[Debconf-devel] [security] debconf: format module eval injection via debconf database configuration

Sebastian EM mendozayt13 at gmail.com
Sat May 9 18:21:58 BST 2026


Hi Salvatore,

Thank you for the clarification.

I have now filed this in the Debian BTS for debconf tracking:

https://bugs.debian.org/1136114

Best regards,
Jeremy


On Sat, 9 May 2026 at 12:11, Salvatore Bonaccorso (<carnil at debian.org>)
wrote:

> Hi Jeremy,
>
> On Thu, May 07, 2026 at 11:28:03PM +0000, Jeremy Erazo wrote:
> > Hello Debian Security Team,
> >
> > I'd like to report an input-validation issue in debconf 1.5.92
> > (the current version in sid as of 2026-05-07) that I have
> > runtime-confirmed in a fresh `debian:sid` container.
> >
> > I am sending privately first per Debian's security policy; if you
> > determine that no embargo is needed, I'm happy to refile the
> > hardening fix as a normal BTS bug.  I am not requesting a CVE
> > directly in this initial report; I will leave CVE handling to the
> > Debian security process.
>
> debconf-devel is not a private list so this is by now anyway already
> public via
>
> https://alioth-lists.debian.net/pipermail/debconf-devel/2026-May/005526.html
> .
>
> Please file a bug directly against the package now so that the
> maintainers can have a closer look and track the bugfix progress as
> needed.
>
> Regards,
> Salvatore
>