Hello Adrian,

On Mon, 18 Dec 2023 at 10:22, Adrian Bunk <b...@debian.org> wrote:
> For releases where it has been backported, I've added a link to a
> regression fix in the security tracker.[1]

Thank you, I remember seeing the regression fix somewhere and I forgot to apply the fix.

> Regarding LTS, CVE-2023-46219 does not affect <= buster since
> CVE-2022-32207 was not present there.

Yes.

> > fix the ldap issue (#1057855) on unstable, and then come back to
> > CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).
> >...
>
> For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
> and plan to upload that.
>
> Please let me know if anything looks wrong about that.

Awesome, I started looking into fixing CVE-2023-46218 for buster and stopped when assessing the backport of the "Curl_strntolower" function.

I see that you backported the original function, and I recommend instead to backport the latest version to take advantage of the further improvements done. I didn't check all of the changes but there was at least one performance improvement.

I also stopped at the point where I was going to check how feasible it was to backport the latest version of the function, so I don't know if that brings up the need to backport other things.

Generally speaking I believe backporting the latest version of the function will also make maintenance smoother, as more CVE fixes might require it in the future and there's a lower risk of carrying a low-profile bug.

That being said, feel free to go ahead if you still prefer to use the original version of the function.

I have sent the debdiffs for the fixes for bullseye and bookworm (for their respective affected CVEs) to the security team and I'm waiting on their ack.

Thank you,

-- 
Samuel Henrique <samueloph>