Hi Adrian, On Tue, Jun 09, 2026 at 07:39:30AM +0200, Salvatore Bonaccorso wrote: > Hi Adrian, > > On Mon, Jun 08, 2026 at 04:48:15PM +0300, Adrian Bunk wrote: > > On Sat, Apr 25, 2026 at 02:15:17PM +0200, Salvatore Bonaccorso wrote: > > > Control: severity -1 grave > > > > > > On Sat, Apr 04, 2026 at 05:21:06PM +0200, Salvatore Bonaccorso wrote: > > > > Source: py-lmdb > > > > Version: 1.4.1-3 > > > > Severity: important > > > > Tags: security upstream > > > > Forwarded: https://github.com/jnwatson/py-lmdb/issues/210 > > > > X-Debbugs-Cc: [email protected], Debian Security Team > > > > <[email protected]> > > > > Control: found -1 1.4.0-1 > > > > Control: found -1 1.0.0-1 > > > > > > > > Hi, > > > > > > > > The following vulnerabilities were published for py-lmdb. > > > [...] > > > > > > While the issues are arguably not really RC, in Debian we have almost > > > back to trixie the 1.4.1 based version. Upstream has addressed the > > > CVEs, so raising the severity to RC to make sure the fix land in forky > > > (for trixie an bookworm the issues still can be considered no-dsa and > > > could be fixed in a point release). > > > > These issues are in the bundled lmdb copy[1] that is not used in the > > Debian package, so that's rather minor/unimportant for py-lmdb. > > > > The PoCs for all 5 CVEs reproduce[2] with lmdb/sid and not anymore after > > applying the patches. > > > > I can prepare an NMU for lmdb, but what CVE numbers to use? > > Can the 5 CVEs get reassigned to lmdb where they belong, or will there > > be new CVEs? > > > > One of the CVEs might have been forwarded to lmdb upstream.[3] > > I will have a look at this in the next few days and come back to you.
I cloned the bug, as the issue is in src:lmdb, ideally this get properly fixed first in upstream. I have applied changes to the security-tracker data as: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64b164927fca4b27eb135003967d0f72f10f0c4e Regards, Salvatore

