Hi,

The last two hours I tried to fix CVE-2022-46871 by backporting the timer handling patch by patch until I got something approximately sane.

I believe it is not really the way to go:
- it is quite fragile
- upstream does not correctly create separate commits and creates periodic merges from FreeBSD (huge commits)
- in all cases it breaks the ABI and will need a rebuild of rdeps (public structure changes, function changes)
- it will need other patches in order to fix the last parts, that cancel the timer depending on packet type.
- reading the upstream commits, I see other interesting fixes like not checking the return of sprintf
- the test suite does not test all the cases

For me the safest way will be to backport the bullseye version to buster and rebuild the rdeps if needed.

I would like to have some advice on it.

Bastien