Hi Adrian,

On Tue, Jun 09, 2026 at 07:39:30AM +0200, Salvatore Bonaccorso wrote:
> Hi Adrian,
> 
> On Mon, Jun 08, 2026 at 04:48:15PM +0300, Adrian Bunk wrote:
> > On Sat, Apr 25, 2026 at 02:15:17PM +0200, Salvatore Bonaccorso wrote:
> > > Control: severity -1 grave
> > > 
> > > On Sat, Apr 04, 2026 at 05:21:06PM +0200, Salvatore Bonaccorso wrote:
> > > > Source: py-lmdb
> > > > Version: 1.4.1-3
> > > > Severity: important
> > > > Tags: security upstream
> > > > Forwarded: https://github.com/jnwatson/py-lmdb/issues/210
> > > > X-Debbugs-Cc: [email protected], Debian Security Team 
> > > > <[email protected]>
> > > > Control: found -1 1.4.0-1
> > > > Control: found -1 1.0.0-1
> > > > 
> > > > Hi,
> > > > 
> > > > The following vulnerabilities were published for py-lmdb.
> > > [...]
> > > 
> > > While the issues are arguably not really RC, in Debian we have almost
> > > back to trixie the 1.4.1 based version. Upstream has addressed the
> > > CVEs, so raising the severity to RC to make sure the fix land in forky
> > > (for trixie an bookworm the issues still can be considered no-dsa and
> > > could be fixed in a point release).
> > 
> > These issues are in the bundled lmdb copy[1] that is not used in the 
> > Debian package, so that's rather minor/unimportant for py-lmdb.
> > 
> > The PoCs for all 5 CVEs reproduce[2] with lmdb/sid and not anymore after 
> > applying the patches.
> > 
> > I can prepare an NMU for lmdb, but what CVE numbers to use?
> > Can the 5 CVEs get reassigned to lmdb where they belong, or will there 
> > be new CVEs?
> > 
> > One of the CVEs might have been forwarded to lmdb upstream.[3]
> 
> I will have a look at this in the next few days and come back to you.

I cloned the bug, as the issue is in src:lmdb, ideally this get
properly fixed first in upstream.

I have applied changes to the security-tracker data as:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64b164927fca4b27eb135003967d0f72f10f0c4e

Regards,
Salvatore

Reply via email to