On Mon, Sep 05, 2016 at 08:13:18PM -0400, Antoine Beaupré wrote:
> Control: tags -1 +pending +patch
>
> Hi,
>
> This is a fix for a "certificate fingerprint spoofing through crafted
> SASL messages" in Charybdis:
>
> https://security-tracker.debian.org/tracker/CVE-2016-7143
>
> I backported the patch from 3.5 to 3.4; it seems to apply, but I haven't
> tested it directly.
>
> Debdiff attached. Note that I restore the "+" separator for the deb8uX
> version as 3.4 is not in stretch anymore, so there's no risk of a failed
> upgrade. It felt confusing to keep X=1 so I bumped the release number to
> 3.4.2-5+deb8u2.

Thanks. Looks good, please build with "-sa" and upload to security-master.

Cheers,
Moritz