
Re: Upload request: chasquid 1.13-1



On Tue, Dec 26, 2023 at 08:52:21PM +0530, Nilesh Patra wrote:
> On 12/26/2023 8:01 PM IST Alberto Bertogli <albertito@blitiri.com.ar> wrote:
>> Hi!
>>
>> I updated package chasquid to the latest upstream version, 1.13.
>>
>> https://salsa.debian.org/go-team/packages/chasquid/
>>
>> Can someone please review the changes and upload?
>>
>> There are no changes to the Debian package, it is just a merge with upstream's
>> new release, and got no new complaints from lintian.
>
> Uploaded, thank you!

Thanks!


>> This release includes a fix for a newly discovered SMTP attack (SMTP
>> smuggling). Full changelog at
>> https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24.
>>
>> Please let me know if you have any questions or comments!
>
> Would it be possible to backport the SMTP smuggling patch to current chasquid stable version?
> IMHO security vulnerabilities like this warrant a p-u[1]

Sure!

Upstream-wise, I tagged v1.11.1 with a backport of the fix. There are 3 patches: 2 of them backports of small changes to testing infrastructure, and then the 3rd patch is the backport of the fix (the tests for the fix rely on the other 2).

https://blitiri.com.ar/git/r/chasquid/c/d4346efb024e0ebc79295bb5cae4efca81c5dc1f/
https://github.com/albertito/chasquid/tree/v1.11.1

Unfortunately I will be with minimal connectivity for the next couple of weeks, so I won't be able to do the Debian side of this (I'm not familiar with the backporting to stable part so it would take me more time to figure out).

But I hope this helps if anyone can do the Debian backport part. Otherwise, I will give it a try on the second half of January.

Thanks a lot!
		Alberto

