Re: Vulnerability Question

2023-06-13 Thread Frank Carr
Thanks for the quick response Russ. I realize most of these vulnerabilities
are pretty unimportant, but this fulfils a compliance requirement for me,
which is to reach out and see if a patch is in the works.

Also, thanks for mentioning Debian 12, I did not realize it had been
released. I will get with the engineers here and have them start testing.

On Tue, Jun 13, 2023 at 11:03 AM Russ Allbery wrote:

> Frank Carr writes:
>
> > Hi, I am trying to determine if there are any plans to release a stable
> > patch for Debian 11 that addresses the following CVEs:
>
> > CVE-2022-3534
> > CVE-2022-3606
> > CVE-2022-3715
> > CVE-2021-45941
> > CVE-2022-3534
> > CVE-2022-3606
> > CVE-2022-4899
> > CVE-2023-29491
> > CVE-2023-2953
> > CVE-2022-1304
> > CVE-2022-31782
> > CVE-2021-33560
> > CVE-2019-6129
> > CVE-2019-20838
> > CVE-2013-4235
> > CVE-2020-13529
>
> I spot-checked several of these via the Debian security tracker at:
>
> https://security-tracker.debian.org/tracker/
>
> (You can enter a CVE into the search box at the bottom.)  The ones I
> checked were all low-priority security vulnerabilities that were fixed in
> the bullseye release (Debian 12).
>
> I can't speak to the security team or package maintainers about their
> plans for a stable update for these or other vulnerabilities, but if
> you're concerned about them, the best way to address them right now would
> be to expedite your upgrade to bullseye.
>
> --
> Russ Allbery (r...@debian.org)  
>


Re: Vulnerability Question

2023-06-13 Thread Russ Allbery
Frank Carr writes:

> Hi, I am trying to determine if there are any plans to release a stable
> patch for Debian 11 that addresses the following CVEs:

> CVE-2022-3534
> CVE-2022-3606
> CVE-2022-3715
> CVE-2021-45941
> CVE-2022-3534
> CVE-2022-3606
> CVE-2022-4899
> CVE-2023-29491
> CVE-2023-2953
> CVE-2022-1304
> CVE-2022-31782
> CVE-2021-33560
> CVE-2019-6129
> CVE-2019-20838
> CVE-2013-4235
> CVE-2020-13529

I spot-checked several of these via the Debian security tracker at:

https://security-tracker.debian.org/tracker/

(You can enter a CVE into the search box at the bottom.)  The ones I
checked were all low-priority security vulnerabilities that were fixed in
the bullseye release (Debian 12).

I can't speak to the security team or package maintainers about their
plans for a stable update for these or other vulnerabilities, but if
you're concerned about them, the best way to address them right now would
be to expedite your upgrade to bullseye.

-- 
Russ Allbery (r...@debian.org)
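
The spot check described in this thread can be scripted for a whole compliance list. The following is an added example, not part of either message: it de-duplicates a CVE list and compares per-release status between two release codenames, using a constructed excerpt that is assumed to follow the shape of the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json). Package names, statuses and versions in the sample are made up.

```python
import json

# Constructed excerpt in the assumed shape of the tracker's JSON export
# (package -> CVE -> releases -> status). Package names, statuses and
# versions below are made up for illustration, not real tracker data.
SAMPLE_TRACKER_JSON = """
{
  "example-pkg-a": {
    "CVE-2022-3534": {"releases": {
      "bullseye": {"status": "open", "urgency": "unimportant"},
      "bookworm": {"status": "resolved", "fixed_version": "1.0-1"}}}
  },
  "example-pkg-b": {
    "CVE-2022-1304": {"releases": {
      "bullseye": {"status": "open", "urgency": "low"},
      "bookworm": {"status": "open", "urgency": "low"}}}
  }
}
"""

def dedupe(cves):
    """Normalise and de-duplicate a CVE list, keeping first-seen order."""
    return list(dict.fromkeys(c.strip().upper() for c in cves if c.strip()))

def triage(tracker, cves, current, target):
    """Per CVE, list (package, status in current, status in target)."""
    report = {}
    for cve in dedupe(cves):
        rows = []
        for pkg, entries in tracker.items():
            rel = entries.get(cve, {}).get("releases")
            if rel is None:
                continue  # this package is not affected by the CVE
            rows.append((pkg,
                         rel.get(current, {}).get("status", "not-present"),
                         rel.get(target, {}).get("status", "not-present")))
        # A CVE absent from the data needs a manual lookup, not a silent pass.
        report[cve] = rows or [("?", "unknown", "unknown")]
    return report

def fixed_by_upgrade(report):
    """CVEs where every affected package is open now but resolved in target."""
    return [cve for cve, rows in report.items()
            if all(cur == "open" and tgt == "resolved" for _, cur, tgt in rows)]
```

Loading the real export with `json.load` in place of the sample gives the same report for an actual list; CVEs reported as `unknown` still need a manual search in the tracker.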