On Fri, Jan 05, 2024 at 09:02:26PM +0100, Matěj Volf wrote:
> Package: chasquid
> Version: 1.11-2+b2
> Severity: normal
>
> Hi all,
> you might have heard about the latest SMTP smuggling vulnerability.
> The author of chasquid responded by releasing 1.13 and 1.11.1
> (<https://github.com/albertito/chasquid/releases/tag/v1.11.1>) with
> the backported fix. From <https://tracker.debian.org/pkg/chasquid>, I
> understand that 1.13 was automatically accepted into testing, but I
> didn't notice anything happening regarding 1.11.1 (my server is on
> Debian stable, which only has 1.11), so I wanted to politely ask if
> this could be processed as well.

Thanks for requesting this!

> I have very little knowledge about the Debian packaging and release
> process, so please correct me if I have any major misunderstanding of the
> process and what I'm asking is unreasonable.

That's viable, and it was discussed in the debian-go mailing list too:
https://lists.debian.org/debian-go/2023/12/msg00121.html
Unfortunately, I don't have time to work on this due to some unexpected
personal circumstances, and I won't be able to do the 1.11.1 Debian
package for (probably) a few more weeks.
Hopefully someone can do it in the meantime.
Otherwise, a workaround is to build chasquid v1.11.1 locally, and copy
the binary to /usr/lib. It's not pretty, but it should work.
Again, apologies for not being able to fix this in a timely fashion for
Debian this time.
Thanks a lot!
Alberto