Hi

On Sun, Jan 19, 2025 at 02:14:20PM +0100, Salvatore Bonaccorso wrote:
> Hi Andrej, hi Tomo,
> 
> On Sun, Jan 19, 2025 at 01:25:02PM +0100, Andrej Shadura wrote:
> > Hello,
> > 
> > On Sat, 18 Jan 2025, at 18:13, Salvatore Bonaccorso wrote:
> > >> The following were cherry-picks with no other changes from the
> > >> upstream’s Git repository, branch 2.4.6:
> > >> 
> > >>  - Security fix for CVE-2024-3657
> > >>  - Security fix for CVE-2024-5953
> > >>  - Security fix for CVE-2024-8445
> > >>  - Security fix for CVE-2024-2199
> > 
> > > I have a question on the followup for CVE-2024-2199, CVE-2024-8445
> > > exists because of an incomplete fix for CVE-2024-2199. What is the
> > > origin of the applied patch for CVE-2024-8445?
> > 
> > > It has, AFAICS, also not yet been addressed in unstable? Is the
> > > applied fix validated by upstream?
> > 
> > This fix comes from the upstream repo, branch 1.4.3:
> > https://github.com/389ds/389-ds-base/commit/1d3fddaac33
> > 
> > I’m not sure why it’s not on other branches, and the bug’s description is
> > (intentionally?) very vague about *which* versions are affected.
> 
> Thanks for the reference to the commit!
> 
> What I have found so far is that the incomplete fix *might* only
> affect the 1.4.3.40 and 1.4.4.20 releases for the included
> CVE-2024-2199 but it is claimed that versions >= 2.0 which contain the
> CVE-2024-2199 fix are not affected by the incomplete fix.
> 
> Now I guess the next steps are to reach out to upstream to understand
> it more, and secondly to understand if the applied commit still for bookworm
> is just a "noop" or in the worst case can have negative consequences?
> 
> Timo, any insights? (sorry, I'm not too knowledgeable on 389-ds-base
> myself).

Any news on this? I *do* realize the question was written in a not
understandable way; I apologize for that.

The question I have:
- It looks like the current information on CVE-2024-8445 is that it
  affects only the 1.4.3.40 and 1.4.4.20 releases as the incomplete fix
  for CVE-2024-2199 does only affect those upstream versions. It is
  claimed that versions >= 2.0 which contain the CVE-2024-2199 fix are
  not affected by the incomplete fix.

1. Can you reach out to upstream to understand it more?

2. As you applied the fix still to bookworm, is it just a noop or
might it have negative consequences and should it be dropped (in case
upstream can confirm only the backports to 1.4.3.40 and 1.4.4.20
versions cause the problem)?

Regards,
Salvatore