Hi, On Mon, Jul 21, 2025 at 04:21:02PM -0700, Soren Stoutner wrote: > Bonaccorso, > > On Monday, June 30, 2025 10:58:37 PM Mountain Standard Time Soren Stoutner > wrote: > > On Monday, June 30, 2025 10:26:04 PM Mountain Standard Time Salvatore > > > > Bonaccorso wrote: > > > Hi Soren, > > > > > > On Thu, Jun 12, 2025 at 11:39:24AM -0700, Soren Stoutner wrote: > > > > On Wednesday, June 11, 2025 9:59:24 PM Mountain Standard Time Salvatore > > > > > > > > Bonaccorso wrote: > > > > > Hi Soren, > > > > > > > > > > On Wed, Jun 11, 2025 at 03:11:53PM -0700, Soren Stoutner wrote: > > > > > > The security tracker for courier list two pieces of inaccurate > > > > > > > > information. > > > > > > > > > > https://security-tracker.debian.org/tracker/source-package/courier > > > > > > > > > > > > 1. CVE-2004-2313 was fixed in Debian a long time ago. I think this > > > > was > > > > > > not > > > > > > > > > > auto-detected because SqWebMail uses a different version numbering > > > > > > scheme > > > > > > than the source package it is built from. CVE-2004-2313 affected > > > > > > > > SqWebMail > > > > > > > > > > 3.4.1 through 3.6.1. The current version in Debian is > 6.2.9+1.4.1-2. > > > > > > > > > > > > https://packages.debian.org/unstable/sqwebmail > > > > > > > > > > > > 2. It is unclear if CVE-2005-1308 was ever actually a security bug. > > > > > > The > > > > > > Debian bug report doesn’t think so. > > > > > > > > > > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307575 > > > > > > > > > > > > The CVE submission doesn’t list any vulnerable or fixed versions, > and > > > > > > all > > > > > > the > > > > > > links on the CVE are either dead or unuseful. > > > > > > > > > > > > https://www.cve.org/CVERecord?id=CVE-2005-1308 > > > > > > > > > > Both are amrked unimportant for certain reasons. For the former if you > > > > > have an exact fixed version where the fix landed in a unstable upload > > > > > then we can update the metadata. Just adding a fixed version on latest > > > > > is wrong. > > > > > > > > CVE-2004-2313 was fixed in src:courier 0.47-3 which shipped SqWebMail > > > > 4.0.7, > > > > > > which is newer than the last vulnerable version 3.6.1. > > > > > > This is quite unlikely if you compare the changes between 0.47-2 and > > > 0.47-3 which only fixed a typo closing #276774. And furthermore we > > > cannot and will not trust CVE description for version ranges as they > > > may only reflect a known current state at a given point in time, > > > sometimes they are accurate, sometimes they are not, so we need a > > > clear evidence where the fix landed, then we can update the metadata. > > > > > > If not we err on the safe side. And again note that those CVEs are > > > marked unimportant. > > > > > > If you can point me to the version change after SqWebMail 3.6.1 > > > implementing the said security feature in the NOTE we can try to take > > > an effort to correct this historic metadata. > > > > When I wrote the above I was indicating that 0.47-3 was the first fixed > > version that I can verify shipped in Debian. This came from: > > > > https://snapshot.debian.org/binary/sqwebmail/ > > > > This is so long ago that the information about the old packages is sporadic > as > > it jumps from 0.37.3-2.9 to 0.47-3. So, perhaps my previous email should > > have more accurately said that the fix landed sometime between 0.37.3-2.9 > and > > 0.47-3, but for certain it was contained in 0.47-3. > > > > This can be seen by downloading both packages and looking at the details > > inside them. > > > > 0.37.3-2.9: > > > > /usr/share/doc/sqwebmail/changelog.gz shows that this shipped SqWebMail > 3.3.2, > > released on 2002-02-25 > > > > This version was not affected by the CVE, as it was introduced in version > > 3.4.1. Presumably, Debian at one time did ship an affected version, > probably > > only in testing and unstable, but this is not preserved on > > snapshot.debian.org. > > > > 0.47-3: > > > > /usr/share/doc/sqwebmail.changelog.gz shows that this shipped a version of > > SqWebMail three commits past 4.0.7, dated 2004-09-02. This includes the > fixed > > version of 3.6.1 > > > > The commit history on GitHub doesn’t go back that far, because it didn’t > exist > > as a project on GitHub in 2003 (GitHub wasn’t even founded until 2008). So, > > it is hard to know exactly what was changed in each commit. > > > > https://github.com/svarshavchik/courier > > > > But it appears this commit from 2003-10-10 described in the 0.47-3 changelog > > is what fixed the CVE: > > > > "sqwebmail.c (error3): More informative error messages.” > > > > This tracks with the description of the CVE: > > > > Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for > > incorrect passwords versus correct passwords on non-mail-enabled accounts > > (such as root), which allows remote attackers to guess the root password via > > brute force attacks. > > > > Note that the CVE was filed in 2004, after the fix had already been applied > to > > the source in 2003. This was why the person filing the CVE could > confidently > > include the first and last affected version at the time of the filing. > > Do you have any further questions about the additional information I provided > in the previous email?
I raised already some items in the previous mail. - CVE descriptions cannot be trusted. In particular we cannot determine that the version after 3.6.1 fixes the issue. Neither is there a clear "mapping" that "more informative error messages" while there is at least sime indication that it *may* relate to "generates different error messages for incorrect passwords versus correct passwords". But "appers to be" is non enough, very improtantly when we touch stuff going back over 20 years. - How do you know that the person filling the CVE requested in when and after the fix was applied? The CVE was reserved in 2005-08-16T00:00:00, published in 2005-08-16T04:00:00. We know some updated happend on 2017-07-10T14:57:01 and CVE metadata was last updated on 2024-08-08T01:22:13.536Z. From the CVE record we do not know hwo requested it from MITRE and so neither we can get confirmation on the claims from that person. - Public information still accessible is not avialable anymore in this point in time, modulo the IBM one which stated that as per 1. september 2024 no fix was yet available. - We marked the issue unimportant bringing it away from our radars. - When touching historic entries either is is 100% clear what was the fix or leave the entry untouched. - The CVE have no further helpful information from our cross distro references. - you can try to reach out to courier upstream to get a public answer referenceable on the fix for CVE-2004-2313 which we can use as proof. Regards, Salvatore
