libseccomp2 CVE fixed only for buster-backports?

To: debian-backports@lists.debian.org
Subject: libseccomp2 CVE fixed only for buster-backports?
From: Harald Dunkel <harald.dunkel@aixigo.com>
Date: Sat, 11 Jul 2020 18:39:37 +0200
Message-id: <[🔎] 1bdeeee8-c0b6-0649-1122-e3e2b6917b24@aixigo.com>

Hi folks,

AFAICS CVE-2019-9893 (#924646) was fixed in libseccomp2 2.4.1-1 for
Unstable, but for Buster there is only a backport. For Stretch there
is no fix at all. According to #924646 the CVE affects systemd.

I was told before on this list that backports is not intended to fix
bugs (which implies security fixes), so I wonder WTH?


Regards
Harri

Reply to:

Follow-Ups:
- Re: libseccomp2 CVE fixed only for buster-backports?
  - From: formorer@formorer.de

Prev by Date: Request backport of snmpd (net-snmp) version 5.8 to buster
Next by Date: Option to allow packages from backports but without forcing it
Previous by thread: Request backport of snmpd (net-snmp) version 5.8 to buster
Next by thread: Re: libseccomp2 CVE fixed only for buster-backports?
Index(es):
- Date
- Thread