[Pkg-netatalk-devel] CVE fixes for netatalk in oldstable

Daniel Markstedt daniel at mindani.net
Fri Sep 1 23:09:37 BST 2023


------- Original Message -------
On Friday, September 1st, 2023 at 12:30 PM, Jonas Smedegaard <jonas at jones.dk> wrote:


> 
> 
> Quoting Daniel Markstedt (2023-09-01 07:44:24)
> 
> > ------- Original Message -------
> > On Thursday, August 31st, 2023 at 12:20 AM, Jonas Smedegaard <jonas at jones.dk> wrote:
> > 
> > > > Good idea to increase the severity of the ticket. Done!
> > > 
> > > Good. But oddly, Adam lowered severity again 6 hours later, without
> > > explanation.
> > > 
> > > I suggest that you post to the bugreport, X-Debbugs-Cc him, to (kindly!)
> > > ask for clarification. But read below about X-Debbugs-Cc...
> > 
> > Frankly, I'm leaning towards not responding right now.
> > He told me to be patient. I can be patient. :)
> > Maybe in a week or two I'll ask for an update.
> > 
> > The lack of a sense of urgency for fixing known security issues is a bit surprising though.
> > I wonder if they will respond differently to 0-day fixes?
> 
> 
> Well, when I file a bugreport using reportbug and I flag it as
> security-related, then it gets Cc'ed the security team - I guess that
> would be the case also for your reporting bugs to the pseudo-package
> release.debian.org - and it is my understanding that the release time
> governs stability and the security governs security of Debian.
> 
> In other words: Perhaps the release team is calm because netatalk
> currently contains no issues flagged as release-critically severe
> (except for bug#1025011 which affects neither stable nor oldstable).
> 
> 
> - Jonas
> 

That's a good point. So in order to have an official record of these 9 CVE advisories actively affecting Bullseye, I created this bug ticket now:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051066

I used the critical severity since several of these vulnerabilities do grant theoretical root access, e.g. https://security-tracker.debian.org/tracker/CVE-2022-43634

Anything else you think I should add to this ticket, or advice on action I should take next?

BTW: This time I used reportbug from within a Bullseye chroot to give the report the most authentic feel to it. :)

Cheers!
Daniel
