On 2021-12-05 21:30:14, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: car...@debian.org,anar...@debian.org
>
> Hi SRM,
>
> isync in bullseye is affected by CVE-2021-3657[1]. Upstream is
> providing as well explicit patches for the 1.3.x series. That said, I
> could not explicitly test the package for the CVE in question.
>
> But I'm X-Debbugs-CC'ing Antoine, who might additionally be able to
> expose the package for bullseye to some real situation testing.
Hi!

So unfortunately I don't have a reproducer for CVE-2021-3657. I was able to trigger CVE-2021-3657 (#999804) with 1.4+, but I didn't have crashes when running 1.3 in bullseye.

I did test a build of 1.3.0-2.2+deb11u1 based on carnil's debdiff, and it compiles fine, which is a good start. :) It also seems to sync correctly: I'm testing a full sync now, which should complete within an hour.

So far so good.

a.

-- 
Rock journalism is people who can't write, interviewing people who can't talk, in order to provide articles for people who can't read.
- Frank Zappa