Bug#1069690: bookworm-pu: package libkf5ksieve/4:22.12.3-1+deb12u1
Patrick Franz
2024-04-22 19:40:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@debian.org
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
There is a bug in libkf5ksieve where the password instead of the
username is sent when using managesieve and could therefore be
logged on a server as the login will fail.

[ Impact ]
Potentially sensitive passwords are logged on a server.

[ Tests ]
Affected user has successfully tested the patched version.

[ Risks ]
The patch is trivial (1 line is changed) and it's quite obvious
that it was a bug in the first place.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
1-line patch to fix the bug.
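To make the failure mode concrete, here is an added illustration (constructed for this page, not code from libkf5ksieve or the Debian patch) of how a client that puts the password into the username slot of a SASL PLAIN ManageSieve login ends up with the password in the server's failed-login log line; the PLAIN mechanism, the log format and the credentials are all assumptions:

```python
import base64

# Constructed sample credentials (not from the bug report).
USERNAME = "alice"
PASSWORD = "hunter2-secret"


def sasl_plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Encode a SASL PLAIN initial response (RFC 4616):
    authzid NUL authcid NUL passwd, base64-encoded, as sent with
    ManageSieve AUTHENTICATE "PLAIN"."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def buggy_client_response(username: str, password: str) -> str:
    # Positional mix-up of the kind the report describes: the password
    # is placed where the server expects the authentication identity.
    return sasl_plain_initial_response(password, username)


def fixed_client_response(username: str, password: str) -> str:
    # Keyword arguments make the slot each value lands in explicit.
    return sasl_plain_initial_response(authcid=username, passwd=password)


def server_authenticate(response_b64: str, expected_user: str,
                        expected_password: str) -> tuple[bool, str]:
    """Simulated ManageSieve server side: decode PLAIN, verify, and log the
    presented user name on failure (a common server behaviour, assumed here).
    Returns (login_ok, log_line)."""
    decoded = base64.b64decode(response_b64).decode("utf-8")
    _authzid, authcid, passwd = decoded.split("\0", 2)
    if authcid == expected_user and passwd == expected_password:
        return True, f"managesieve-login: Login: user=<{authcid}>"
    return False, f"managesieve-login: Authentication failed: user=<{authcid}>"


def log_leaks_password(log_line: str, password: str) -> bool:
    """Defender-side check: does a log line contain the plaintext password?"""
    return password in log_line


if __name__ == "__main__":
    for name, client in (("buggy", buggy_client_response), ("fixed", fixed_client_response)):
        ok, line = server_authenticate(client(USERNAME, PASSWORD), USERNAME, PASSWORD)
        print(f"{name}: ok={ok} leaked={log_leaks_password(line, PASSWORD)} :: {line}")
```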
Patrick Franz
2024-04-25 16:00:01 UTC
Hi,

forgot to mention: The relevant bug report for libkf5ksieve is
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069163
-- 
Kind regards

Patrick Franz
Salvatore Bonaccorso
2024-05-02 05:00:01 UTC
Hi Patrick,
Post by Patrick Franz
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> Usertags: pu
> [ Reason ]
> There is a bug in libkf5ksieve where the password instead of the
> username is sent when using managesieve and could therefore be
> logged on a server as the login will fail.
> [ Impact ]
> Potentially sensitive passwords are logged on a server.
> [ Tests ]
> Affected user has successfully tested the patched version.
> [ Risks ]
> The patch is trivial (1 line is changed) and it's quite obvious
> that it was a bug in the first place.
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
> [ Changes ]
> 1-line patch to fix the bug.
> diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3
As it is not yet uploaded for bookworm, you might add as well the CVE
id reference in the changelog: CVE-2023-52723 .

p.s.: I think you can take advantage of the improved workflow for this
specific one, if you are sure the package will be accepted as it is
from SRM, you can with the proposed update bug filing, along as well
already do the upload.

(but note, just commenting this with no authority speaking, as not
part of the release team)

Regards,
Salvatore
