Hi,

On Fri, Feb 23, 2024 at 02:51:34AM +0100, Christoph Anton Mitterer wrote:
> Hey there.
>
> I've just noted that:
>
> https://security-tracker.debian.org/tracker/source-package/libgit2
>
> lists CVE-2024-24577 as fixed for unstable (and CVE-2024-24575 is only
> listed in the resolved list).
>
> However, there still *is* a:
> $ apt-cache policy libgit2-1.5
> libgit2-1.5:
>   Installed: 1.5.1+ds-1
>   Candidate: 1.5.1+ds-1
>   Version table:
>  *** 1.5.1+ds-1 500
>         500 http://deb.debian.org/debian unstable/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> in unstable, in addition to:
> $ apt-cache policy libgit2-1.7
> libgit2-1.7:
>   Installed: 1.7.2+ds-1
>   Candidate: 1.7.2+ds-1
>   Version table:
>  *** 1.7.2+ds-1 500
>         500 http://deb.debian.org/debian unstable/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> And the version 1.5.1+ds-1 seems unfixed as far as I can tell from the
> changelog.
This is because libgit2-1.5 cannot be removed from unstable since
ripasso-cursive (rust-ripasso-cursive needs to be rebuilt, so as to pick
up the new libgit2 built binary package):

| $ dak rm --suite=unstable -n -R -b libgit2-1.5
| Will remove the following packages from unstable:
|
| libgit2-1.5 | 1.5.1+ds-1 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, riscv64, s390x
|
| Maintainer: Utkarsh Gupta <utka...@debian.org>
|
| ------------------- Reason -------------------
|
| ----------------------------------------------
|
| Checking reverse dependencies...
| # Broken Depends:
| rust-ripasso-cursive: ripasso-cursive
|
| Dependency problem found.

Unfortunately that cannot be resolved (which would be a rebuild against
the new libgit2 so that the archive software can decruft the old
version), since #1056253 exists, and rust-ripasso-cursive FTBFS.

The issue is fixed in the source package, and that is what is of
interest for the security-tracker.

Regards,
Salvatore