On Sun, 31 Dec 2023 07:14:26 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:

> Hi Guilhem, hi Moritz,
>
> On Sat, Dec 30, 2023 at 11:26:02PM +0100, Guilhem Moulin wrote:
> > On Sat, 30 Dec 2023 at 21:02:16 +0100, Felix Geyer wrote:
> > > There are some minor changes staged in the salsa git repo. It would be
> > > good to include them as well. Feel free to push the patch to git and upload.
> > > Alternatively a merge request works as well of course.
> >
> > Thanks for the fast response! Tagged and uploaded.
> >
> > Security team, if you agree with my assessment that CVE-2023-40462 is a
> > duplicate of CVE-2023-34194 (but for a separate project that embeds
> > libxml) and that CVE-2023-40458 is a duplicate of CVE-2021-42260 (but
> > for a separate project that embeds libxml), I can propose debdiffs for
> > bullseye and bookworm.
>
> I think the former is correct but still a bit biased. We initially had
> exactly CVE-2023-40462 as NFU and CVE-2023-34194 for tinyxml. I have
> now committed
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e507c932b999df48f808969c00f07a638e3357b
> which does match my understanding for this doubled CVE assignment. The
> document is actually not very clear. It still mentions
> CVE-2023-40462 but does not consistently say "TinyXML as used in".
> Still hope we can agree the above matches all our understanding.
> Moritz, given you updated back then the entry from NFU and tinyxml, if
> you still strongly disagree I will revert the above, but I tried to
> explain my reasoning in the commit message.
>
> Now for CVE-2023-40458 I'm not sure. Looking back at the references
> for CVE-2021-42260 and the issue report at
> https://sourceforge.net/p/tinyxml/bugs/141/ this sensibly matches the
> description for CVE-2023-40458, but I will want to see if Moritz has
> additional input here.
>
> If this is the case we either have the option to mark it really as a
> duplicate (and request a reject from MITRE) or it is again just an
> ALEOS issue "... tinyxml as used in". Again the table here is not very
> clear in the report: for CVE-2023-34194 and CVE-2023-40462 the two CVEs
> were explicitly listed with brackets including the product in the
> table, but this is not the case for CVE-2023-40458.
>
> Moritz?

Any news on this triaging?

Bastien

> Regards,
> Salvatore