Hi Roberto,

Thank you. I then conclude that the status should be changed from "postpone" to "ignore" for both LTS and all ELTS releases.

Anyone objecting to this? Please let me know.

Cheers

// Ola

On Tue, 8 Oct 2024 at 21:23, Roberto C. Sánchez <robe...@debian.org> wrote:
> Hi Ola,
>
> On Mon, Oct 07, 2024 at 10:27:52PM +0200, Ola Lundqvist wrote:
> > Hi fellow LTS and ELTS developers
> >
> > I started to look at git for bullseye. It has one vulnerability in
> > CVE-2024-32020.
> > You can read about the vulnerability here:
> > [1] https://security-tracker.debian.org/tracker/CVE-2024-32020
> > For Debian Stable it has been fixed together with a lot of other changes
> > in the scope of DSA-5769-1.
> > However when you read what the fix is, it is obvious that this is not a
> > perfectly safe fix, from a regression point of view. Please read more
> > here:
> > [2] https://lore.kernel.org/git/924426.1716570...@dash.ant.isi.edu/T/#u
>
> This specific CVE was discussed on this list in May:
> https://lists.debian.org/debian-lts/2024/05/msg00017.html
>
> It is true that this was fixed in bookworm. However, please note that
> the DSA gives the fixed version as 1:2.39.5-0+deb12u1, meaning that the
> version uploaded was a new upstream point release. The debian/changelog
> entry confirms this:
>
>   * new upstream point release (see RelNotes/2.39.3.txt,
>     RelNotes/2.39.4.txt, RelNotes/2.39.5.txt). Addresses
>     CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002,
>     CVE-2024-32004, CVE-2024-32020, CVE-2023-32021 (closes:
>     #1071160).
>
> So, yes, technically the behavior changed. But that change in behavior
> resulted from accepting a new upstream version with different behavior.
> To call it a regression in this case is not accurate. If we applied the
> CVE-2024-32020 fix to the version in bullseye or older then we would be
> patching an older version of Git. In that case, modifying the behavior
> in this way would (in my estimation) be a regression, which is why this
> should not be fixed in bullseye and older. That is to say, the problems
> which would result from fixing this would outweigh the benefits.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551   |
 ---------------------------------------------------------------