Hi Hilko

On Wed, May 05, 2021 at 12:06:09AM +0200, Hilko Bengen wrote:
> * Salvatore Bonaccorso:
> 
> > CVE-2021-3504[0]:
> > | Buffer overflow when provided invalid node key length
> >
> > Making the severity RC as I think the fix needs to go into bullseye.
> 
> Right.
> 
> I contacted team@security.d.o about the issue, including a proposed
> hivex/1.3.18-1+deb10u1 for stable-security a few days ago, but I'm not
> aware of getting an answer.

Yes, we have not yet replied to it, saw the mail but there were more
pressing issues to work on, sorry about that. A bit orthogonal to the
chosen severity for this bug to make it land in bullseye, my gut
feeling here is that we might just let the fix go in via an upcoming
point release, instead of fixing it via a DSA.

> Preparing a request for pre-approval/unblocking of 1.3.20-1 for the
> release team now.

Thank you, sounds like a good plan, and saw the pre-approval unblock
request happened already, so thank you.

Regards,
Salvatore
