applied to the source in 2003. This was why the person filing the CVE could confidently include the first and last affected version at the time of the filing.

-- 
Soren Stoutner
so...@debian.org
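The failure mode the CVE description quotes (a distinct error message for a correct password on a non-mail account versus a wrong password) as a constructed Python login handler, shown beside a hardened variant that collapses every failure into one reply, plus a self-check a defender can run against their own login routine. This is an added illustration, not SqWebMail's code; the account store, hashes, messages and function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo account store (not SqWebMail's data model): a password
# hash plus whether the account owns a mailbox. sha256 stands in for a real
# password hash only to keep the example dependency-free.
_ACCOUNTS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "mail_enabled": True},
    "root":  {"pw_hash": hashlib.sha256(b"s3cret").hexdigest(), "mail_enabled": False},
}
# Compared against when the user is unknown, so that path does the same work.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()

GENERIC_FAILURE = "Invalid username or password"


def _password_ok(user: str, password: str) -> bool:
    acct = _ACCOUNTS.get(user)
    stored = acct["pw_hash"] if acct else _DUMMY_HASH
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(supplied, stored) and acct is not None


def login_vulnerable(user: str, password: str) -> tuple[bool, str]:
    """The pattern the CVE text describes: once the password check passes,
    a non-mail account gets a different message, so the reply reveals that
    the password was right even though the login still fails."""
    if not _password_ok(user, password):
        return (False, GENERIC_FAILURE)
    if not _ACCOUNTS[user]["mail_enabled"]:
        return (False, "This account has no mailbox")   # password oracle
    return (True, "OK")


def login_hardened(user: str, password: str) -> tuple[bool, str]:
    """Evaluate every precondition first and report one failure message, so
    the reply cannot distinguish a wrong password from a non-mail account.
    The specific reason can still go to a server-side log for operators."""
    acct = _ACCOUNTS.get(user)
    allowed = _password_ok(user, password) and bool(acct and acct["mail_enabled"])
    return (True, "OK") if allowed else (False, GENERIC_FAILURE)


def is_password_oracle(login, user: str, right_password: str, wrong_password: str) -> bool:
    """Self-check for a login routine you operate: does a failed login reply
    differently for a correct and an incorrect password? True means it leaks."""
    ok_right, msg_right = login(user, right_password)
    ok_wrong, msg_wrong = login(user, wrong_password)
    return (not ok_right) and (not ok_wrong) and msg_right != msg_wrong
```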