
      ZZLI4416             linux.debian.bugs.dist             15322 messages      

  Msg # 14863 of 15322 on ZZLI4416, Monday 9-28-25, 1:55  
  From: SALVATORE BONACCORSO  
  To: SALVATORE BONACCORSO  
  Subj: Bug#1115964: dovecot-core: userdb interm  
 From: carnil@debian.org 
  
 Hi Noah, 
  
 On Fri, Sep 26, 2025 at 11:24:13PM +0200, Salvatore Bonaccorso wrote: 
 > Hi Noah, 
 > 
 > On Wed, Sep 24, 2025 at 09:29:27AM -0400, Noah Meyerhans wrote: 
 > > On Tue, Sep 23, 2025 at 10:53:08PM +0200, Salvatore Bonaccorso wrote: 
 > > > > > > I've published a trixie build based on the just uploaded 
 > > > > > > 1:2.4.1+dfsg1-7.  You can install it from my people.debian.org 
 > > > > > > repository.  See https://people.debian.org/~noahm/repo/ for details, and
 > > > > > > use the following sources file: 
 > > > > > > 
 > > > > > > Types: deb deb-src 
 > > > > > > URIs: https://people.debian.org/~noahm/repo 
 > > > > > > Suites: trixie-backports 
 > > > > > > Components: main 
 > > > > > > Signed-By: /etc/apt/noahm.gpg 
 > > > > > > 
 > > > > > > Let me know if this resolves the issue.  Similar packages will likely
 > > > > > > ship in a forthcoming trixie point release.
 > > > > > 
 > > > > > Shouldn't these be shipped through stable-security? 
 > > > > > 
 > > > > 
 > > > > Possibly.  Let's see what the security team thinks.  Multiple people 
 > > > > have encountered this issue since the trixie release, and the impact is
 > > > > a significant breach of privacy.  It doesn't impact the default
 > > > > configuration, but it only takes uncommenting and adjusting one line to
 > > > > trigger it.
 > > > > 
 > > > > Since we just released 13.1, there won't be another trixie point release
 > > > > for a few months, which argues in favor of a DSA IMO.
 > > > 
 > > > As the next point release is on 15 November only and given the impact, 
 > > > yes tend to agree to release a DSA for this issue. Can you prepare the 
 > > > trixie-security debdiff? 
 > > 
 > > See attached.  The diffstat is 
 > >  changelog                                                           |    8 ++
 > >  patches/auth__Use_AUTH_CACHE_KEY_USER_instead_of_per-database.patch |  124 ++++++++++++++++++++++++++++++++++++++++++
 > >  patches/series                                                      |    1
 > >  3 files changed, 133 insertions(+)
 > > 
 > > Note that there's no CVE referenced in the changelog, as we don't seem 
 > > to have one for this issue yet. 
 > 
 > I will try to have a look at this over the weekend and come back to 
 > you. 
  
 Looks good, please upload to security-master (needs to be built with
 -sa).
  
 Regards, 
 Salvatore 
  