Bug#1068798: bookworm-pu: package fdroidserver/2.2.1-1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fdroidserver@packages.debian.org, Hans-Christoph Steiner <hans@eds.org>
Control: affects -1 + src:fdroidserver
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
There was a security problem reported against fdroidserver:
https://www.openwall.com/lists/oss-security/2024/04/08/8
[ Impact ]
Stable users of fdroidserver running their own repo could be tricked
into providing wrongly signed files.
[ Tests ]
Manual test on F-Droid internal datasets as well as automated tests
inside fdroidserver.
[ Risks ]
Low; the relevant code is only used to extract and verify signatures.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
[ Changes ]
The patch reorders the code and also changes the code of the imported
androguard library.
[ Other info ]
Upstream is still working on a long-term fix that will be uploaded to
unstable later. I agreed with upstream to use the patch provided in
the mail on oss-security already now.