Re: Upload request: chasquid 1.13-1

2024-01-28 Thread Salvatore Bonaccorso
Hi,

On Tue, Jan 23, 2024 at 06:26:21PM +, Alberto Bertogli wrote:
> On Mon, Jan 22, 2024 at 04:48:35PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Sun, Jan 21, 2024 at 09:55:36PM +0100, Salvatore Bonaccorso wrote:
> > > Hi Alberto, hi Nilesh,
> > > 
> > > On Sun, Jan 21, 2024 at 05:03:42PM +, Alberto Bertogli wrote:
> > > > On Sun, Jan 21, 2024 at 09:38:29PM +0530, Nilesh Patra wrote:
> > > > > On Sun, Jan 21, 2024 at 03:37:11PM +, Alberto Bertogli wrote:
> > > > > > There are 3 patches in this release: patches 1 and 2 are minor (but
> > > > > > important) adjustments to tests, so that patch 3 that contains the fix can
> > > > > > be tested at all.
> > > > > >
> > > > > > Applying just patch 3 would be nominally "minimal", but also fail
> > > > > > tests.
> > > > > >
> > > > > > I would argue this is the minimal set of patches to fix the security
> > > > > > release.
> > > > > >
> > > > > > That said, of course that is subjective, other alternative patches could be
> > > > > > done instead; and I'm sure there's a lot of Debian-specific criteria,
> > > > > > history, and processes that can be applied to make these decisions, which I
> > > > > > lack.
> > > > > >
> > > > > > So I think at this point I rather leave this stable update to the Debian
> > > > > > experts (which I am definitely not :).
> > > > > >
> > > > > > The patches are there, and please if you have any questions I can help with
> > > > > > as upstream capacity, just let me know!
> > > > >
> > > > > As far as I understood and looked, there are just 3 patches in this update which
> > > > > seem to be needed to fix the SMTP smuggling vulnerability, right?
> > > >
> > > > That is correct.
> > > >
> > > > I (upstream) made version 1.11.1 by cherry-picking 3 patches (from 1.13) on
> > > > top of 1.11:
> > > >
> > > > - Patch #1: test: Verify mailbox delivery in minor dialogs test
> > > >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/7fe1d04f01c0e49f3e37cfe8d9823d86b6f33b04
> > > > - Patch #2: test: Make mail_diff more strict
> > > >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/5c4d2f980859e7e42b4da2bea19b04bb79eedd54
> > > > - Patch #3: smtpsrv: Strict CRLF enforcement in DATA contents
> > > >   https://salsa.debian.org/go-team/packages/chasquid/-/commit/e95808d249f900a90eeb0916773ce6ed55632801
> > > >
> > > > Patches #1 and #2 change only tests and testing infrastructure, so that the
> > > > patch #3 (which fixes the security vulnerability) can have tests to confirm
> > > > it works.
> > > >
> > > > Those commits in Salsa come directly from upstream's 1.11.1, you can confirm
> > > > that the commit id is the same:
> > > > https://github.com/albertito/chasquid/commits/v1.11.1/
> > > >
> > > > This is what I consider a "reasonable minimum" set of changes to fix the
> > > > vulnerability. Any less would mean failing or reduced tests for the fixes,
> > > > which I don't think is a good tradeoff.
> > > >
> > > > I hope this explanation helps!
> > > >
> > > >
> > > > > Seems I got a few things mixed up and maybe offered wrong advice in my previous
> > > > > email -- sorry!
> > > >
> > > > No worries! These things get confusing :S
> > > >
> > > >
> > > > > I've CC'ed security team as per the documented procedure[1], and will wait for their
> > > > > reply on this matter, and we can take it forward for stable uploads from there.
> > > > >
> > > > > [1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security
> > > >
> > > > Thank you, please let me know if there are any other questions or
> > > > clarification needed!
> > > 
> > > Thanks for the details. Can you fix this issue in the upcoming point
> > > releases? They are planned to be announced for the beginning of
> > > february.
> > > 
> > > As there seems to be no CVE assigned for the issue in chasquid, I have
> > > requested one from MITRE.
> > 
> > There is a CVE: CVE-2023-52354.
> 
> Great!
> 
> So what are the next steps here? Who needs to do what?
> 
> Sorry for the blunt question, I just don't know what happens next :)

Sorry if I was not clear enough. As the update does not warrant a DSA
(a Debian security advisory), a fix is sufficient to be included in an
upcoming point release. The timing is actually quite convenient. There
is a point release upcoming on 10th of February, with the window for
uploads closing the preceding weekend.

That is, please do propose the update to the stable release managers
for both bookworm and bullseye via the procedure described in
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Does this help?

Regards,
Salvatore
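The strict CRLF handling that patch #3 ("smtpsrv: Strict CRLF enforcement in DATA contents", the fix for the SMTP smuggling issue CVE-2023-52354) refers to, shown as an added illustration written for this thread; it is not chasquid's own code and the function names and sample inputs are constructed. A DATA reader that accepts only CRLF line endings cannot be tricked into ending the message at a bare LF followed by ".", which is what makes the end-of-data marker ambiguous between a smuggling-prone relay and a strict receiver.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

var (
	errBareLF = errors.New("bare LF in DATA contents")
	errBareCR = errors.New("bare CR in DATA contents")
	errNoEnd  = errors.New("DATA not terminated by CRLF.CRLF")
)

// ReadDATA reads the SMTP DATA phase from r. Every line must end in CRLF and
// only a line consisting of a single "." ends the message (RFC 5321). A bare
// CR or LF is rejected instead of being treated as a line break, so a "\n.\r\n"
// sequence cannot end the message early. Dot-stuffing is undone on the way out.
func ReadDATA(r io.Reader) (string, error) {
	br := bufio.NewReader(r)
	var out strings.Builder
	for {
		line, err := br.ReadString('\n')
		if err != nil { // EOF (or read error) before the terminator line
			return "", errNoEnd
		}
		if !strings.HasSuffix(line, "\r\n") {
			return "", errBareLF
		}
		body := line[:len(line)-2]
		if strings.Contains(body, "\r") { // a CR that is not followed by LF
			return "", errBareCR
		}
		if body == "." {
			return out.String(), nil
		}
		out.WriteString(strings.TrimPrefix(body, ".") + "\r\n")
	}
}

func main() {
	// Constructed inputs: a well-formed message, then bare-LF and bare-CR variants.
	for _, in := range []string{"Hi\r\n..x\r\n.\r\n", "Hi\n.\r\n", "Hi\r.\r\n"} {
		msg, err := ReadDATA(strings.NewReader(in))
		fmt.Printf("%q -> %q, %v\n", in, msg, err)
	}
}
```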



Bug#1061706: ITP: distrobuilder -- System container image builder for LXC and Incus

2024-01-28 Thread Mathias Gibbens
Package: wnpp
Severity: wishlist
Owner: Mathias Gibbens 
X-Debbugs-CC: debian-de...@lists.debian.org, debian-go@lists.debian.org

* Package name: distrobuilder
  Version : 3.0-1
  Upstream Author : Linux Containers Project
* URL : https://github.com/lxc/distrobuilder
* License : Apache-2.0
  Programming Lang: Go
  Description : System container image builder for LXC and Incus

 distrobuilder is an image building tool for LXC and Incus.
 .
 Its modern design uses pre-built official images whenever available and
 supports a variety of modifications on the base image. distrobuilder creates
 LXC or Incus images, or just a plain root file system, from a declarative
 image definition (in YAML format) that defines the source of the image, its
 package manager, what packages to install or remove for specific image
 variants, OS releases and architectures, as well as additional files to
 generate and arbitrary actions to execute as part of the image build process.
 .
 Incus images may also be compatible with Canonical's LXD.

  distrobuilder has been the preferred way to create lxc/LXD/Incus
images for several years now, replacing the legacy lxc-templates, but
hasn't yet been packaged for Debian. This package will be team-
maintained within the Go Packaging Team.




Bug#1061707: ITP: golang-github-antchfx-htmlquery -- XPath package for HTML query

2024-01-28 Thread Mathias Gibbens
Package: wnpp
Severity: wishlist
Owner: Mathias Gibbens 
X-Debbugs-CC: debian-de...@lists.debian.org, debian-go@lists.debian.org

* Package name: golang-github-antchfx-htmlquery
  Version : 1.3.0-1
  Upstream Author : antchfx
* URL : https://github.com/antchfx/htmlquery
* License : Expat
  Programming Lang: Go
  Description : XPath package for HTML query

 htmlquery is an XPath query package for HTML, letting you extract
 data or evaluate from HTML documents by an XPath expression.

  This is a dependency for packaging distrobuilder, and will be team-
maintained within the Go Packaging Team.




Bug#1061708: ITP: golang-github-mudler-docker-companion -- squash and unpack Docker images

2024-01-28 Thread Mathias Gibbens
Package: wnpp
Severity: wishlist
Owner: Mathias Gibbens 
X-Debbugs-CC: debian-de...@lists.debian.org, debian-go@lists.debian.org

* Package name: golang-github-mudler-docker-companion
  Version : 0.4.5-1
  Upstream Author : Ettore Di Giacinto
* URL : https://github.com/mudler/docker-companion
* License : GPLv3
  Programming Lang: Go
  Description : squash and unpack Docker images

 docker-companion is a candy mix of tools for docker written in
 Golang and directly using Docker API calls. As for now it allows
 to squash and unpack an image.

  This is a dependency for packaging distrobuilder, and will be team-
maintained within the Go Packaging Team.




Bug#1061709: golang-github-heroku-docker-registry-client -- Client for the v2 Docker Registry API

2024-01-28 Thread Mathias Gibbens
Package: wnpp
Severity: wishlist
Owner: Mathias Gibbens 
X-Debbugs-CC: debian-de...@lists.debian.org, debian-go@lists.debian.org

* Package name: golang-github-heroku-docker-registry-client
  Version : 0.0~git20211012.9463674-1
  Upstream Author : Heroku
* URL : https://github.com/heroku/docker-registry-client
* License : BSD-3-clause
  Programming Lang: Go
  Description : Client for the v2 Docker Registry API

 An API client for the V2 Docker Registry API, for Go applications.

  This is a dependency for packaging distrobuilder, and will be team-
maintained within the Go Packaging Team.

