On Wed, 3 Feb 2021 12:26:23 +0000 Simon McVittie <s...@debian.org> wrote:
> For now, GLib upstream has partially reverted that change, weakening the
> security hardening in order to fix the regression, and I'm going to do
> the same in Debian. This should stop msmtp from regressing in terms of
> which features work, but I cannot guarantee that it does not make msmtp
> exploitable. If I find a concrete attack, I will report it privately to
> the security team.
From an upstream GLib point of view, we're setting a timeline on when we're going to revert the reversion and re-harden GLib against this. It's being tracked in https://gitlab.gnome.org/GNOME/glib/-/issues/2316, and the reversion will be done in the 2.69/2.70 cycle. 2.70 is due to be released around September 2021.

Debian can keep its partial reversion in the distro-specific patches for GLib indefinitely, but after 2.70 you will be diverging from upstream in that respect.

Philip