Hi, I am facing a licensing issue with a patch to fix a (possible? [1]) CVE in the rainloop package.
A security issue has been reported upstream [2], but there have been no replies from the upstream project yet. The reporter followed up by describing the security issue in a blog post [3], which also contains a patch to fix the issue. I contacted the patch author to ask how we could redistribute the patch (see the discussion in [2]). They agreed to license it under the upstream project's license (AGPLv3), and I suggested the approach described in [4].

Since IANAL, I decided to ask devel-discuss whether there is a better approach for licensing this patch, or whether this should be enough to include it as a delta.

Note that this was submitted to Debian in [5], where I raised this same concern.

[1] CVE-2022-29360 has not been published in MITRE's DB nor on cve.org yet.
[2] https://github.com/RainLoop/rainloop-webmail/issues/2142
[3] https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
[4] https://github.com/RainLoop/rainloop-webmail/issues/2142#issuecomment-1137592507
[5] https://salsa.debian.org/js-team/rainloop/-/merge_requests/4

-- 
Athos Ribeiro

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss