On 10.10.23 11:53, Bastien Roucariès wrote:
All of that said, it is interesting to me that fairly recently (at the end of August) the ring package in buster was updated to fix 23 CVEs, but this particular CVE was left open. Perhaps it would be worthwhile to find out from Thorsten (who prepared the most recent update) why that decision was made.

Thorsten, could you hint us about this bug on buster?
On the one hand the fix for the other CVEs took quite some time and on the other hand the patch for this CVE didn't look that easy, so I uploaded with the last CVE left open. It is "just" a DoS and a rather old CVE, so I was afraid that my patch would do more damage than good. Moreover I am not an openssl expert, so we are where we are now.
Thorsten