On 2020-11-09 14:04:02, Sylvain Beucler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian LTS Advisory DLA-2441-1 debian-lts@lists.debian.org
> https://www.debian.org/lts/security/
> November 09, 2020 https://wiki.debian.org/LTS
> - -------------------------------------------------------------------------
>
> Package : sympa
> Version : 6.2.16~dfsg-3+deb9u4
> CVE ID : CVE-2018-1000671 CVE-2020-26880
> Debian Bug : 908165 972189

What's up with those bug reports? #908165 refers to CVE-2018-1000671 but
#972189 refers to CVE-2020-10936, not CVE-2020-26880.

Also, CVE-2020-26880 is marked as unfixed in the security tracker (and
the upstream bugtracker), but not CVE-2020-10936...

Which one is which? Is the sympa package in Debian LTS still vulnerable
to privilege escalation?

A.
--
The true revolutionary is guided by a great feeling of love.
- Ernesto "Che" Guevara