Re: libseccomp2 CVE fixed only for buster-backports?

To: Harald Dunkel <harald.dunkel@aixigo.com>
Cc: debian-backports@lists.debian.org
Subject: Re: libseccomp2 CVE fixed only for buster-backports?
From: formorer@formorer.de
Date: Wed, 15 Jul 2020 08:44:21 +0200
Message-id: <[🔎] 20200715064421.GB511020@lisa>
In-reply-to: <[🔎] 1bdeeee8-c0b6-0649-1122-e3e2b6917b24@aixigo.com>
References: <[🔎] 1bdeeee8-c0b6-0649-1122-e3e2b6917b24@aixigo.com>

On Sat, Jul 11, 2020 at 06:39:37PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> AFAICS CVE-2019-9893 (#924646) was fixed in libseccomp2 2.4.1-1 for
> Unstable, but for Buster there is only a backport. For Stretch there
> is no fix at all. According to #924646 the CVE affects systemd.
> 
> I was told before on this list that backports is not intended to fix
> bugs (which implies security fixes), so I wonder WTH?
someone told you nonsense. 

https://backports.debian.org/FAQ/

"When security related bugs are fixed in Debian unstable the backporter
is permitted to upload the package from directly there instead of
having to wait until the fix hits testing."


Alex

Reply to:

Follow-Ups:
- Re: libseccomp2 CVE fixed only for buster-backports?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>

References:
- libseccomp2 CVE fixed only for buster-backports?
  - From: Harald Dunkel <harald.dunkel@aixigo.com>

Prev by Date: Re: Option to allow packages from backports but without forcing it
Next by Date: Re: libseccomp2 CVE fixed only for buster-backports?
Previous by thread: libseccomp2 CVE fixed only for buster-backports?
Next by thread: Re: libseccomp2 CVE fixed only for buster-backports?
Index(es):
- Date
- Thread