Hi,

On Thu, Jan 16, 2025 at 09:31:20PM +0100, Andrej Shadura wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: 389-ds-b...@packages.debian.org, Timo Aaltonen <tjaal...@debian.org>
> Control: affects -1 + src:389-ds-base
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
>
> The current version in bookworm has at least four CVEs unfixed which
> are trivially fixable by applying patches from the relevant upstream
> branch. These CVEs will be fixed by the upcoming LTS upload into
> bullseye, so to make sure users keep these fixes when they switch
> to bookworm, we need to get them fixed in bookworm too.
>
> [ Impact ]
>
> None except the server won't crash in certain situations.
>
> [ Tests ]
>
> Only the automated tests which run during the package build.
>
> [ Risks ]
>
> The changes are relatively simple and come with significant test
> coverage.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> The following were cherry-picks with no other changes from the
> upstream’s Git repository, branch 2.4.6:
>
> - Security fix for CVE-2024-3657
> - Security fix for CVE-2024-5953
> - Security fix for CVE-2024-8445
> - Security fix for CVE-2024-2199
I have a question on the followup for CVE-2024-2199: CVE-2024-8445 exists because of an incomplete fix for CVE-2024-2199. What is the origin of the applied patch for CVE-2024-8445? It has, AFAICS, as well not yet been addressed in unstable? Is the applied fix validated from upstream?

Regards,
Salvatore