Debian Bug report logs - #961060
qmail-verify: CVE-2020-3811 CVE-2020-3812

Package: src:netqmail; Maintainer for src:netqmail is Gerrit Pape <pape@smarden.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 May 2020 17:33:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions netqmail/1.06-6, netqmail/1.06-5, netqmail/1.06-6.1

Fixed in versions netqmail/1.06-6.2~deb10u1, netqmail/1.06-6.2, netqmail/1.06-6.2~deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#961060; Package src:netqmail. (Tue, 19 May 2020 17:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Gerrit Pape <pape@smarden.org>. (Tue, 19 May 2020 17:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qmail-verify: CVE-2020-3811 CVE-2020-3812
Date: Tue, 19 May 2020 19:30:53 +0200
Source: netqmail
Version: 1.06-6.1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.06-6
Control: found -1 1.06-5

Hi

See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

Regards,
Salvatore



Marked as found in versions netqmail/1.06-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 May 2020 17:33:03 GMT)


Marked as found in versions netqmail/1.06-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 19 May 2020 17:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#961060; Package src:netqmail. (Wed, 20 May 2020 21:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 20 May 2020 21:27:04 GMT)


Message #14 received at 961060@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 961060@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#961060: qmail-verify: CVE-2020-3811 CVE-2020-3812
Date: Wed, 20 May 2020 23:24:30 +0200
Control: tags -1 + patch

On Tue, May 19, 2020 at 07:30:53PM +0200, Salvatore Bonaccorso wrote:
> Source: netqmail
> Version: 1.06-6.1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Control: found -1 1.06-6
> Control: found -1 1.06-5
> 
> Hi
> 
> See https://www.openwall.com/lists/oss-security/2020/05/19/8 for the
> Qualys advisory covering CVE-2020-3811 and CVE-2020-3812.

debdiff based on the above attached.

Salvatore
[netqmail_1.06-6.2.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 961060-submit@bugs.debian.org. (Wed, 20 May 2020 21:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#961060; Package src:netqmail. (Thu, 21 May 2020 09:03:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Thu, 21 May 2020 09:03:02 GMT)


Message #21 received at 961060@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 961060@bugs.debian.org
Subject: netqmail: diff for NMU version 1.06-6.2
Date: Thu, 21 May 2020 11:01:16 +0200

Dear maintainer,

I've prepared an NMU for netqmail (versioned as 1.06-6.2). The diff
is attached to this message. I did upload without delay as the versions
are all the same basically in stretch and buster, apart from the two fixed
bugs in 6.1 which would so help for the stretch and buster update.

We plan to release the DSA only in a few days after possibly someone
using qmail could verify the correct functioning.

Regards,
Salvatore
[netqmail-1.06-6.2-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 21 May 2020 09:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 May 2020 09:24:03 GMT)


Message #26 received at 961060-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 961060-close@bugs.debian.org
Subject: Bug#961060: fixed in netqmail 1.06-6.2
Date: Thu, 21 May 2020 09:20:00 +0000
Source: netqmail
Source-Version: 1.06-6.2
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 May 2020 22:23:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 961060
Changes:
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)




Marked as fixed in versions netqmail/1.06-6.2~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 May 2020 08:48:03 GMT)


Marked as fixed in versions netqmail/1.06-6.2~deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 May 2020 08:48:04 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#961060. (Sun, 24 May 2020 08:48:09 GMT)


Message #33 received at 961060-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 672155-submitter@bugs.debian.org, 866038-submitter@bugs.debian.org, 961060-submitter@bugs.debian.org
Subject: closing 672155, closing 866038, closing 961060, closing 672155, closing 866038, closing 961060
Date: Sun, 24 May 2020 10:44:23 +0200
close 672155 1.06-6.2~deb10u1
close 866038 1.06-6.2~deb10u1
close 961060 1.06-6.2~deb10u1
close 672155 1.06-6.2~deb9u1
close 866038 1.06-6.2~deb9u1
close 961060 1.06-6.2~deb9u1
thanks




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 30 May 2020 15:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 30 May 2020 15:21:06 GMT)


Message #38 received at 961060-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 961060-close@bugs.debian.org
Subject: Bug#961060: fixed in netqmail 1.06-6.2~deb10u1
Date: Sat, 30 May 2020 15:17:08 +0000
Source: netqmail
Source-Version: 1.06-6.2~deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2020 14:05:21 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for buster-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * [fdc8794a] Setup Gitlab continous integration
   * [73e52807] Fix quotation in postinst (Closes: #866038)
   * [2fc47776] Make package piupart-clean (Closes: #672155)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 30 May 2020 17:51:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 30 May 2020 17:51:10 GMT)


Message #43 received at 961060-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 961060-close@bugs.debian.org
Subject: Bug#961060: fixed in netqmail 1.06-6.2~deb9u1
Date: Sat, 30 May 2020 17:47:25 +0000
Source: netqmail
Source-Version: 1.06-6.2~deb9u1
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
netqmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 961060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated netqmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2020 14:06:19 +0200
Source: netqmail
Architecture: source
Version: 1.06-6.2~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 672155 866038 961060
Changes:
 netqmail (1.06-6.2~deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for stretch-security
 .
 netqmail (1.06-6.2) unstable; urgency=high
 .
   * Address CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811 and
     CVE-2020-3812 (Closes: #961060)
 .
 netqmail (1.06-6.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * [fdc8794a] Setup Gitlab continous integration
   * [73e52807] Fix quotation in postinst (Closes: #866038)
   * [2fc47776] Make package piupart-clean (Closes: #672155)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Aug 2020 07:29:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 04:47:10 2025; Machine Name: bembo
