On 19.12.24 at 08:24, Adrian Bunk wrote:
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: secur...@debian.org, Michael Biebl <bi...@debian.org>, Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>

  * core: make sure there is rdata to process before parsing it.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38472, Closes: #1054879)
  * core: reject overly long TXT resource records.
    Patches cherry-picked from upstream Git.
    (CVE-2023-38469, Closes: #1054876)
  * Ensure each label is at least one byte long.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38470, Closes: #1054877)
  * core: extract host name using avahi_unescape_label()
    Patch cherry-picked from upstream Git.
    (CVE-2023-38471, Closes: #1054878)
  * common: derive alternative host name from its unescaped version.
    Patch cherry-picked from upstream Git.
    (CVE-2023-38473, Closes: #1054880)
  * Fix browsing when invalid services present.
    See https://github.com/lathiat/avahi/issues/212

Tagged moreinfo for two reasons:
1. This is work done by Michael Biebl, it would be fine for me
   to close this request for a maintainer upload.

The debdiff looks good to me. Thanks for preparing it. Since you've already done the work, I'm fine with the pu as-is and I would just import the NMU into a debian/bookworm branch in salsa.
Michael