
pound: CVE-2018-21245



Hi,

tl;dr: CVE-2018-21245 is actually CVE-2016-10711.

I've just stumbled over
https://security-tracker.debian.org/tracker/CVE-2018-21245
concerning the package "pound", where the notes say:

> https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html
> check, unclear exact scope and if fixed with the same fixes as
> CVE-2016-10711

The upstream release announcement pointed to with the URL refers to
CVE-2016-10711. The fixes for CVE-2016-10711 used in Debian and
elsewhere are actually a backport of the security-relevant changes
between pound 2.7 and 2.8a (pre-release of 2.8). From 2.8a to 2.8 there
was only a small change.

See https://salsa.debian.org/debian/pound/-/commits/upstream for
upstream change details.

Hope this helps,

Carsten

