Re: CVE-2023-41105 not fixed in bookworm

To: Richard van den Berg <richard@vdberg.org>
Cc: team@security.debian.org, debian-security <debian-security@lists.debian.org>
Subject: Re: CVE-2023-41105 not fixed in bookworm
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 10 Mar 2024 14:58:50 +0100
Message-id: <[🔎] Ze28mmI_pPV7LnAw@eldamar.lan>
Mail-followup-to: Richard van den Berg <richard@vdberg.org>, team@security.debian.org, debian-security <debian-security@lists.debian.org>
In-reply-to: <[🔎] 55b27ee3-625f-470a-a142-2ea394c0edbb@vdberg.org>
References: <[🔎] 55b27ee3-625f-470a-a142-2ea394c0edbb@vdberg.org>

Hi,

On Fri, Mar 01, 2024 at 09:11:34AM +0100, Richard van den Berg wrote:
> Dear security team,
> 
> May I ask why CVE-2023-41105 was marked as "<no-dsa> (Minor issue)"[1] ?
> 
> As the CVE description says there are plausible cases where this can lead to
> security issues.
> 
> There is a backport available for python 3.11 and it seems most other
> distros have patched this CVE.

The current open issues for python3.11 in bookworm do not warrant a
DSA on it's own, but that does not mean that they cannot be fixed
(though someone needs to step up and do the work).

The current three open CVEs CVE-2023-24329, CVE-2023-40217 and
CVE-2023-41105 could be batched together and fixed in a point release
(there is one upcoming on 2024-04-06, whith the window for uploads
closing the preceeding weekend).

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: CVE-2023-41105 not fixed in bookworm
  - From: StealthMode Hu <stealthmode1975@gmail.com>

References:
- CVE-2023-41105 not fixed in bookworm
  - From: Richard van den Berg <richard@vdberg.org>

Prev by Date: CVE-2023-41105 not fixed in bookworm
Next by Date: Re: CVE-2023-41105 not fixed in bookworm
Previous by thread: CVE-2023-41105 not fixed in bookworm
Next by thread: Re: CVE-2023-41105 not fixed in bookworm
Index(es):
- Date
- Thread