Bug#1060091: chasquid: v1.11.1 with backported SMTP smuggling fix was released, will this be released in debian stable?

2024-01-20 Thread Alberto Bertogli

On Fri, Jan 05, 2024 at 09:02:26PM +0100, Matěj Volf wrote:

> Package: chasquid
> Version: 1.11-2+b2
> Severity: normal
>
> Hi all,
>
> you might have heard about the latest SMTP smuggling vulnerability.
> Author of chasquid responded by releasing 1.13 and 1.11.1
> () with
> the backported fix. From , I
> understand that 1.13 was automatically accepted into testing, but I
> didn't notice anything happening regarding 1.11.1 (my server is on
> Debian stable, which only has 1.11), so I wanted to politely ask if
> this could be processed as well.


Thanks for requesting this!


> I have very little knowledge about the Debian packaging and release
> process, so please correct me if I have any major misunderstanding of the
> process and what I'm asking is unreasonable.


That's viable, and it was discussed in the debian-go mailing list too: 
https://lists.debian.org/debian-go/2023/12/msg00121.html


Unfortunately, I don't have time to work on this due to some unexpected 
personal circumstances, and I won't be able to do the 1.11.1 Debian 
package for (probably) a few more weeks.


Hopefully someone can do it in the meantime.

Otherwise, a workaround is to build chasquid v1.11.1 locally, and copy 
the binary to /usr/lib. It's not pretty, but it should work.


Again, apologies for not being able to fix this in a timely fashion for 
Debian this time.


Thanks a lot!
Alberto



Bug#1060091: chasquid: v1.11.1 with backported SMTP smuggling fix was released, will this be released in debian stable?

2024-01-05 Thread Matěj Volf

Package: chasquid
Version: 1.11-2+b2
Severity: normal

Hi all,

you might have heard about the latest SMTP smuggling vulnerability. 
Author of chasquid responded by releasing 1.13 and 1.11.1 
() with the 
backported fix. From , I 
understand that 1.13 was automatically accepted into testing, but I 
didn't notice anything happening regarding 1.11.1 (my server is on 
Debian stable, which only has 1.11), so I wanted to politely ask if this 
could be processed as well.


I have very little knowledge about the Debian packaging and release 
process, so please correct me if I have any major misunderstanding of the 
process and what I'm asking is unreasonable.


Thank you for your work.
Best
Matej


-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable')

Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE 
not set

Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chasquid depends on:
ii  libc6  2.36-9+deb12u3

chasquid recommends no packages.

chasquid suggests no packages.

-- Configuration Files:
/etc/chasquid/certs/README.certs [Errno 2] No such file or directory: 
'/etc/chasquid/certs/README.certs'

/etc/chasquid/chasquid.conf changed [not included]
/etc/chasquid/hooks/post-data changed [not included]

-- no debconf information