Re: Upload request: chasquid 1.13-1
Hi, On Tue, Jan 23, 2024 at 06:26:21PM +, Alberto Bertogli wrote: > On Mon, Jan 22, 2024 at 04:48:35PM +0100, Salvatore Bonaccorso wrote: > > Hi, > > > > On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote: > > > Hi Alberto, hi Nilesh, > > > > > > On Sun, Jan 21, 2024 at 05:03:42PM +, Alberto Bertogli wrote: > > > > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote: > > > > > On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote: > > > > > > There are 3 patches in this release: patches 1 and 2 are minor (but > > > > > > important) adjustments to tests, so that patch 3 that contains the > > > > > > fix can > > > > > > be tested at all. > > > > > > > > > > > > Applying just patch 3 would be nominally "minimal", but also fail > > > > > > tests. > > > > > > > > > > > > I would argue this is the minimal set of patches to fix the security > > > > > > release. > > > > > > > > > > > > That said, of course that is subjective, other alternative patches > > > > > > could be > > > > > > done instead; and I'm sure there's a lot of Debian-specific > > > > > > criteria, > > > > > > history, and processes that can be applied to make these decisions, > > > > > > which I > > > > > > lack. > > > > > > > > > > > > So I think at this point I rather leave this stable update to the > > > > > > Debian > > > > > > experts (which I am definitely not :). > > > > > > > > > > > > The patches are there, and please if you have any questions I can > > > > > > help with > > > > > > as upstream capacity, just let me know! > > > > > > > > > > As far as I understood and looked, there are just 3 patches in this > > > > > update which > > > > > seem to be needed to fix the SMTP smuggling vulnerability, right? > > > > > > > > That is correct. 
> > > > > > > > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from > > > > 1.13) on > > > > top of 1.11: > > > > > > > > - Patch #1: test: Verify mailbox delivery in minor dialogs test > > > > > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04 > > > > - Patch #2: test: Make mail_diff more strict > > > > > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54 > > > > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents > > > > > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801 > > > > > > > > Patches #1 and #2 change only tests and testing infrastructure, so that > > > > the > > > > patch #3 (which fixes the security vulnerability) can have tests to > > > > confirm > > > > it works. > > > > > > > > Those commits in Salsa come directly from upstream's 1.11.1, you can > > > > confirm > > > > that the commit id is the same: > > > > https://github.com/albertito/chasquid/commits/v1.11.1/ > > > > > > > > This is what I consider a "reasonable minimum" set of changes to fix the > > > > vulnerability. Any less would mean failing or reduced tests for the > > > > fixes, > > > > which I don't think that is a good tradeoff. > > > > > > > > I hope this explanation helps! > > > > > > > > > > > > > Seems I got a few things mixed up and maybe offered wrong advice in > > > > > my previous > > > > > email -- sorry! > > > > > > > > No worries! These things get confusing :S > > > > > > > > > > > > > I've CC'ed security team as per the documented procedure[1], and will > > > > > wait for their > > > > > reply on this matter, and we can take it forward for stable uploads > > > > > from there. 
> > > > >
> > > > > [1]:
> > > > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
> > > >
> > > > Thank you, please let me know if there are any other questions or
> > > > clarification needed!
> > >
> > > Thanks for the details. Can you fix this issue in the upcoming point
> > > releases? They are planned to be announced for the beginning of
> > > February.
> > >
> > > As there seems to be no CVE assigned for the issue in chasquid, I have
> > > requested one from MITRE.
> >
> > There is a CVE: CVE-2023-52354.
>
> Great!
>
> So what are the next steps here? Who needs to do what?
>
> Sorry for the blunt question, I just don't know what happens next :)

Sorry if I was not clear enough. As the update does not warrant a DSA (a Debian security advisory), a fix is sufficient to be included in an upcoming point release.

The timing is actually quite convenient. There is a point release upcoming on 10th of February, with window for uploads closing the preceding weekend.

That is, please do propose the update to the stable release managers for both bookworm and bullseye via the procedure described in
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Does this help?

Regards,
Salvatore
Re: Upload request: chasquid 1.13-1
On Mon, Jan 22, 2024 at 04:48:35PM +0100, Salvatore Bonaccorso wrote: Hi, On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote: Hi Alberto, hi Nilesh, On Sun, Jan 21, 2024 at 05:03:42PM +, Alberto Bertogli wrote: > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote: > > On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote: > > > There are 3 patches in this release: patches 1 and 2 are minor (but > > > important) adjustments to tests, so that patch 3 that contains the fix can > > > be tested at all. > > > > > > Applying just patch 3 would be nominally "minimal", but also fail > > > tests. > > > > > > I would argue this is the minimal set of patches to fix the security > > > release. > > > > > > That said, of course that is subjective, other alternative patches could be > > > done instead; and I'm sure there's a lot of Debian-specific criteria, > > > history, and processes that can be applied to make these decisions, which I > > > lack. > > > > > > So I think at this point I rather leave this stable update to the Debian > > > experts (which I am definitely not :). > > > > > > The patches are there, and please if you have any questions I can help with > > > as upstream capacity, just let me know! > > > > As far as I understood and looked, there are just 3 patches in this update which > > seem to be needed to fix the SMTP smuggling vulnerability, right? > > That is correct. 
> > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on > top of 1.11: > > - Patch #1: test: Verify mailbox delivery in minor dialogs test > https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04 > - Patch #2: test: Make mail_diff more strict > https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54 > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents > https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801 > > Patches #1 and #2 change only tests and testing infrastructure, so that the > patch #3 (which fixes the security vulnerability) can have tests to confirm > it works. > > Those commits in Salsa come directly from upstream's 1.11.1, you can confirm > that the commit id is the same: > https://github.com/albertito/chasquid/commits/v1.11.1/ > > This is what I consider a "reasonable minimum" set of changes to fix the > vulnerability. Any less would mean failing or reduced tests for the fixes, > which I don't think that is a good tradeoff. > > I hope this explanation helps! > > > > Seems I got a few things mixed up and maybe offered wrong advice in my previous > > email -- sorry! > > No worries! These things get confusing :S > > > > I've CC'ed security team as per the documented procedure[1], and will wait for their > > reply on this matter, and we can take it forward for stable uploads from there. > > > > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security > > Thank you, please let me know if there are any other questions or > clarification needed! Thanks for the details. Can you fix this issue in the upcoming point releases? They are planned to be announced for the beginning of february. As there sees to be no CVE assigned for the issue in chasquid, I have requested one from MITRE. There is a CVE: CVE-2023-52354. Great! So what are the next steps here? 
Who needs to do what? Sorry for the blunt question, I just don't know what happens next :) Thank you! Alberto
Re: Upload request: chasquid 1.13-1
Hi, On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote: > Hi Alberto, hi Nilesh, > > On Sun, Jan 21, 2024 at 05:03:42PM +, Alberto Bertogli wrote: > > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote: > > > On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote: > > > > There are 3 patches in this release: patches 1 and 2 are minor (but > > > > important) adjustments to tests, so that patch 3 that contains the fix > > > > can > > > > be tested at all. > > > > > > > > Applying just patch 3 would be nominally "minimal", but also fail > > > > tests. > > > > > > > > I would argue this is the minimal set of patches to fix the security > > > > release. > > > > > > > > That said, of course that is subjective, other alternative patches > > > > could be > > > > done instead; and I'm sure there's a lot of Debian-specific criteria, > > > > history, and processes that can be applied to make these decisions, > > > > which I > > > > lack. > > > > > > > > So I think at this point I rather leave this stable update to the Debian > > > > experts (which I am definitely not :). > > > > > > > > The patches are there, and please if you have any questions I can help > > > > with > > > > as upstream capacity, just let me know! > > > > > > As far as I understood and looked, there are just 3 patches in this > > > update which > > > seem to be needed to fix the SMTP smuggling vulnerability, right? > > > > That is correct. 
> > > > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on > > top of 1.11: > > > > - Patch #1: test: Verify mailbox delivery in minor dialogs test > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04 > > - Patch #2: test: Make mail_diff more strict > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54 > > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents > > > > https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801 > > > > Patches #1 and #2 change only tests and testing infrastructure, so that the > > patch #3 (which fixes the security vulnerability) can have tests to confirm > > it works. > > > > Those commits in Salsa come directly from upstream's 1.11.1, you can confirm > > that the commit id is the same: > > https://github.com/albertito/chasquid/commits/v1.11.1/ > > > > This is what I consider a "reasonable minimum" set of changes to fix the > > vulnerability. Any less would mean failing or reduced tests for the fixes, > > which I don't think that is a good tradeoff. > > > > I hope this explanation helps! > > > > > > > Seems I got a few things mixed up and maybe offered wrong advice in my > > > previous > > > email -- sorry! > > > > No worries! These things get confusing :S > > > > > > > I've CC'ed security team as per the documented procedure[1], and will > > > wait for their > > > reply on this matter, and we can take it forward for stable uploads from > > > there. > > > > > > [1]: > > > https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security > > > > Thank you, please let me know if there are any other questions or > > clarification needed! > > Thanks for the details. Can you fix this issue in the upcoming point > releases? They are planned to be announced for the beginning of > february. 
>
> As there seems to be no CVE assigned for the issue in chasquid, I have
> requested one from MITRE.

There is a CVE: CVE-2023-52354.

Regards,
Salvatore
Re: Upload request: chasquid 1.13-1
Hi Alberto, hi Nilesh, On Sun, Jan 21, 2024 at 05:03:42PM +, Alberto Bertogli wrote: > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote: > > On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote: > > > There are 3 patches in this release: patches 1 and 2 are minor (but > > > important) adjustments to tests, so that patch 3 that contains the fix can > > > be tested at all. > > > > > > Applying just patch 3 would be nominally "minimal", but also fail > > > tests. > > > > > > I would argue this is the minimal set of patches to fix the security > > > release. > > > > > > That said, of course that is subjective, other alternative patches could > > > be > > > done instead; and I'm sure there's a lot of Debian-specific criteria, > > > history, and processes that can be applied to make these decisions, which > > > I > > > lack. > > > > > > So I think at this point I rather leave this stable update to the Debian > > > experts (which I am definitely not :). > > > > > > The patches are there, and please if you have any questions I can help > > > with > > > as upstream capacity, just let me know! > > > > As far as I understood and looked, there are just 3 patches in this update > > which > > seem to be needed to fix the SMTP smuggling vulnerability, right? > > That is correct. 
>
> I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on
> top of 1.11:
>
> - Patch #1: test: Verify mailbox delivery in minor dialogs test
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
> - Patch #2: test: Make mail_diff more strict
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
> - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
>   https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801
>
> Patches #1 and #2 change only tests and testing infrastructure, so that the
> patch #3 (which fixes the security vulnerability) can have tests to confirm
> it works.
>
> Those commits in Salsa come directly from upstream's 1.11.1, you can confirm
> that the commit id is the same:
> https://github.com/albertito/chasquid/commits/v1.11.1/
>
> This is what I consider a "reasonable minimum" set of changes to fix the
> vulnerability. Any less would mean failing or reduced tests for the fixes,
> which I don't think that is a good tradeoff.
>
> I hope this explanation helps!
>
> > Seems I got a few things mixed up and maybe offered wrong advice in my
> > previous email -- sorry!
>
> No worries! These things get confusing :S
>
> > I've CC'ed security team as per the documented procedure[1], and will wait
> > for their reply on this matter, and we can take it forward for stable
> > uploads from there.
> >
> > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
>
> Thank you, please let me know if there are any other questions or
> clarification needed!

Thanks for the details. Can you fix this issue in the upcoming point releases? They are planned to be announced for the beginning of February.

As there seems to be no CVE assigned for the issue in chasquid, I have requested one from MITRE.

Regards,
Salvatore
Re: Upload request: chasquid 1.13-1
On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote: On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote: There are 3 patches in this release: patches 1 and 2 are minor (but important) adjustments to tests, so that patch 3 that contains the fix can be tested at all. Applying just patch 3 would be nominally "minimal", but also fail tests. I would argue this is the minimal set of patches to fix the security release. That said, of course that is subjective, other alternative patches could be done instead; and I'm sure there's a lot of Debian-specific criteria, history, and processes that can be applied to make these decisions, which I lack. So I think at this point I rather leave this stable update to the Debian experts (which I am definitely not :). The patches are there, and please if you have any questions I can help with as upstream capacity, just let me know! As far as I understood and looked, there are just 3 patches in this update which seem to be needed to fix the SMTP smuggling vulnerability, right? That is correct. I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on top of 1.11: - Patch #1: test: Verify mailbox delivery in minor dialogs test https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04 - Patch #2: test: Make mail_diff more strict https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54 - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801 Patches #1 and #2 change only tests and testing infrastructure, so that the patch #3 (which fixes the security vulnerability) can have tests to confirm it works. 
Those commits in Salsa come directly from upstream's 1.11.1, you can confirm that the commit id is the same: https://github.com/albertito/chasquid/commits/v1.11.1/ This is what I consider a "reasonable minimum" set of changes to fix the vulnerability. Any less would mean failing or reduced tests for the fixes, which I don't think that is a good tradeoff. I hope this explanation helps! Seems I got a few things mixed up and maybe offered wrong advice in my previous email -- sorry! No worries! These things get confusing :S I've CC'ed security team as per the documented procedure[1], and will wait for their reply on this matter, and we can take it forward for stable uploads from there. [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security Thank you, please let me know if there are any other questions or clarification needed! Thanks again, Alberto
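What the title of patch #3, "Strict CRLF enforcement in DATA contents", means at the parser level, as an added illustration that is not chasquid's code and is not taken from the patch: a DATA reader that accepts only `<CRLF>` as a line ending and only `<CRLF>.<CRLF>` as the end of the message. The function name, error names and sample messages are hypothetical and constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Hypothetical error values for this example (not chasquid's).
var (
	ErrBadLineEnding = errors.New("DATA: line not terminated by CRLF, or bare CR inside line")
	ErrUnterminated  = errors.New("DATA: stream ended before <CRLF>.<CRLF>")
)

// ReadStrictData reads one SMTP DATA payload from r and returns the message
// with dot-stuffing removed. Every line must end in exactly CRLF; a bare LF
// or a bare CR anywhere is rejected instead of being normalised, so this
// reader and any downstream server agree on where the message ends.
// A production server would also cap line length and total message size.
func ReadStrictData(r io.Reader) ([]byte, error) {
	br := bufio.NewReader(r)
	var msg bytes.Buffer
	for {
		line, err := br.ReadBytes('\n')
		if err == io.EOF {
			// Data ran out before the end-of-data marker.
			return nil, ErrUnterminated
		}
		if err != nil {
			return nil, err
		}
		n := len(line)
		// The LF must be preceded by CR, and no other CR may appear.
		if n < 2 || line[n-2] != '\r' || bytes.IndexByte(line[:n-2], '\r') >= 0 {
			return nil, ErrBadLineEnding
		}
		body := line[:n-2]
		if len(body) == 1 && body[0] == '.' {
			return msg.Bytes(), nil // <CRLF>.<CRLF>: end of message
		}
		if len(body) > 0 && body[0] == '.' {
			body = body[1:] // undo dot-stuffing
		}
		msg.Write(body)
		msg.WriteString("\r\n")
	}
}

func main() {
	// Constructed sample payloads: one well-formed, three malformed.
	samples := []string{
		"Subject: ok\r\n\r\nhello\r\n..leading dot\r\n.\r\n",
		"Subject: bare LF\r\n\r\nhello\nworld\r\n.\r\n",
		"Subject: bare CR\r\n\r\nhello\rworld\r\n.\r\n",
		"Subject: cut short\r\n\r\nhello\r\n",
	}
	for _, s := range samples {
		msg, err := ReadStrictData(strings.NewReader(s))
		fmt.Printf("%q -> %q, err=%v\n", s, msg, err)
	}
}
```
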
Re: Upload request: chasquid 1.13-1
On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote:
> There are 3 patches in this release: patches 1 and 2 are minor (but
> important) adjustments to tests, so that patch 3 that contains the fix can
> be tested at all.
>
> Applying just patch 3 would be nominally "minimal", but also fail
> tests.
>
> I would argue this is the minimal set of patches to fix the security
> release.
>
> That said, of course that is subjective, other alternative patches could be
> done instead; and I'm sure there's a lot of Debian-specific criteria,
> history, and processes that can be applied to make these decisions, which I
> lack.
>
> So I think at this point I rather leave this stable update to the Debian
> experts (which I am definitely not :).
>
> The patches are there, and please if you have any questions I can help with
> as upstream capacity, just let me know!

As far as I understood and looked, there are just 3 patches in this update which seem to be needed to fix the SMTP smuggling vulnerability, right?

Seems I got a few things mixed up and maybe offered wrong advice in my previous email -- sorry!

I've CC'ed security team as per the documented procedure[1], and will wait for their reply on this matter, and we can take it forward for stable uploads from there.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Best,
Nilesh
Re: Upload request: chasquid 1.13-1
On Sun, Jan 21, 2024 at 06:30:11PM +0530, Nilesh Patra wrote:
> On 21 January 2024 6:08:42 pm IST, Alberto Bertogli wrote:
> > I gave this a try. This is my first time doing a stable backport (or any
> > non-unstable change) so please let me know if I did something wrong, which is
> > very likely.
> >
> > I did the following:
> >
> > - Created a new `debian/bookworm-backports` branch.
> > - Merged upstream's v1.11.1 into it, which incorporates the security fixes.
> > ...
> > I don't know if this is okay, and if so, what comes next; so please let me
> > know how to proceed from here!
>
> Whilst all that is fine for backports, if the version of chasquid in stable is
> vulnerable then it needs to go via stable updates, and only *minimal* changes
> need to be done on top of the version in stable.
> In this case it means backporting just the *patch* on top of the version in
> stable.
>
> Would this be possible to get done?

There are 3 patches in this release: patches 1 and 2 are minor (but important) adjustments to tests, so that patch 3 that contains the fix can be tested at all.

Applying just patch 3 would be nominally "minimal", but also fail tests.

I would argue this is the minimal set of patches to fix the security release.

That said, of course that is subjective, other alternative patches could be done instead; and I'm sure there's a lot of Debian-specific criteria, history, and processes that can be applied to make these decisions, which I lack.

So I think at this point I rather leave this stable update to the Debian experts (which I am definitely not :).

The patches are there, and please if you have any questions I can help with as upstream capacity, just let me know!

Thanks!
Alberto
Re: Upload request: chasquid 1.13-1
On 21 January 2024 6:08:42 pm IST, Alberto Bertogli wrote:
>
> I gave this a try. This is my first time doing a stable backport (or any
> non-unstable change) so please let me know if I did something wrong, which is
> very likely.
>
> I did the following:
>
> - Created a new `debian/bookworm-backports` branch.
> - Merged upstream's v1.11.1 into it, which incorporates the security fixes.
> ...
> I don't know if this is okay, and if so, what comes next; so please let me
> know how to proceed from here!

Whilst all that is fine for backports, if the version of chasquid in stable is vulnerable then it needs to go via stable updates, and only *minimal* changes need to be done on top of the version in stable.
In this case it means backporting just the *patch* on top of the version in stable.

Would this be possible to get done? I also highly recommend that you take a look at [1] which won't consume much time.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
Re: Upload request: chasquid 1.13-1
On Tue, Dec 26, 2023 at 07:05:21PM +, Alberto Bertogli wrote:
> On Tue, Dec 26, 2023 at 08:52:21PM +0530, Nilesh Patra wrote:
> > On 12/26/2023 8:01 PM IST Alberto Bertogli wrote:
> > > This release includes a fix for a newly discovered SMTP attack (SMTP
> > > smuggling). Full changelog at
> > > https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
> > >
> > > Please let me know if you have any questions or comments!
> >
> > Would it be possible to backport the SMTP smuggling patch to current
> > chasquid stable version?
> > IMHO security vulnerabilities like this warrant a p-u[1]
>
> Sure! Upstream-wise, I tagged v1.11.1 with a backport of the fix.
>
> There are 3 patches: 2 of them backports of small changes to testing
> infrastructure, and then the 3rd patch is the backport of the fix (the
> tests for the fix rely on the other 2).
>
> https://blitiri.com.ar/git/r/chasquid/c/d4346efb024e0ebc79295bb5cae4efca81c5dc1f/
> https://github.com/albertito/chasquid/tree/v1.11.1
>
> Unfortunately I will be with minimal connectivity for the next couple of
> weeks, so I won't be able to do the Debian side of this (I'm not familiar
> with the backporting to stable part so it would take me more time to
> figure out).

I gave this a try. This is my first time doing a stable backport (or any non-unstable change) so please let me know if I did something wrong, which is very likely.

I did the following:

- Created a new `debian/bookworm-backports` branch.
- Merged upstream's v1.11.1 into it, which incorporates the security fixes.
- Updated the changelog using the usual tooling.
- Tested the build on bookworm with `gbp buildpackage` (same as I always do, except this time on bookworm instead of unstable).
- Uploaded that branch to salsa.
- salsa's test pipeline passed.

I don't know if this is okay, and if so, what comes next; so please let me know how to proceed from here!

Thank you!
Alberto
Re: Upload request: chasquid 1.13-1
On Tue, Dec 26, 2023 at 08:52:21PM +0530, Nilesh Patra wrote:
> On 12/26/2023 8:01 PM IST Alberto Bertogli wrote:
> > Hi!
> >
> > I updated package chasquid to the latest upstream version, 1.13.
> >
> > https://salsa.debian.org/go-team/packages/chasquid/
> >
> > Can someone please review the changes and upload?
> >
> > There are no changes to the Debian package, it is just a merge with
> > upstream's new release, and got no new complaints from lintian.
>
> Uploaded, thank you!

Thanks!

> > This release includes a fix for a newly discovered SMTP attack (SMTP
> > smuggling). Full changelog at
> > https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
> >
> > Please let me know if you have any questions or comments!
>
> Would it be possible to backport the SMTP smuggling patch to current
> chasquid stable version?
> IMHO security vulnerabilities like this warrant a p-u[1]

Sure! Upstream-wise, I tagged v1.11.1 with a backport of the fix.

There are 3 patches: 2 of them backports of small changes to testing infrastructure, and then the 3rd patch is the backport of the fix (the tests for the fix rely on the other 2).

https://blitiri.com.ar/git/r/chasquid/c/d4346efb024e0ebc79295bb5cae4efca81c5dc1f/
https://github.com/albertito/chasquid/tree/v1.11.1

Unfortunately I will be with minimal connectivity for the next couple of weeks, so I won't be able to do the Debian side of this (I'm not familiar with the backporting to stable part so it would take me more time to figure out).

But I hope this helps if anyone can do the Debian backport part. Otherwise, I will give it a try on the second half of January.

Thanks a lot!
Alberto
Re: Upload request: chasquid 1.13-1
On 12/26/2023 8:01 PM IST Alberto Bertogli wrote:
> Hi!
>
> I updated package chasquid to the latest upstream version, 1.13.
>
> https://salsa.debian.org/go-team/packages/chasquid/
>
> Can someone please review the changes and upload?
>
> There are no changes to the Debian package, it is just a merge with upstream's
> new release, and got no new complaints from lintian.

Uploaded, thank you!

> This release includes a fix for a newly discovered SMTP attack (SMTP
> smuggling). Full changelog at
> https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
>
> Please let me know if you have any questions or comments!

Would it be possible to backport the SMTP smuggling patch to current chasquid stable version?
IMHO security vulnerabilities like this warrant a p-u[1]

[1]: https://www.debian.org/releases/proposed-updates

Best,
Nilesh