On Tue 2021-04-20 at 20:32 +0200, Moritz Muehlenhoff wrote:
> Package: libgsoap-2.8.104
> Version: 2.8.104-2
> Severity: important
> File: gsoap
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> This was assigned CVE-2021-21783:
> https://talosintelligence.com/vulnerability_reports/TALOS-2021-1245
>
> Cheers,
> Moritz
Hi Moritz.

I cannot fully comprehend this bug report. If I read the CVE-2021-21783 report, it basically says:

  We have noticed that the vulnerability we previously reported (CVE-2020-13576) was not fixed. We have therefore resubmitted it. We have investigated the following versions: Genivia gSOAP 2.8.109, Genivia gSOAP 2.8.110

However, the fix for CVE-2020-13576 was in gSOAP 2.8.111, so that this was still present in the two tested versions is expected.

The page for the previous CVE-2020-13576 does claim that it was fixed in an upstream release on 2020-11-20, which corresponds to version 2.8.109. I do not think this statement is correct. From my understanding of comparing the reported fault (including code snippets) with the changes to the source repository, I understand it to have been fixed in version 2.8.111, and not in 2.8.109 as the report claims. Since the reported fixed version is incorrect, I can see why it was reported again.

I think the reason for the wrong fixed version in the previous report is that the other 4 CVEs reported against gsoap at the same time (CVE-2020-13574, CVE-2020-13575, CVE-2020-13577 and CVE-2020-13578) were indeed fixed in version 2.8.109. So someone might have just put the same fixed date on all 5 reports.

The fix for CVE-2020-13576 from version 2.8.111 is already applied as a patch in the Debian package version gsoap/2.8.104-3. And if this new CVE is indeed a duplicate, there is nothing more to fix.

Mattias