| Started by | Thorsten Glaser <tg@debian.org> |
|---|---|
| First post | 2023-01-19 00:50 +0100 |
| Last post | 2023-01-19 18:50 +0100 |
| Articles | 3 — 2 participants |
open security issues in the git packages Thorsten Glaser <tg@debian.org> - 2023-01-19 00:50 +0100
Re: open security issues in the git packages Jeremy Stanley <fungi@yuggoth.org> - 2023-01-19 15:50 +0100
Re: open security issues in the git packages Jeremy Stanley <fungi@yuggoth.org> - 2023-01-19 18:50 +0100
| From | Thorsten Glaser <tg@debian.org> |
|---|---|
| Date | 2023-01-19 00:50 +0100 |
| Subject | open security issues in the git packages |
| Message-ID | <FPqlP-1nu6-1@gated-at.bofh.it> |

Hi Jonathan,

are you planning to fix the open security issues in git? In addition to the two new ones from… last week I think, given Ubuntu LTS-security has been carrying the fixes for 8 days now, there’s another four issues in stable that are fixed in testing/sid (newer versions?) and oldstable (LTS team) that need fixing, according to the security tracker.

The versions in Debian and *buntu don’t exactly match, but perhaps appropriate patches for the respective versions are available, or they apply with little fuzz?

In addition the bullseye-backports version is horribly outdated with respect to testing (13 months old). Roger, what are you planning to do about that? Please update or (less ideally) ask for removal; the current state is a disservice to users and violates the bpo rules.

Thanks in advance,
//mirabilos

--
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

| From | Jeremy Stanley <fungi@yuggoth.org> |
|---|---|
| Date | 2023-01-19 15:50 +0100 |
| Message-ID | <FPEoN-1woB-1@gated-at.bofh.it> |
| In reply to | #6181 |

On 2023-01-18 23:34:37 +0000 (UTC), Thorsten Glaser wrote:
[...]
> The versions in Debian and *buntu don’t exactly match, but perhaps
> appropriate patches for the respective versions are available, or
> they apply with little fuzz?

[...]

Just a data point around this, I spent a good chunk of yesterday porting Ubuntu's 22-patch series for CVE-2022-23521 and CVE-2022-41903 from the 1:2.25.1-1ubuntu3.7 package in focal-updates to the 1:2.30.2-1 in bullseye. The only patch my colleagues and I found which needed adjustment was 0012, and for that I was able to apply upstream commit 3c50032 directly instead.

--
Jeremy Stanley

| From | Jeremy Stanley <fungi@yuggoth.org> |
|---|---|
| Date | 2023-01-19 18:50 +0100 |
| Message-ID | <FPHcZ-1y8A-5@gated-at.bofh.it> |
| In reply to | #6182 |

On 2023-01-19 14:04:52 +0000 (+0000), Jeremy Stanley wrote:
[...]
> The only patch my colleagues and I found which needed adjustment
> was 0012, and for that I was able to apply upstream commit 3c50032
> directly instead.

Ubuntu has issued https://ubuntu.com/security/notices/USN-5810-2 now covering the lack of completeness we alerted them to in their patch 0012 for focal and bionic, so definitely don't use their original patch straight.

--
Jeremy Stanley