Package: sudo
Version: 1.9.13p3-1+deb12u3
Severity: important

Dear Maintainer,

I am writing regarding CVE-2023-42465, which remains unresolved for the sudo package in Debian bookworm (1.9.13p3-1+deb12u3), as reflected in the Debian security tracker [1]. The upstream fix [2] (included in sudo 1.9.15p1) hardens the codebase against rowhammer-based fault injection attacks.

The notes on the Debian CVE tracker page for this CVE mention that the code in the commit that fixes this is not part of the Debian binary, as Debian uses PAM, but the source package would still remain vulnerable for any non-PAM builds.

Could you please clarify whether there is a technical blocker preventing a backport of the relevant changes from the upstream fix to the bookworm package?

[1] https://security-tracker.debian.org/tracker/CVE-2023-42465
[2] https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f

Thanks and Regards,
Adithya Balakumar

