Hi Abhijith

It took me some time to get time to respond.
See comments below.

On Tue, 18 Jun 2024 at 12:27, Abhijith PA <abhij...@debian.org> wrote:
>
> Hi Ola
>
> (thanks for the ping, I almost missed it)
>
> On 10/06/24 10:35 PM, Ola Lundqvist wrote:
> > Hi Abhijith
> >
> > I had a brief look at varnish that you have worked on to figure out
> > what the state of the package is.
> >
> > In buster I can see the following CVEs.
> > CVE-2024-30156 - ignored in bullseye and bookworm because it is too
> > intrusive to backport
> > CVE-2023-44487 - ignored in bullseye and bookworm because it is too
> > intrusive to backport
> > CVE-2019-20637 - looks like it can be backported
> >
> > My question to you is which issue you have tried to address? Is it
> > CVE-2019-20637?
> > Only?
> >
> > If only that, is there any particular reason why CVE-2024-30156 and
> > CVE-44487 have not been ignored for buster as well?
>
> If I remember correctly, CVE-2024-30156 was very intrusive. But I
> didn't mark it likewise as I wanted to give it a try after the other fixes.

Good point. Do you still think it is worth fixing when you have worked on
the other issues, or should I mark it as ignored now?

> CVE-2023-44487, I did port the upstream fixes. But the tests were failing.
> https://people.debian.org/~abhijith/reports/LTS_ELTS-Decemeber-2023.txt

Where did you get the tests from? I do not see those tests in the package.
Are they from some upstream repo? If yes, did they pass before the
correction?

> CVE-2019-20637, I have a patch locally on my machine. But I am not
> sure whether it's complete and atm I don't have access to a proper
> machine to build. Patch attached in the mail.

It should be complete. If it is not complete, the fix for bullseye is not
correct because it is the same.

Cheers

// Ola

> --abhijith

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------