Hi Salvatore,

On Thu, 27 Jan 2022 14:42:21 +0100
Salvatore Bonaccorso <[email protected]> wrote:
> > policykit-1 in testing is noted as vulnerable but its version
> > 0.105-31.1~deb12u1 fixed CVE-2021-4034.
> >
> > Will the data in security-tracker be updated automatically?
>
> I'm aware of that, but I have not added a fixed version explicitly for
> testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> was only uploaded to bookworm directly as the unstable->testing
> migration had to be stopped due to #1004272 due to the urgency of
> CVE-2021-4034.

So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
should be delivered in the usual proper way, right?

And some people say "testing is vulnerable as security-tracker says" -
but I want to confirm that it's not.

You've pointed to #1004272 as "binutils: missing RELRO header", does it
affect policykit-1? (or maybe it affects things more widely?)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272

--
Hideki Yamane <[email protected]>
