Re: Question about CVE fix back-porting to bullseye and bookworm

To: Jim Hodgins <jim.hodgins@broadcom.com>
Cc: team@security.debian.org, backports-team@debian.org, debian-release@lists.debian.org
Subject: Re: Question about CVE fix back-porting to bullseye and bookworm
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 31 Mar 2025 20:23:35 +0000
Message-id: <[🔎] Z-r5x0pPtGvUddPE@inutil.org>
In-reply-to: <CANm_2fcLdqM5=3bFPLwiXHd6z2YGSKHChqe7x33fNhFdTqBj_A@mail.gmail.com>
References: <CANm_2fcLdqM5=3bFPLwiXHd6z2YGSKHChqe7x33fNhFdTqBj_A@mail.gmail.com>

On Mon, Mar 31, 2025 at 01:13:59PM -0700, Jim Hodgins wrote:
> Hi,
> 
> I am wondering if the following CVE's fixed in trixie/sid will be
> backported to bullseye and bookworm?
> 
> https://security-tracker.debian.org/tracker/CVE-2024-38541
> https://security-tracker.debian.org/tracker/CVE-2024-38564
> https://security-tracker.debian.org/tracker/CVE-2024-50061

CVE-2024-50061 is already fixed in the latest Bookworm point release.

For the other two, if you want to see them fixed, you can work
with the maintainers of the 6.1.x LTS kernel tree to accept a
backport:
https://github.com/torvalds/linux/blob/master/Documentation/process/stable-kernel-rules.rst

The subsequent Debian update will then pick up the fix since we follow
the 6.1.x series.

Cheers,
        Moritz

Reply to:

Prev by Date: Bug#1100970: pre-approval: qemu 10.0 for trixie
Next by Date: Bug#1101746: bookworm-pu: package libdata-entropy-perl/0.007-4+deb12u1
Previous by thread: Processed: tagging 1100336
Next by thread: Bug#1101775: bookworm-pu: package varnish/7.1.1-1.1+deb12u1
Index(es):
- Date
- Thread