Hi Roberto, On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: > On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: > > [note: I am not subscribed to debian-security; please keep me or > > debian-lts addressed on replies] > > > > If this seems like a sensible approach, I propose to apply the attached > > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version) > > to create version 8:2007f~dfsg-6 for upload to sid and eventual > > inclusion in stretch (perhaps via a point release) and then also in > > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie. > > > > Please reply with your comments. In particular, feedback from the > > security team on the appropriateness of this for a stable point release > > and my suggested route for the update to take to get there would be very > > useful. > > > > Hi all, > > Since Tomas and Ola have reviewed the patch and we have had some > discussion which makes it seem like this is the most sensible approach > to the vulnerability given the constraints, I wonder if the Security > team could weigh in. > > I have forwarded my initial message and the patch to Magnus Holngren > (the uw-imap maintainer) and also added him as a recipient of this > message, as he may wish to be the one to upload to unstable and > coordinate the future point release inclusion. > > I ask for some indication now from the security team and/or the > maintainer since I don't think it makes sense to fix this only in jessie > and not in stretch/buster/sid.
There is an alternative approach wich was raised by Magnus in the respective bug: https://bugs.debian.org/914632#12 (and see followup from Moritz). Regards, Salvatore
