Bug#1031525: c-ares: CVE-2022-4904

2023-02-18 Thread Markus Koschany
Hi Gregor,

I'm a member of the LTS team. I intend to prepare a DLA release for this issue
so you don't have to. If you could prepare a point update for Bullseye though,
that would be appreciated. 

Cheers,

Markus



Bug#1031525: c-ares: CVE-2022-4904

2023-02-18 Thread Salvatore Bonaccorso
Hi Gregor,

On Sat, Feb 18, 2023 at 12:56:39AM +0100, Gregor Jasny wrote:
> Hi Salvatore,
> 
> On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for c-ares.
> > 
> > CVE-2022-4904[0]:
> > | buffer overflow in config_sortlist() due to missing string length check
> 
> I uploaded a fixed package for sid and prepared an update for bullseye and
> buster:

Perfect, thanks for the upload to unstable. Can you monitor the
situation and make sure the fix lands in upcoming bookworm? We are now
in soft freeze (cf.
https://lists.debian.org/debian-devel-announce/2023/02/msg3.html).

> https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
> https://salsa.debian.org/debian/c-ares/-/commits/buster/
> 
> Are you a member of the Debian Security team and could give me the green
> light to upload those two packages into the "security upload queue".

Thanks for preparing them. Yes I am. We have assessed the issue to be
no-dsa (see the security-tracker CVE page), but a fix would be very
welcome in bullseye as well via a point release; can I route you
through that path?

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions


That said, I cannot say about buster, which is now in LTS team hands.
I do not see a no-dsa tag, but it is also not listed in the dla-needed
file (triaging in LTS context has probably not yet happened there).
But I suggest proposing the LTS update accordingly to the LTS team.
You can there either do it all alone (including the DLA release), or ask
for help in the "paper work" part, and ask an LTS team member to
release the advisory, you doing the upload.

https://lts-team.pages.debian.net/wiki/Development.html

contains information, but as said, you can simply as well just propose
the update, debdiff and prepare the package update only; there is no
requirement that you also do the organizational and DLA advisory
releasing part involving the various steps.

Thanks already!

Regards,
Salvatore



Bug#1031525: c-ares: CVE-2022-4904

2023-02-17 Thread Gregor Jasny

Hi Salvatore,

On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> The following vulnerability was published for c-ares.
> 
> CVE-2022-4904[0]:
> | buffer overflow in config_sortlist() due to missing string length check

I uploaded a fixed package for sid and prepared an update for bullseye
and buster:


https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
https://salsa.debian.org/debian/c-ares/-/commits/buster/

Are you a member of the Debian Security team and could give me the green
light to upload those two packages into the "security upload queue"?


Thanks,
Gregor



Bug#1031525: c-ares: CVE-2022-4904

2023-02-17 Thread Salvatore Bonaccorso
Source: c-ares
Version: 1.18.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/c-ares/c-ares/pull/497
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: fixed -1 1.19.0-1

Hi,

The following vulnerability was published for c-ares.

CVE-2022-4904[0]:
| buffer overflow in config_sortlist() due to missing string length check

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-4904
https://www.cve.org/CVERecord?id=CVE-2022-4904
[1] https://github.com/c-ares/c-ares/pull/497
[2] https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d

Regards,
Salvatore