On Sun, Jan 21, 2024 at 03:37:11PM +0000, Alberto Bertogli wrote:
> There are 3 patches in this release: patches 1 and 2 are minor (but
> important) adjustments to tests, so that patch 3 that contains the fix can
> be tested at all.
>
> Applying just patch 3 would be nominally "minimal", but also fail
> tests.
>
> I would argue this is the minimal set of patches to fix the security
> release.
>
> That said, of course that is subjective, other alternative patches could be
> done instead; and I'm sure there's a lot of Debian-specific criteria,
> history, and processes that can be applied to make these decisions, which I
> lack.
>
> So I think at this point I rather leave this stable update to the Debian
> experts (which I am definitely not :).
>
> The patches are there, and please if you have any questions I can help with
> as upstream capacity, just let me know!

As far as I understood and looked, there are just 3 patches in this update which seem to be needed to fix the SMTP smuggling vulnerability, right?

Seems I got a few things mixed up and maybe offered wrong advice in my previous email -- sorry!

I've CC'ed security team as per the documented procedure[1], and will wait for their reply on this matter, and we can take it forward for stable uploads from there.

[1]: https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Best,
Nilesh