Hi Ola,

On Mon, Oct 07, 2024 at 10:27:52PM +0200, Ola Lundqvist wrote:
> Hi fellow LTS and ELTS developers
> I started to look at git for bullseye. It has one vulnerability in
> CVE-2024-32020.
> You can read about the vulnerability here:
> [1]https://security-tracker.debian.org/tracker/CVE-2024-32020
> For Debian Stable it has been fixed together with a lot of other changes
> in the scope of DSA-5769-1.
> However when you read what the fix is, it is obvious that this is not a
> perfectly safe fix, from a regression point of view. Please read more
> here:
> [2]https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u
This specific CVE was discussed on this list in May:
https://lists.debian.org/debian-lts/2024/05/msg00017.html

It is true that this was fixed in bookworm. However, please note that the DSA gives the fixed version as 1:2.39.5-0+deb12u1, meaning that the version uploaded was a new upstream point release. The debian/changelog entry confirms this:

  * new upstream point release (see RelNotes/2.39.3.txt, RelNotes/2.39.4.txt,
    RelNotes/2.39.5.txt). Addresses CVE-2023-25652, CVE-2023-25815,
    CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32020,
    CVE-2023-32021 (closes: #1071160).

So, yes, technically the behavior changed. But that change in behavior resulted from accepting a new upstream version with different behavior. To call it a regression in this case is not accurate.

If we applied the CVE-2024-32020 fix to the version in bullseye or older then we would be patching an older version of Git. In that case, modifying the behavior in this way would (in my estimation) be a regression, which is why this should not be fixed in bullseye and older. That is to say, the problems which would result from fixing this would outweigh the benefits.

Regards,

-Roberto

--
Roberto C. Sánchez