Re: Bookworm and ZFS (zfs-dkms 2.1.11) data corruption bug

[Xiyue Deng <manphiz@gmail.com>]

Jan Ingvoldstad <frettled@gmail.com> writes:

> Hi,
>
> It seems that Bookworm's zfs-dkms package (from contrib) has the data
> corruption bug that was fixed with OpenZFS 2.1.14 (and 2.2.2) on 2023-11-30.
>
> https://github.com/openzfs/zfs/releases/tag/zfs-2.1.14
>
> However, I see no relevant bug report in the bug tracker - have my
> searching skills failed?

You can check the developer page of zfs-linux[1] on which the "action
needed" section has information about security issues (along with
version info as Gareth posted).  The one you mentioned was being tracked
in [2] and the corresponding Debian bug is [3].  My guess is that as
zfs-linux is not in "main" but "contrib", and the issue is marked
"no-dsa" (see [4]), there may be no urgency to provide a stable update.
But you may send a follow up in the tracking bug and ask for
clarification from the maintainers on whether an (old)stable-update is
desired.

[1] https://tracker.debian.org/pkg/zfs-linux
[2] https://security-tracker.debian.org/tracker/CVE-2023-49298
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056752
[4] https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory

--
Xiyue Deng