Re: CVE-2020-8859 for elog, should we support it?

To: Utkarsh Gupta <guptautkarsh2102@gmail.com>
Cc: Debian Security Team <team@security.debian.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: CVE-2020-8859 for elog, should we support it?
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 18 May 2022 07:48:37 +0200
Message-id: <YoSItcKgB/SXiaiB@eldamar.lan>
Mail-followup-to: Utkarsh Gupta <guptautkarsh2102@gmail.com>, Debian Security Team <team@security.debian.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
In-reply-to: <[🔎] CAPP0f94CWpJ0Naek0BP2B6OXbP4i=zAUPiWdFpmnaBqPYhvxqg@mail.gmail.com>
References: <[🔎] CABY6=0=T1_jMwZXAmBDG69RyXFduUu6jTBe4z6iCB9+XJThjAw@mail.gmail.com> <[🔎] CAPP0f94dddB7Q_CRCMAJYCq3X5i7yFFe=PwtzA79=Nf=-vJd0w@mail.gmail.com> <[🔎] CALF6qJ=JXjm3Hn3zALJE6YuLESNBBCp0K6deSRc5E0DF+mhH_g@mail.gmail.com> <[🔎] CABY6=0ngBBYpy-95v7av-ojAwpm4w0c_F3ahsSL=sgmOD_Z4Vw@mail.gmail.com> <[🔎] CAPP0f94CWpJ0Naek0BP2B6OXbP4i=zAUPiWdFpmnaBqPYhvxqg@mail.gmail.com>

Hi Utkarsh

On Wed, May 18, 2022 at 06:05:10AM +0530, Utkarsh Gupta wrote:
> Hi Security team,
> 
> On Wed, May 18, 2022 at 2:05 AM Ola Lundqvist <ola@inguza.com> wrote:
> > If you think we should support the package I'll add it to
> > dla-needed. From the description it looks like one can trigger
> > a denial of service without being authenticated. That sounds
> > pretty severe to me.
> 
> I'll just go ahead and reserve an update for stretch then. Do you
> think this is something that'd warrant a DSA, too? If not, I'll just
> open -pu bugs and get 'em dome.

It won't warrant a DSA, but note that elog will be removed on the next
buster and bullseye point releases:

https://bugs.debian.org/1010196
https://bugs.debian.org/1010197

Regards,
Salvatore

Reply to:

References:
- CVE-2020-8859 for elog, should we support it?
  - From: Ola Lundqvist <ola@inguza.com>
- Re: CVE-2020-8859 for elog, should we support it?
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>
- Re: CVE-2020-8859 for elog, should we support it?
  - From: Anton Gladky <gladky.anton@gmail.com>
- Re: CVE-2020-8859 for elog, should we support it?
  - From: Ola Lundqvist <ola@inguza.com>
- Re: CVE-2020-8859 for elog, should we support it?
  - From: Utkarsh Gupta <guptautkarsh2102@gmail.com>

Prev by Date: Re: CVE-2020-8859 for elog, should we support it?
Next by Date: gpac end-of-life in stretch (and recommendation for buster/bullseye)
Previous by thread: Re: CVE-2020-8859 for elog, should we support it?
Next by thread: fis-gtm and support?
Index(es):
- Date
- Thread