Hi,

On Mon, Mar 31, 2025 at 04:58:25PM +0300, Adrian Bunk wrote:
> Hi,
>
> mongo-c-driver was added to *la-needed.txt yesterday, and someone
> already claimed it to fix the 4 bson CVEs (and a non-bson CVE) in
> bullseye and buster.
>

I have already been in coordination w/ Salvatore about this (since I am the package maintainer, one of the upstream devs, and I happen to be the one who developed the patch to this specific CVE).

I had also asked Emilio to preemptively assign it to me when he triaged during his FD week, but I guess it didn't show up for him at that point. I already pinged Chris via IRC to ask him to let me take over the mongo-c-driver specifically, since he claimed them already this morning but I already have the context on them and I was already in coordination w/ Salvatore.

> Copies of the bson code are also in the (E)LTS supported packages
> libbson/stretch and libbson-xs-perl/bullseye.
>

I am aware of libbson/stretch but not of libbson-xs-perl/bullseye. I could handle that one as well, and I can claim it once it pops up in ela-needed.txt.

> Front Desk / Security Team:
> CVEs need syncing between these 3 source packages.
>
> It would make sense if the same person fixes the CVEs in all copies of
> the bson code in all releases.
>

Agreed.

Chris,

Can you confirm that it's OK for me to go ahead and take over your claims on mongo-c-driver?

Regards,

-Roberto

--
Roberto C. Sánchez