Hi,

Apologies for the delay in getting back to you about this.

On Sat, 2013-02-02 at 09:34 +0100, Andreas Metzler wrote:
> | Dovecot: robustness; better msg on missing mech.
[...]
> This fixes an exim segfault when accessing a malicious dovecot AUTH
> server. I have already talked with the security team, Moritz agrees
> that this should be fixed in a point release. Testing already has the
> fix since 4.80-6.

The patch includes "TESTED: works against Dovecot 2.1.10", but stable has 1.2.15. Do we know if the patch has been tested against stable?

> On top of this I would like to discuss whether it is acceptable to fix
> http://bugs.debian.org/697057 in stable, too. [ I definitely want to
> get the fix into testing - #697444.] The Debian configuration
> optionally allows to use spfquery to run SPF-checks on incoming mail.
> Due to insufficient quoting it is possible to pass on arbitrary
> arguments to spfquery and therefore bypass SPF checks. The fix is not
> invasive, but it changes dpkg conffiles.

I've been arguing with myself a little over this one. Is it worth a comment preceding the new version of the changes to make it more obvious to anyone looking at the diff during an upgrade why the quoting was added? Presumably anyone performing a non-interactive upgrade won't get the changes, but that doesn't seem so bad in this case.

Regards,

Adam