Re: bson CVEs in (E)LTS
Hi,
On Mon, Mar 31, 2025 at 07:39:55PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 31/03/2025 16:56, Adrian Bunk wrote:
> > On Mon, Mar 31, 2025 at 04:42:59PM +0200, Sylvain Beucler wrote:
> > > ...
> > > Do we want to update data/embedded-code-copies to reference libbson-xs-perl?
> > >
> > > e.g.
> > > diff --git a/data/embedded-code-copies b/data/embedded-code-copies
> > > index 19611b261b..77696af1af 100644
> > > --- a/data/embedded-code-copies
> > > +++ b/data/embedded-code-copies
> > > @@ -3524,9 +3524,9 @@ bootstrap-markdown.js (not packaged in Debian; no ITP)
> > > libjs-chartkick.js
> > > - python-chartkick <unfixed> (embed; bug #836577)
> > >
> > > -libbson
> > > - - mongo-c-driver <unfixed> (embed)
> > > - NOTE: src:mongo-c-driver builds as well libbson binary package and
> > > superseeds src:libbson
> > > +mongo-c-driver
> > > + - libbson-xs-perl <unfixed> (embed)
> > > + NOTE: src:mongo-c-driver builds as well libbson binary package and
> > > superseeds src:libbson/stretch
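Review bot: dropping the `libbson` entry outright loses the record that src:libbson (removed since stretch) shipped this code, which still matters for ELTS suites where that source package exists; keep it as a second line under the new `mongo-c-driver` header, e.g. `- libbson <removed> (embed)` next to `- libbson-xs-perl <unfixed> (embed)`. The rewritten NOTE line also carries over the "superseeds" misspelling; "supersedes" is the correct form.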
> > > ...
> >
> > For ELTS having libbson there would be useful:
> >
> > mongo-c-driver
> > - libbson <removed> (embed)
> > - libbson-xs-perl <unfixed> (embed)
>
> If the Security Team agrees, let's keep libbson indeed :)
>
> Otherwise, since mongo-c-driver is basically libbson's next (expanded)
> version of the package, and libbson is removed since stretch, I referenced
> it in renamed-packages.elts for tracking:
> https://salsa.debian.org/freexian-team/extended-lts/security-tracker/-/commit/c253f47c1b82fc8f40729aaf3cf5b4a8731115b9
>
> (libbson-xs-perl however doesn't fit renamed-packages* and still needs to be
> handled as embedded copy.)
For now I have added the information that libbson-xs-perl embeds
mongo-c-driver.
Regards,
Salvatore