Thanks for reporting this. I will investigate shortly and work with the 
appropriate security teams to ship an update as needed.
-- 
Please excuse my brevity.

Jonathan Sailor <jsai...@cs.brown.edu> wrote:

Package: alpine
Version: 2.00+dfsg-6
Severity: grave
Tags: security
Justification: user security hole

The alpine package does not include a fix for CVE-2008-5514.

Vulnerable: lenny lenny-backports squeeze
Fixed in upstream: wheezy sid

The patch is available at [1]. Note since that version is written for
uw-imap, the path to rfc822.c is imap/src/c-client/rfc822.c.

[1] http://people.debian.org/~nion/nmu-diff/uw-imap-2007b~dfsg-1_2007b~dfsg-1.1.patch

~jon.


-- System Information:
Debian Release: 6.0.3
APT prefers stable
APT policy: (750, 'stable'), (70, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF8, LC_CTYPE=en_US.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages alpine depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4squeeze2 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.23-7.2 OpenLDAP libraries
ii libncurses5 5.7+20100313-5 shared libraries for terminal hand
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8o-4squeeze4 SSL shared libraries

alpine recommends no packages.

Versions of packages alpine suggests:
ii aspell 0.60.6-4 GNU Aspell spell-checker
ii postfix [mail-transport 2.7.1-1+squeeze1 High-performance mail transport ag

-- debconf-show failed

