[pkg-bacula-devel] Accepted bacula 7.4.4+dfsg-6+deb9u2 (source amd64 all) into oldstable
Carsten Leonhardt
leo at debian.org
Sun Aug 30 10:57:30 BST 2020
Hi Sven,
> On 29.08.20 18:30, Debian FTP Masters wrote:
>
>> bacula (7.4.4+dfsg-6+deb9u2) stretch-security; urgency=medium
>> .
>> * Non-maintainer upload by the LTS Team.
>> * CVE-2020-11061
>> oversized digest strings allow a malicious client to cause
>> a heap overflow in the director's memory
>
> How does one handle this? Do we now import this version into the stretch
> branch to preserve the history if the need arises to do another
> stretch-pu non-security upload after this? Or just to have everything in
> one place?
I'd like to have it in our git tree, so I've imported it. Apparently
buster is also affected, so we should prepare an update for that too:
https://security-tracker.debian.org/tracker/CVE-2020-11061
I'm looking into it.
- Carsten