Bug#1121776: bookworm-pu: package rear/2.7+dfsg-1+deb12u1

To: Karsten Schöke <karsten.schoeke@geobasis-bb.de>, 1121776@bugs.debian.org
Subject: Bug#1121776: bookworm-pu: package rear/2.7+dfsg-1+deb12u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 06 Dec 2025 16:00:27 +0000
Message-id: <[🔎] 251c55d5553d9f0e9e8ddce938776086ea19cb43.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1121776@bugs.debian.org
In-reply-to: <[🔎] 176468193851.41630.3285168435821278110.reportbug@f-build-deb13-e02.lgb.local>
References: <[🔎] 176468193851.41630.3285168435821278110.reportbug@f-build-deb13-e02.lgb.local> <[🔎] 176468193851.41630.3285168435821278110.reportbug@f-build-deb13-e02.lgb.local>

Control: tags -1 + confirmed

On Tue, 2025-12-02 at 14:25 +0100, Karsten Schöke wrote:
> Fix CVE-2024-23301 for bookworm.
> Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable 
> initrd when using GRUB_RESCUE=y. 
> This allows local attackers to gain access to system 
> secrets otherwise only readable by root.

Please go ahead.

Regards,

Adam

Reply to:

References:
- Bug#1121776: bookworm-pu: package rear/2.7+dfsg-1+deb12u1
  - From: Karsten Schöke <karsten.schoeke@geobasis-bb.de>

Prev by Date: Processed: Re: Bug#1121737: bookworm-pu: package unbound/1.17.1-2+deb12u4
Next by Date: Processed: Re: Bug#1121776: bookworm-pu: package rear/2.7+dfsg-1+deb12u1
Previous by thread: Processed: bookworm-pu: package rear/2.7+dfsg-1+deb12u1
Next by thread: Processed: Re: Bug#1121776: bookworm-pu: package rear/2.7+dfsg-1+deb12u1
Index(es):
- Date
- Thread