Bug#1021928: libksba8: CVE-2022-3515 - remote code execution in libksba before 1.6.2

Salvatore Bonaccorso carnil at debian.org
Mon Oct 17 21:16:15 BST 2022


Hi Daniel,

On Mon, Oct 17, 2022 at 02:48:20PM -0400, Daniel Kahn Gillmor wrote:
> FWIW, the patch highlighted by Thomas appears to apply cleanly to 1.5.0
> (the version in debian stable).
> 
> We should apply this on top of 1.5.0-3 for bullseye, and 1.3.5-2 for
> buster.
> 
> The attached debdiffs do that, and should be able to build properly.
> 
> I've also uploaded them to the debian/bullseye and debian/buster
> branches at https://salsa.debian.org/dkg/libksba (using DEP-14 naming
> conventions), though i don't know how useful extra git branches are to
> Andreas, who has capably maintained libksba for many years -- i don't
> see what his preferred workflow is for handling security updates, maybe
> it's not in git.
> 
> If the security team and Andreas are ok with these updates to bullseye
> and buster, i can do the upload into bullseye-security and
> buster-security.

Thanks for the offer. Andreas did already handle the bullseye-security
update (DSA was just released) and Markus will handle the LTS upload.

Regards,
Salvatore
