Hi Andrej, hi Tomo, On Sun, Jan 19, 2025 at 01:25:02PM +0100, Andrej Shadura wrote: > Hello, > > On Sat, 18 Jan 2025, at 18:13, Salvatore Bonaccorso wrote: > >> The following were cherry-picks with no other changes from the > >> upstream’s Git repostitory, branch 2.4.6: > >> > >> - Security fix for CVE-2024-3657 > >> - Security fix for CVE-2024-5953 > >> - Security fix for CVE-2024-8445 > >> - Security fix for CVE-2024-2199 > > > I have a question on the followup for CVE-2024-2199, CVE-2024-8445 > > exists because of an incomplete fix for CVE-2024-2199. What is the > > orgin of the applied patch for CVE-2024-8445? > > > It has, AFAICS as well not yet as well addressed in unstable? Is the > > applied fix validated from upstream? > > This fix comes from the upstream repo, branch 1.4.3: > https://github.com/389ds/389-ds-base/commit/1d3fddaac33 > > I’m not sure why it’s not on other branches, and the bug’s description is > (intentionally?) very vague about *which* versions are affected.
Thanks for the reference to the commit! What I have found so far is that the incomplete fix *might* only affect the 1.4.3.40 and 1.4.4.20 releasses for the included CVE-2024-2199 but it is claimed that versions >= 2.0 which contain the CVE-2024-2199 fix are not affected by the incomplete fix. Now I guess the next steps are to reach out to upstream to understand it more, secondly understand if the applied commit still for bookworm is just a "noop" or in worst case can have negative conseuqences? Timo, any insights? (sorry I'm not to knowledged on 389-ds-base myself). Regards, Salvatore
