[pkg-bacula-devel] Accepted bacula 7.4.4+dfsg-6+deb9u2 (source amd64 all) into oldstable
Carsten Leonhardt
leo at debian.org
Sun Aug 30 12:12:46 BST 2020
Hi,
>> On 29.08.20 18:30, Debian FTP Masters wrote:
>>
>>> bacula (7.4.4+dfsg-6+deb9u2) stretch-security; urgency=medium
>>> .
>>> * Non-maintainer upload by the LTS Team.
>>> * CVE-2020-11061
>>> oversized digest strings allow a malicious client to cause
>>> a heap overflow in the director's memory
just to save time for others who might look into it:
The CVE above is filed against Bareos. Debian bug #968957 was filed
against Bareos and talks about two CVEs, the other being
CVE-2020-4042. The second one does not affect bacula, the problem there
was in a "CramMd5Handshake", fixed here:
https://github.com/bareos/bareos/commit/27ed33ede3b2055ed8cf37df2beb759706ede87e
- Carsten