XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: amavisd-new@packages.debian.org, bam@debian.org
Control: affects -1 + src:amavisd-new
[ Reason ]
* Fix CVE-2024-28054.
[ Impact ]
Without this patch:
* CVE-2024-28054 won't be fixed, and amavisd-new could potentially let through malicious emails.
[ Tests ]
No tests.
[ Risks ]
Patch could break with risk that genuine emails get blocked.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
As below.
[ Other info ]
I hope I am doing this right :-)
I accidentally uploaded 2.11.1-6. I tried to delete it, but if that didn't work, please just delete it.
=== deb diff ===
diff -Nru amavisd-new-2.11.1/debian/changelog amavisd-new-2.11.1/debian/changelog
--- amavisd-new-2.11.1/debian/changelog 2021-06-07 22:51:44.000000000 +0000
+++ amavisd-new-2.11.1/debian/changelog 2024-03-31 07:16:32.000000000 +0000
@@ -1,3 +1,10 @@
+amavisd-new (1:2.11.1-5+deb11u1) oldstable; urgency=medium
+
+ * CVE-2024-28054: Handle multiple boundary parameters that contain
+ conflicting values.
+
+ -- Brian May <
bam@debian.org> Sun, 31 Mar 2024 18:16:32 +1100
+
amavisd-new (1:2.11.1-5) unstable; urgency=medium
* Add missing dependency on libnet-snmp-perl. Closes: #936052.
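Review bot: The distribution field on the new entry's first line reads "oldstable", while the request is tagged bullseye and the added gbp.conf names debian/bullseye. Consider targeting the codename, i.e. "amavisd-new (1:2.11.1-5+deb11u1) bullseye; urgency=medium", so the upload stays unambiguous regardless of which suite currently carries the oldstable alias. The entry could also name the patch file it adds (debian/patches/0011-fix-CVE-2024-28054) so the changelog points a reader directly at the fix.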
diff -Nru amavisd-new-2.11.1/debian/gbp.conf amavisd-new-2.11.1/debian/gbp.conf --- amavisd-new-2.11.1/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ amavisd-new-2.11.1/debian/gbp.conf 2024-03-31 07:16:32.000000000 +0000
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch=debian/bullseye
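Review bot: The new debian/gbp.conf is not mentioned in the 1:2.11.1-5+deb11u1 changelog entry, which lists only the CVE-2024-28054 fix, yet the checklist states that all changes are documented in d/changelog. Either add a changelog line for the gbp.conf addition or leave the file out of this upload so the debdiff contains only the security fix.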
diff -Nru amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054 amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054
--- amavisd-new-2.11.1/debian/patches/0011-fix-CVE-2024-28054 1970-01-01 00:0