Re: If some package has a serious bug that is fixed in the unstable and testing releases, how long until it is available in the stable release?
On Sat 30 Jan 2021 at 05:27:30 (+0000), Robbi Nespu wrote:
> On Fri, 29 Jan 2021 10:58:06 -0600, David Wright wrote:
> > https://security-tracker.debian.org/tracker/CVE-2021-3156
> > is a timely example of how Debian deals with such problems.
> > Note in particular the line
> >
> > stretch (security) 1.8.19p1-2.1+deb9u3 fixed
> >
> > showing that stretch's version gets a fix, not an upgrade.
>
> How can you confirm that 1.8.19p1-2.1+deb9u3 fixes CVE-2021-3156?
The changelog, /usr/share/doc/sudo/changelog.Debian.gz, starts with:
sudo (1.8.19p1-2.1+deb9u3) stretch-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Heap-based buffer overflow (CVE-2021-3156)
    - Reset valid_flags to MODE_NONINTERACTIVE for sudoedit
    - Add sudoedit flag checks in plugin that are consistent with front-end
    - Fix potential buffer overflow when unescaping backslashes in user_args
    - Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL
    - Don't assume that argv is allocated as a single flat buffer

 -- Salvatore Bonaccorso <[…]>  Sat, 23 Jan 2021 10:10:33 +0100
> I could not see the source code for that version here[1]; I can only find
> 1.8.19p1-2.1+deb9u2. Are the source repositories for security releases
> separate?
Yes, the sources are for the current distribution, buster. As for
binaries, deb.debian.org/debian will carry the latest point release.
You need to make sure you have security.debian.org/debian-security
in your sources.list so that you receive all the security updates.
The new source is not normally available as such, but as a cumulative
set of patches. So that would be sudo_1.8.19p1-2.1+deb9u3.debian.tar.xz
for stretch.
It can sometimes be confusing for those not used to the Debian Way,
who might judge the security of a package from only the upstream
version number (i.e. before the hyphen).
> 1. https://sources.debian.org/src/sudo/
Cheers,
David.