Hi László,

On Sun, Mar 26, 2023 at 04:13:01PM +0200, László Böszörményi wrote:
> Hi,
>
> On Fri, Mar 17, 2023 at 7:54 PM László Böszörményi (GCS) <g...@debian.org> wrote:
> > On Thu, Mar 16, 2023 at 11:15 PM Moritz Mühlenhoff <j...@inutil.org> wrote:
> > > On Fri, May 21, 2021 at 09:46:31PM +0200, Moritz Muehlenhoff wrote:
> > > > CVE-2019-11939:
> > > > https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
> > > is this fixed in Bookworm?
> > I let the Security Team decide how this should be treated. I will try
> > to describe it in full and short.
> Friendly ping, how the Security Team sees this issue. I've provided
> insights [1] and tend to think it's safe for Bullseye and later.
Strictly speaking, if the code base diverged, CVE-2019-11939 would be for facebook's fbthrift only. If Apache thrift has a similar issue, which is my understanding of THRIFT-5322, then it would need its own CVE, which does not seem to exist (in some cases a CVE might be used by multiple projects even if the code base is not the same).

I'm leaning to mark CVE-2019-11939 as NFU for facebook fbthrift specifically, and leave alone the Apache Thrift issues for the similar case. Given the issue would be no-dsa for bullseye and fixed in bookworm, I would not do anything particular unless a CVE gets assigned.

Moritz, do you agree?

Regards,
Salvatore