Re: pound: CVE-2018-21245
Hi Carsten,
On Wed, Jun 17, 2020 at 11:39:08PM +0200, Carsten Leonhardt wrote:
> Hi,
>
> tl;dr: CVE-2018-21245 is actually CVE-2016-10711.
>
> I've just stumbled over
> https://security-tracker.debian.org/tracker/CVE-2018-21245
> concerning the package "pound", where the notes say:
>
> > https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html
> > check, unclear exact scope and if fixed with the same fixes as
> > CVE-2016-10711
>
> The upstream release announcement pointed to with the URL refers to
> CVE-2016-10711. The fixes for CVE-2016-10711 used in Debian and
> elsewhere are actually a backport of the security relevant changes
> between pound 2.7 and 2.8a (pre-release of 2.8). From 2.8a to 2.8 there
> was only a small change.
>
> See https://salsa.debian.org/debian/pound/-/commits/upstream for
> upstream change details.
I'm updating the references and will mark it as explicitly fixed with
the same versions then.
But the question remains: there are two CVE assignments here and
CVE-2018-21245 explicitly says "a related issue to CVE-2016-10711" so
the scope of CVE-2018-21245 is not very clear without more details.
But I agree that we can sync up the versions given the explicit
backports as done.
Done with 6970e452ed1e ("Sync up pound fixed version for
CVE-2018-21245") in the security tracker repository.
> Hope this helps,
Yes it helps, thanks for reaching out!
Regards,
Salvatore