Re: vulnerable libgit2 in unstable
Hi,
On Fri, Feb 23, 2024 at 02:51:34AM +0100, Christoph Anton Mitterer wrote:
> Hey there.
>
> I've just noted that:
>
> https://security-tracker.debian.org/tracker/source-package/libgit2
>
> lists CVE-2024-24577 as fixed for unstable (and CVE-2024-24575 is only
> listed in the resolved list).
>
> However, there still *is* a:
> $ apt-cache policy libgit2-1.5
> libgit2-1.5:
> Installed: 1.5.1+ds-1
> Candidate: 1.5.1+ds-1
> Version table:
> *** 1.5.1+ds-1 500
> 500 http://deb.debian.org/debian unstable/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> in unstable, in addition to:
> $ apt-cache policy libgit2-1.7
> libgit2-1.7:
> Installed: 1.7.2+ds-1
> Candidate: 1.7.2+ds-1
> Version table:
> *** 1.7.2+ds-1 500
> 500 http://deb.debian.org/debian unstable/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> And the version 1.5.1+ds-1 seems unfixed as far as I can tell from the
> changelog.
This is because libgit2-1.5 cannot be removed from unstable because of
ripasso-cursive (rust-ripasso-cursive needs to be rebuilt so as to pick up
the newly built libgit2 binary package):
| $ dak rm --suite=unstable -n -R -b libgit2-1.5
| Will remove the following packages from unstable:
|
| libgit2-1.5 | 1.5.1+ds-1 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
|
| Maintainer: Utkarsh Gupta <utkarsh@debian.org>
|
| ------------------- Reason -------------------
|
| ----------------------------------------------
|
| Checking reverse dependencies...
| # Broken Depends:
| rust-ripasso-cursive: ripasso-cursive
|
| Dependency problem found.
Unfortunately that cannot be resolved (which would be a rebuild against
the new libgit2 so that the archive software can decruft the old
version), since #1056253 exists and rust-ripasso-cursive FTBFS.
The issue is fixed in the source package, and that is what is of
interest for the security-tracker.
Regards,
Salvatore
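A local check for the situation discussed above, added here as an example that is not part of this thread: it parses dpkg-query output and reports installed binary packages still built from a source version older than the one the tracker marks as fixed, comparing versions with dpkg's own algorithm. It assumes the dpkg-query invocation shown in the comment, a constructed sample of its output, and "1.7.2+ds-1" as the fixed source version (take the real value from the security tracker).

```python
# Added example (not from the thread): flag installed binaries still built from
# a source version older than the one the tracker lists as fixed. Input is the
# output of: dpkg-query -W -f='${Package}\t${Version}\t${source:Package}\t${source:Version}\n'
import re

def _order(c):
    # dpkg character order: '~' before everything (even end), letters before symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else 0 if not c or c.isdigit() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate lexical non-digit runs and numeric digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def dpkg_compare(v1, v2):
    # Debian version = [epoch:]upstream[-revision]; returns <0, 0 or >0 like dpkg.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed sample of that dpkg-query output; not taken from a real system.
SAMPLE = (
    "libgit2-1.5\t1.5.1+ds-1\tlibgit2\t1.5.1+ds-1\n"
    "libgit2-1.7\t1.7.2+ds-1\tlibgit2\t1.7.2+ds-1\n"
)

def stale_binaries(dpkg_output, source, fixed_version):
    # Installed binaries whose source:Version is below the (assumed) fixed source version.
    stale = []
    for line in dpkg_output.splitlines():
        pkg, _binver, src, srcver = line.split("\t")
        if src == source and dpkg_compare(srcver, fixed_version) < 0:
            stale.append((pkg, srcver))
    return stale
```

Running `stale_binaries(SAMPLE, "libgit2", "1.7.2+ds-1")` on the sample reports the libgit2-1.5 binary, which is exactly the leftover package the security tracker's per-source view does not show.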