
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable



Hi Salvatore,

On Thu, 27 Jan 2022 15:52:15 +0100
Salvatore Bonaccorso <carnil@debian.org> wrote:
> Yes, I meant the upload of 0.105-31.1~deb12u1 was a temporary solution
> as packages in unstable were stopped from migrating.
> 
> policykit-1 in unstable fixes the issue as well, but got built with
> the broken binutils. It got binNMU'ed in the meantime as well, after
> #1004272 was fixed.

 Now I get it clearly, thanks :)


> Yes this is correct. testing contains the fix for CVE-2021-4034 with
> 0.105-31.1~deb12u1 but it will soonish be superseded with the proper
> 0.105-31.1 (at which point the security-tracker will show it
> correctly; we might add a temporary override if it confuses too many
> people).

 Thank you.


> policykit-1 is not the only one affected by the binutils issue, some
> packages got built with the broken version. TTBOMK Adrian Bunk
> identified the broken ones and had binNMUs scheduled for them
> accordingly with the fixed binutils version.

 I didn't notice this binutils issue. I hope this does not become much
 of a problem and that we will be able to implement some tests that can catch it.


 Thank you for your replies, and for your security team work.
 It's very hard work: tons of sensitive issues that need to be dealt with
 in a timely manner, and it never ends. Debian's reputation relies on such people.


-- 
Hideki Yamane <henrich@iijmio-mail.jp / debian.org>

