• Bug#1068118: bullseye-pu: package amavisd-new/2.11.1-5+deb11u1

    From Brian May@21:1/5 to All on Sun Mar 31 10:30:01 2024
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bullseye
    User: release.debian.org@packages.debian.org
    Usertags: pu
    X-Debbugs-Cc: amavisd-new@packages.debian.org, bam@debian.org
    Control: affects -1 + src:amavisd-new

    [ Reason ]

    * Fix CVE-2024-28054.

    [ Impact ]

    Without this patch:

    * CVE-2024-28054 won't be fixed, and amavisd-new could potentially let through malicious emails.

    [ Tests ]

    No tests.

    [ Risks ]

    Patch could break with risk that genuine emails get blocked.

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]

    As below.

    [ Other info ]

    I hope I am doing this right :-)

    I accidentally uploaded 2.11.1-6. I tried to delete it, but if that didn't work, please just delete it.

    === deb diff ===
    diff -Nru amavisd-new-2.11.1/debian/changelog amavisd-new-2.11.1/debian/changelog
    --- amavisd-new-2.11.1/debian/changelog 2021-06-07 22:51:44.000000000 +0000
    +++ amavisd-new-2.11.1/debian/changelog 2024-03-31 07:16:32.000000000 +0000
    @@ -1,3 +1,10 @@
    +amavisd-new (1:2.11.1-5+deb11u1) oldstable; urgency=medium
    +
    + * CVE-2024-28054: Handle multiple boundary parameters that contain
    + conflicting values.
    +
    + -- Brian May <bam@debian.org> Sun, 31 Mar 2024 18:16:32 +1100
    +
    amavisd-new (1:2.11.1-5) unstable; urgency=medium

    * Add missing dependency on libnet-snmp-perl. Closes: #936052.
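    Review bot: the distribution field on the first line of the new entry is the suite alias "oldstable", while the bug is tagged bullseye and the added gbp.conf names debian/bullseye. Suite aliases move at each release, so the codename "bullseye" in the changelog header would keep the upload target unambiguous.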
    diff -Nru amavisd-new-2.11.1/debian/gbp.conf amavisd-new-2.11.1/debian/gbp.conf --- amavisd-new-2.11.1/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
    +++ amavisd-new-2.11.1/debian/gbp.conf 2024-03-31 07:16:32.000000000 +0000
    @@ -0,0 +1,2 @@
    +[DEFAULT]
    +debian-branch=debian/bullseye
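    Review bot: the new debian/gbp.conf is not mentioned in the 1:2.11.1-5+deb11u1 changelog entry, which lists only the CVE-2024-28054 fix, although the checklist states that all changes are documented in d/changelog. Add a changelog line for it, for example "Add debian/gbp.conf for the debian/bullseye branch", or drop the file from this upload.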
    diff -Nru amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054 amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054
    --- amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054 1970-01-01 00:0
  • From Jonathan Wiltshire@21:1/5 to All on Mon Apr 22 21:20:01 2024
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1068118 = bullseye pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

    Thanks for your contribution!

    Upload details
    ==============

    Package: amavisd-new
    Version: 2.11.1-5+deb11u1

    Explanation: handle multiple boundary parameters that contain conflicting values [CVE-2024-28054]
