Debian Bug report logs - #728232
sup-mail: CVE-2013-4478 and CVE-2013-4479


Package: sup-mail; Maintainer for sup-mail is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for sup-mail is src:sup-mail.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 29 Oct 2013 19:48:07 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Fixed in versions sup-mail/0.12.1+git20120407.aaa852f-1+deb7u1, sup-mail/0.11-2+nmu1+deb6u1

Done: Per Andersson <avtobiff@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Tue, 29 Oct 2013 19:48:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 29 Oct 2013 19:48:12 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sup-mail: remote command injection in content_type
Date: Tue, 29 Oct 2013 20:44:57 +0100
Package: sup-mail
Severity: grave
Tags: security upstream patch fixed-upstream

Hi

A remote command injection in sup-mail was reported, see [0] and [1]
for more details. Upstream also released new versions fixing this
issue, see [3] for the diff between 0.13.2 and 0.13.2.1.

 [0] http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html
 [1] http://seclists.org/fulldisclosure/2013/Oct/272
 [2] http://article.gmane.org/gmane.comp.security.oss.general/11389
 [3] https://github.com/sup-heliotrope/sup/compare/release-0.13.2...release-0.13.2.1

(A CVE was requested; in case it gets assigned before a fix is
released, please include the CVE in your changelog.)

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Tue, 29 Oct 2013 21:33:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 29 Oct 2013 21:33:07 GMT) Full text and rfc822 format available.

Message #10 received at 728232@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: remote command injection in content_type
Date: Tue, 29 Oct 2013 22:30:56 +0100
Control: retitle -1 sup-mail: CVE-2013-4478: remote command injection in content_type
Control: user debian-security@lists.debian.org
Control: usertags -1 + tracked

Hi

CVE-2013-4478 was now assigned to this issue.

Regards,
Salvatore



Changed Bug title to 'sup-mail: CVE-2013-4478: remote command injection in content_type' from 'sup-mail: remote command injection in content_type' Request was from Salvatore Bonaccorso <carnil@debian.org> to 728232-submit@bugs.debian.org. (Tue, 29 Oct 2013 21:33:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Wed, 30 Oct 2013 05:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 30 Oct 2013 05:27:04 GMT) Full text and rfc822 format available.

Message #17 received at 728232@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: remote command injection in content_type
Date: Wed, 30 Oct 2013 06:25:39 +0100
Control: retitle -1 sup-mail: CVE-2013-4478 and CVE-2013-4479

Actually I was not correct, there should be two issues:

CVE-2013-4478: For the issue specifically covered in
http://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt which
is
https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785
(security: shellwords escape attachment file names to prevent remote
code execution).

CVE-2013-4479:
https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42
(security: prevent remote command injection in content_type)

See http://www.openwall.com/lists/oss-security/2013/10/30/2 for the
correction of this.

Regards,
Salvatore
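
Added example, not part of the original thread and not sup's code: the two fixes named above, shown on a constructed attachment name and Content-Type value. The naive single-quote wrapping, the printf stand-in for a viewer, the MIME_TYPE pattern and the octet-stream fallback are assumptions for illustration.

```ruby
require "open3"
require "shellwords"

# Stand-in for an attachment viewer: prints its one argument (assumption).
VIEWER = %q(printf '%s\n')

# Constructed attachment name, as it could arrive in a MIME header.
FILENAME = "report'; echo INJECTED; '.pdf"

# Run a command and return its stdout without the trailing newline.
def stdout_of(*cmd)
  out, _err, _status = Open3.capture3(*cmd)
  out.chomp
end

# Before: the name is wrapped in single quotes and handed to /bin/sh.
# A quote inside the name closes the argument; the rest runs as commands.
def view_naive(name)
  stdout_of("#{VIEWER} '#{name}'")
end

# After (the approach the CVE-2013-4478 commit title names): Shellwords.escape
# backslash-escapes every shell-special character, so the name stays one word.
def view_escaped(name)
  stdout_of("#{VIEWER} #{Shellwords.escape(name)}")
end

# Stronger still: pass an argv array so no shell parses the name at all.
def view_argv(name)
  stdout_of("printf", "%s\n", name)
end

# Content-Type is sender-controlled too (CVE-2013-4479). Accept only a
# conservative type/subtype token before it gets near a command line.
MIME_TYPE = %r{\A[A-Za-z0-9][A-Za-z0-9.+_-]*/[A-Za-z0-9][A-Za-z0-9.+_-]*\z}

def safe_content_type(raw)
  raw.to_s.match?(MIME_TYPE) ? raw.downcase : "application/octet-stream"
end

if __FILE__ == $0
  puts "naive:   #{view_naive(FILENAME).inspect}"
  puts "escaped: #{view_escaped(FILENAME).inspect}"
  puts "argv:    #{view_argv(FILENAME).inspect}"
  puts "type:    #{safe_content_type('text/html; echo INJECTED')}"
end
```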



Changed Bug title to 'sup-mail: CVE-2013-4478 and CVE-2013-4479' from 'sup-mail: CVE-2013-4478: remote command injection in content_type' Request was from Salvatore Bonaccorso <carnil@debian.org> to 728232-submit@bugs.debian.org. (Wed, 30 Oct 2013 05:27:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Tue, 05 Nov 2013 18:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Per Andersson <avtobiff@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 05 Nov 2013 18:51:08 GMT) Full text and rfc822 format available.

Message #24 received at 728232@bugs.debian.org (full text, mbox):

From: Per Andersson <avtobiff@gmail.com>
To: 728232@bugs.debian.org
Subject: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Tue, 5 Nov 2013 19:48:41 +0100

Hi!

I am preparing a backported patch from 0.13 to the 0.12 release
currently in testing.

Since testing is now frozen it is too late to upload an entire new
upstream release.


--
Per



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Wed, 06 Nov 2013 07:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Cédric Boutillier <boutil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 06 Nov 2013 07:09:07 GMT) Full text and rfc822 format available.

Message #29 received at 728232@bugs.debian.org (full text, mbox):

From: Cédric Boutillier <boutil@debian.org>
To: Per Andersson <avtobiff@gmail.com>, 728232@bugs.debian.org
Subject: Re: [DRE-maint] Bug#728232: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Wed, 6 Nov 2013 08:06:05 +0100

Hi Per,

On Tue, Nov 05, 2013 at 07:48:41PM +0100, Per Andersson wrote:

> Since testing is now frozen it is too late to upload an entire new
> upstream release.

You can go with a new version: testing will freeze on Nov, 5th *2014*!

Cédric

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Sun, 10 Nov 2013 20:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Nov 2013 20:03:07 GMT) Full text and rfc822 format available.

Message #34 received at 728232@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Per Andersson <avtobiff@gmail.com>, 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Sun, 10 Nov 2013 20:58:28 +0100

Hi Per,

Did you have time to prepare the fixes for unstable?

Can you also prepare packages targeting squeeze-security and
wheezy-security and contact the Security team at
team@security.debian.org?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Tue, 19 Nov 2013 18:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Per Andersson <avtobiff@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 19 Nov 2013 18:39:04 GMT) Full text and rfc822 format available.

Message #39 received at 728232@bugs.debian.org (full text, mbox):

From: Per Andersson <avtobiff@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Tue, 19 Nov 2013 19:37:05 +0100

Hi!

On Sun, Nov 10, 2013 at 8:58 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Per,
>
> Did you have time to prepare the fixes for unstable?

I am looking at uploading the latest upstream version to unstable, yes.


> Can you also prepare packages targeting squeeze-security and
> wheezy-security and contact the Security team at
> team@security.debian.org?

I am on this also.


Best,
Per

> Regards,
> Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Mon, 25 Nov 2013 00:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Per Andersson <avtobiff@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 25 Nov 2013 00:24:04 GMT) Full text and rfc822 format available.

Message #44 received at 728232@bugs.debian.org (full text, mbox):

From: Per Andersson <avtobiff@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Mon, 25 Nov 2013 01:20:42 +0100

On Sun, Nov 10, 2013 at 8:58 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Per,
>
> Did you have time to prepare the fixes for unstable?

Still working with the latest upstream release. Hope it will be done
soon.


> Can you also prepare packages targeting squeeze-security and
> wheezy-security and contact the Security team at
> team@security.debian.org?

This is now done.


--
Per


> Regards,
> Salvatore



Reply sent to Per Andersson <avtobiff@gmail.com>:
You have taken responsibility. (Thu, 28 Nov 2013 22:21:26 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Nov 2013 22:21:26 GMT) Full text and rfc822 format available.

Message #49 received at 728232-close@bugs.debian.org (full text, mbox):

From: Per Andersson <avtobiff@gmail.com>
To: 728232-close@bugs.debian.org
Subject: Bug#728232: fixed in sup-mail 0.12.1+git20120407.aaa852f-1+deb7u1
Date: Thu, 28 Nov 2013 22:17:24 +0000
Source: sup-mail
Source-Version: 0.12.1+git20120407.aaa852f-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
sup-mail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Per Andersson <avtobiff@gmail.com> (supplier of updated sup-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Nov 2013 15:16:09 +0100
Source: sup-mail
Binary: sup-mail
Architecture: source all
Version: 0.12.1+git20120407.aaa852f-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Per Andersson <avtobiff@gmail.com>
Description: 
 sup-mail   - thread-centric mailer with tagging and fast search
Closes: 728232
Changes: 
 sup-mail (0.12.1+git20120407.aaa852f-1+deb7u1) wheezy-security; urgency=high
 .
   * Fix remote code injection when viewing attachments, CVE-2013-4478 and
     CVE-2013-4479 (Closes: #728232)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

-----END PGP SIGNATURE-----




Reply sent to Per Andersson <avtobiff@gmail.com>:
You have taken responsibility. (Thu, 28 Nov 2013 22:33:17 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 Nov 2013 22:33:17 GMT) Full text and rfc822 format available.

Message #54 received at 728232-close@bugs.debian.org (full text, mbox):

From: Per Andersson <avtobiff@gmail.com>
To: 728232-close@bugs.debian.org
Subject: Bug#728232: fixed in sup-mail 0.11-2+nmu1+deb6u1
Date: Thu, 28 Nov 2013 22:32:49 +0000
Source: sup-mail
Source-Version: 0.11-2+nmu1+deb6u1

We believe that the bug you reported is fixed in the latest version of
sup-mail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728232@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Per Andersson <avtobiff@gmail.com> (supplier of updated sup-mail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Nov 2013 23:51:54 +0100
Source: sup-mail
Binary: sup-mail
Architecture: source all
Version: 0.11-2+nmu1+deb6u1
Distribution: squeeze-security
Urgency: high
Maintainer: Decklin Foster <decklin@red-bean.com>
Changed-By: Per Andersson <avtobiff@gmail.com>
Description: 
 sup-mail   - thread-centric mailer with tagging and fast search
Closes: 728232
Changes: 
 sup-mail (0.11-2+nmu1+deb6u1) squeeze-security; urgency=high
 .
   * Non-maintainer upload
   * Fix remote code injection when viewing attachments, CVE-2013-4478 and
     CVE-2013-4479 (Closes: #728232)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#728232; Package sup-mail. (Fri, 06 Dec 2013 16:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 06 Dec 2013 16:27:04 GMT) Full text and rfc822 format available.

Message #59 received at 728232@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Per Andersson <avtobiff@gmail.com>, 728232@bugs.debian.org
Subject: Re: Bug#728232: sup-mail: CVE-2013-4478 and CVE-2013-4479
Date: Fri, 6 Dec 2013 17:25:09 +0100

Hi Per,

On Mon, Nov 25, 2013 at 01:20:42AM +0100, Per Andersson wrote:
> On Sun, Nov 10, 2013 at 8:58 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Hi Per,
> >
> > Did you have time to prepare the fixes for unstable?
> 
> Still working with the latest upstream release. Hope it will be done
> soon.

Did you have a chance to work on this? Both the squeeze-security and
wheezy-security upload happened, but unstable (and so testing) is
still missing the fixes.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Jan 2014 07:28:57 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:46:50 2014; Machine Name: buxtehude.debian.org
