Hi Soren, On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote: > The security tracker for courier list two pieces of inaccurate information. > > https://security-tracker.debian.org/tracker/source-package/courier > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this was not > auto-detected because SqWebMail uses a different version numbering scheme > than > the source package it is built from. CVE-2004-2313 affected SqWebMail 3.4.1 > through 3.6.1. The current version in Debian is 6.2.9+1.4.1-2. > > https://packages.debian.org/unstable/sqwebmail > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. The > Debian bug report doesn’t think so. > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 > > The CVE submission doesn’t list any vulnerable or fixed versions, and all the > links on the CVE are either dead or unuseful. > > https://www.cve.org/CVERecord?id=CVE-2005-1308
Both are amrked unimportant for certain reasons. For the former if you have an exact fixed version where the fix landed in a unstable upload then we can update the metadata. Just adding a fixed version on latest is wrong. The notes give some additional information on those historic CVEs. Regards, Salvatore
