Hi Andrej, Timo,

On Sun, Jan 19, 2025 at 02:14:20PM +0100, Salvatore Bonaccorso wrote:
> Hi Andrej, hi Timo,
>
> On Sun, Jan 19, 2025 at 01:25:02PM +0100, Andrej Shadura wrote:
> > Hello,
> >
> > On Sat, 18 Jan 2025, at 18:13, Salvatore Bonaccorso wrote:
> > >> The following were cherry-picks with no other changes from the
> > >> upstream's Git repository, branch 2.4.6:
> > >>
> > >> - Security fix for CVE-2024-3657
> > >> - Security fix for CVE-2024-5953
> > >> - Security fix for CVE-2024-8445
> > >> - Security fix for CVE-2024-2199
> > >
> > > I have a question on the followup for CVE-2024-2199. CVE-2024-8445
> > > exists because of an incomplete fix for CVE-2024-2199. What is the
> > > origin of the applied patch for CVE-2024-8445?
> > >
> > > It has, AFAICS, not yet been addressed in unstable either? Is the
> > > applied fix validated from upstream?
> >
> > This fix comes from the upstream repo, branch 1.4.3:
> > https://github.com/389ds/389-ds-base/commit/1d3fddaac33
> >
> > I'm not sure why it's not on other branches, and the bug's description is
> > (intentionally?) very vague about *which* versions are affected.
>
> Thanks for the reference to the commit!
>
> What I have found so far is that the incomplete fix *might* only
> affect the 1.4.3.40 and 1.4.4.20 releases for the included
> CVE-2024-2199, but it is claimed that versions >= 2.0 which contain the
> CVE-2024-2199 fix are not affected by the incomplete fix.
>
> Now I guess the next steps are to reach out to upstream to understand
> it more, and secondly to understand if the applied commit still for bookworm
> is just a "noop" or in the worst case can have negative consequences?
>
> Timo, any insights? (Sorry, I'm not too knowledgeable on 389-ds-base
> myself.)

Do we know more here?

Regards,
Salvatore