On Tue, Mar 28, 2023 at 09:29:57PM +0200, Salvatore Bonaccorso wrote:
> Hi László,
>
> On Sun, Mar 26, 2023 at 04:13:01PM +0200, László Böszörményi wrote:
> > Hi,
> >
> > On Fri, Mar 17, 2023 at 7:54 PM László Böszörményi (GCS) <[email protected]>
> > wrote:
> > > On Thu, Mar 16, 2023 at 11:15 PM Moritz Mühlenhoff <[email protected]>
> > > wrote:
> > > > On Fri, May 21, 2021 at 09:46:31PM +0200, Moritz Muehlenhoff wrote:
> > > > > CVE-2019-11939:
> > > > > https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
> > > > is this fixed in Bookworm?
> > > I let the Security Team decide how this should be treated. I will try
> > > to describe it in full and short.
> > Friendly ping: how does the Security Team see this issue? I've provided
> > insights [1] and tend to think it's safe for Bullseye and later.
Sorry for the late reply, currently mostly offline.
> Strictly speaking, if the code base diverged, CVE-2019-11939 would be
> for Facebook's fbthrift only. If Apache Thrift has a similar issue,
> which is my understanding of THRIFT-5322, then it would need its own
> CVE, which does not seem to exist (in some cases a CVE might be used
> by multiple projects even if the code base is not the same).
>
> I'm leaning towards marking CVE-2019-11939 as NFU for Facebook fbthrift
> specifically, and leaving the Apache Thrift issues alone for the similar case.
> Given the issue would be no-dsa for bullseye and fixed in bookworm, I
> would not do anything in particular unless a CVE gets assigned.
>
> Moritz, do you agree?
I agree, let's mark it as NFU: Facebook fbthrift and not track Apache
Thrift/src:thrift specifically here.
Cheers,
Moritz