Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable
Hi Salvatore,
On Thu, 27 Jan 2022 14:42:21 +0100
Salvatore Bonaccorso <carnil@debian.org> wrote:
> > policykit-1 in testing is noted as vulnerable but its version
> > 0.105-31.1~deb12u1 fixed CVE-2021-4034.
> >
> > Will the data in security-tracker be updated automatically?
>
> I'm aware of that, but I have not added a fixed version explicitly for
> testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> was only uploaded to bookworm directly as the unstable->testing
> migration had to be stopped due to #1004272 due to the urgency of
> CVE-2021-4034.
So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
should be delivered in the usual, proper way, right?
And some people say "testing is vulnerable as security-tracker says"
- but I want to confirm that it's not.
You've pointed to #1004272, "binutils: missing RELRO header"; does it
affect policykit-1? (Or maybe it affects more widely?)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272
--
Hideki Yamane <henrich@iijmio-mail.jp>