Control: tags -1 - moreinfo

Hello Tobi,

> A question to that: Can you elaborate a bit on the testing you have
> done to verify that this patch indeed fixes the vulnerability?
> (Asking, because unfortunately there is not a lot of information available
> e.g. from the upstream issue and upstream seems to be generally very
> silent…

I developed the upstream patch, and so did do the necessary testing locally. You can simply prepare a crafted message containing some Authentication-Results headers and then see if the right ones get deleted.

> Said that, if we have a high confidence in this patch, this fix should
> also propagate to stable (via stable-proposed-updates) and oldstable.
> I'm happy to sponsor such uploads.

I don’t know if I will have the energy to do a stable update, though.

> Except the information request, this package is ready to be sponsored,
> and I will do so once the me-being-paranoid-question has been answered
> ;-)

Thank you for your interest!

Ciao,
David