Hi Florian,

On Mon, Jun 10, 2024 at 08:41:27AM +0200, Florian Ernst wrote:
> Dear Security Team,
>
> On Sat, Jun 01, 2024 at 04:57:53PM +0200, Salvatore Bonaccorso wrote:
> > [...]
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-5564
> > https://www.cve.org/CVERecord?id=CVE-2024-5564
>
> An updated package containing upstream's fix has just been uploaded and
> is waiting to be processed for unstable.
>
> Upstream's fix:
> https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af
> (as referenced from https://github.com/jpirko/libndp/issues/26 and
> already seen by carnil)
> Debian change:
> https://salsa.debian.org/debian/libndp/-/commit/a6136d60ef278c1aebee32f805ff473f0ee6ef99
>
> The corresponding Debian change applies cleanly on bookworm / stable
> (naturally, as until today bookworm and sid both had libndp 1.8-1) and
> also on bullseye / oldstable and buster / oldoldstable (both having
> libndp 1.6-1).
>
> I could prepare packages targeting (old)stable, if so desired. Or would
> it be easier for you if you just take over from here?

It would be great if you could prepare updates for bullseye-security
and bookworm-security [1]. Please use 1.6-1+deb11u1 and 1.8-1+deb12u1
as the respective version numbers.

security.debian.org also has autopkgtests set up, so we should get
some good coverage by reverse deps.

Cheers,
Moritz

[1] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security