Hi Martina,

On Thu, May 20, 2021 at 06:16:34AM +0100, Martina Ferrari wrote:
> On 20/05/2021 05:11, Salvatore Bonaccorso wrote:
> 
> > Thanks, so I have to assume we are protected since 63d6cb569d4e
> > ("Refresh patches and patch out react-app URL handlers") in the
> > packaging repository, which would be in debian/2.15.2+ds-1.
> > 
> > Is this correct?
> 
> To be precise, that commit patched out the whole `/new` prefix when it first
> appeared, and before this vulnerability was introduced. The vuln appears at
> 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020), released as part of
> 2.23.0, and a few days later it is merged into Debian, and removed when
> refreshing patches in 7f0d9ba6d.
> 
> In a nutshell: we never released this code :)

Perfect, thanks a lot for confirming that. I tried to reflect the
status accordingly in https://security-tracker.debian.org/tracker/CVE-2021-29622
which should now be good.

Regards,
Salvatore
