Patching for libtasn1-6

Scott Wisniewski swisniewski at marqeta.com
Tue Nov 1 20:26:02 GMT 2022


Snyk, the NVD and Suse have this listed as critical. See here:

https://security.snyk.io/vuln/SNYK-DEBIAN11-LIBTASN16-3061097
https://www.suse.com/security/cve/CVE-2021-46848.html
https://nvd.nist.gov/vuln/detail/CVE-2021-46848

Do you know why this wouldn't warrant a DSA?

Because this is a dependency of apt, anyone using Debian Docker base images
and Snyk is going to see a marked increase in critical vulnerabilities as a
result of this.

I can address this by installing the buster version of the package in my
bullseye-derived Docker images, but Snyk won't recognize that I've patched
the issue because it thinks the official Debian packages have no fix
available.

Is there anything I can do to help get an official patch available for this
sometime before December? This is having an impact on my vulnerability
management metrics.

On Fri, Oct 28, 2022 at 10:21 PM Andreas Metzler <ametzler at bebt.de> wrote:

> On 2022-10-27 Scott Wisniewski via Pkg-gnutls-maint <
> pkg-gnutls-maint at alioth-lists.debian.net> wrote:
> > Is there a plan to make libtasn1-6 14.19 available for bullseye in order to
> > patch the following CVE:
>
> > https://security-tracker.debian.org/tracker/CVE-2021-46848
>
> > If so, do you have a rough ETA?
>
> > If not, do you need help with contributions to get the updated version
> > backported to bullseye?
>
> Hello Scott,
>
> thanks for the heads-up. I will double-check with debian-security whether
> this is going to be fixed by DSA or a stable update, but assume it will
> be the latter.
>
> Stable updates happen about every 3 months with the last one in
> September 2022.
>
> cu Andreas
>
