pound: CVE-2018-21245
Hi,
tl;dr: CVE-2018-21245 is actually CVE-2016-10711.
I've just stumbled over
https://security-tracker.debian.org/tracker/CVE-2018-21245
concerning the package "pound", where the notes say:
> https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html
> check, unclear exact scope and if fixed with the same fixes as
> CVE-2016-10711
The upstream release announcement pointed to with the URL refers to
CVE-2016-10711. The fixes for CVE-2016-10711 used in Debian and
elsewhere are actually a backport of the security-relevant changes
between pound 2.7 and 2.8a (pre-release of 2.8). From 2.8a to 2.8 there
was only a small change.
See https://salsa.debian.org/debian/pound/-/commits/upstream for
upstream change details.
Hope this helps,
Carsten