Hi Abhijith

Thank you. I have marked CVE-2024-30156 as ignored now for buster.
I know buster is no longer part of LTS but I find it useful to know this decision anyway.

Cheers

// Ola

On Sun, 30 Jun 2024 at 09:25, Abhijith PA <abhij...@debian.org> wrote:
>
> Hi.
>
> On 26/06/24 08:17 PM, Ola Lundqvist wrote:
> ...
> > >
> > > If I remember correctly, CVE-2024-30156 was very intrusive. But I
> > > didn't mark it likewise as I wanted to give it a try after other fixes.
> >
> > Good point. Do you still think it is worth fixing when you have worked
> > on the other issues, or should I mark it as ignored now?
>
> I think it's better to mark as ignored now.
>
> > > CVE-2023-44487, I did port upstream fixes. But tests were failing.
> > > https://people.debian.org/~abhijith/reports/LTS_ELTS-Decemeber-2023.txt
> >
> > Where did you get the tests from? I do not see those tests in the
> > package. Are they from some upstream repo?
> > If yes, did they pass before the correction?
>
> https://github.com/varnishcache/varnish-cache/tree/varnish-6.1.1/bin/varnishtest
>
> It's also shipped in Debian source. But not performed at build time.
> Yes, the tests were passing before my changes. (Some tests were already
> failing, but after patches the test failures only increased)
>
> > > CVE-2019-20637, I have a patch locally on my machine. But I am not
> > > sure whether it's complete and atm I have no access to a proper machine to
> > > build. Patch attached in the mail.
> >
> > It should be complete. If it is not complete the fix for bullseye is
> > not correct because it is the same.
>
> OK.
>
>
> --abhijith

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------