
Re: CVE-2021-4034 in testing seems to be fixed but showed as vulnerable



Hi Salvatore,

On Thu, 27 Jan 2022 14:42:21 +0100
Salvatore Bonaccorso <carnil@debian.org> wrote:
> >  policykit-1 in testing is noted as vulnerable but its version
> >  0.105-31.1~deb12u1 fixed CVE-2021-4034.
> > 
> >  Will the data in security-tracker be updated automatically?
> 
> I'm aware of that, but I have not added a fixed version explicitly for
> testing, as this was not meant to be done this way. 0.105-31.1~deb12u1
> was only uploaded to bookworm directly as the unstable->testing
> migration had to be stopped due to #1004272 due to the urgency of
> CVE-2021-4034.

 So, you mean that 0.105-31.1~deb12u1 is a temporary solution and the fix
 should be delivered in the usual, proper way, right?

 And some people say "testing is vulnerable as security-tracker says"
 - but I want to confirm that it's not.


 You've pointed to #1004272, "binutils: missing RELRO header". Does it
 affect policykit-1? (Or maybe it affects more widely?)
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004272


-- 
Hideki Yamane <henrich@iijmio-mail.jp>

