CVE-2023-48795 proftp* & Debian stable
Salvatore Bonaccorso
carnil at debian.org
Tue Jan 9 21:44:20 GMT 2024
Hi,
On Tue, Jan 09, 2024 at 10:38:00PM +0100, Salvatore Bonaccorso wrote:
> Hi Hilmar,
>
> On Tue, Jan 09, 2024 at 10:24:15PM +0100, Preuße, Hilmar wrote:
> > On 02.01.2024 09:54, Salvatore Bonaccorso wrote:
> > > On Mon, Jan 01, 2024 at 10:24:10PM +0100, Hilmar Preuße wrote:
> >
> > Hi Salvatore,
> >
> > > > I've added the patch for CVE-2023-51713 to bookworm branch, this
> > > > would be part of a potential 12u3 upload.
> > > >
> > > > https://security-tracker.debian.org/tracker/CVE-2023-51713
> > >
> > > Sounds good, thank you!
> > >
> > Currently the proftp package tracker reports both issues as "low security"
> > [1]:
> >
> > - issue left for the package maintainer to handle: CVE-2023-51713
> > - issue that should be fixed with the next stable update: CVE-2023-48795
> >
> > So I'd upload the fix to stable-proposed updates to make sure we have it in
> > the next point release. Does that sound OK?
>
> Yes that would be great if you can fix both CVEs along! The next point
> releases are not yet settled, but are likely to be around 10th, 17th
> of february.
JFYI, I think we just saw a minor bug in tracker.d.o, when a CVE
covers mutlipe sources and some are already pending an update in the
point release. Because in fact in your case you should have seen "2
low-priority security issues in bookworm". But given there is already
a pending update for CVE-2023-48795/filezilla it "missclassifies"
yours CVE-2023-48795/proftpd-dfsg as "1 issue that should be fixed
with the next stable update:". If my assertion here is correct then
this should result in a bugreport for tracker.d.o i guess. Need to
check if I'm correct though.
Regards,
Salvatore
More information about the Pkg-proftpd-maintainers
mailing list