
Re: Vulnerable git in bullseye - what's the process?



On Fri, Jan 27, 2023 at 04:56:31PM +0000, Tixy wrote:
> On Fri, 2023-01-27 at 11:28 +0000, Brad Rogers wrote:
> > The security-tracker CVE page you cited has links to all the
> > information you requested.
> 
> Does it? It links to a bug which says it's been fixed in sid. And the
> PTS shows it was fixed yesterday in old-stable and sid. But no sign I
> can see that anything is being done for stable (Bullseye) which is what
> Sijmen asked about. (I wouldn't know where to look for stable security
> update activity).

The inner workings of the security team are not open to the public.
The CVE tracker gives all of the information that anyone outside of
the security team knows.

In the case of <https://security-tracker.debian.org/tracker/CVE-2022-41903>
what it tells us is that the bug has been fixed in buster, but not yet
in bullseye or bookworm.

Nobody is going to have any more details than that, until the security
team releases their fix for stable, or until the sid package migrates
into bookworm via natural processes.

