Re: CVE-2023-41105 not fixed in bookworm
I'm just going to state this and let y'all figure it out. Security exploits / CVEs? Look, no matter what OS or software you run on your electronics hardware, at the end of the day electronics has a fatal flaw and cannot be secured. That flaw has been known about since electronics was invented / discovered, and any notion of "security" of electronics, or of software operating on electronics, is a delusional thought.

On Sun, Mar 10, 2024 at 9:59 AM Salvatore Bonaccorso wrote:
> Hi,
>
> On Fri, Mar 01, 2024 at 09:11:34AM +0100, Richard van den Berg wrote:
> > Dear security team,
> >
> > May I ask why CVE-2023-41105 was marked as "(Minor issue)"[1]?
> >
> > As the CVE description says there are plausible cases where this can
> > lead to security issues.
> >
> > There is a backport available for python 3.11 and it seems most other
> > distros have patched this CVE.
>
> The current open issues for python3.11 in bookworm do not warrant a
> DSA on its own, but that does not mean that they cannot be fixed
> (though someone needs to step up and do the work).
>
> The current three open CVEs CVE-2023-24329, CVE-2023-40217 and
> CVE-2023-41105 could be batched together and fixed in a point release
> (there is one upcoming on 2024-04-06, with the window for uploads
> closing the preceding weekend).
>
> Regards,
> Salvatore
Re: CVE-2023-41105 not fixed in bookworm
Hi,

On Fri, Mar 01, 2024 at 09:11:34AM +0100, Richard van den Berg wrote:
> Dear security team,
>
> May I ask why CVE-2023-41105 was marked as "(Minor issue)"[1]?
>
> As the CVE description says there are plausible cases where this can
> lead to security issues.
>
> There is a backport available for python 3.11 and it seems most other
> distros have patched this CVE.

The current open issues for python3.11 in bookworm do not warrant a
DSA on its own, but that does not mean that they cannot be fixed
(though someone needs to step up and do the work).

The current three open CVEs CVE-2023-24329, CVE-2023-40217 and
CVE-2023-41105 could be batched together and fixed in a point release
(there is one upcoming on 2024-04-06, with the window for uploads
closing the preceding weekend).

Regards,
Salvatore
[SECURITY] [DSA 5638-1] libuv1 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5638-1                    secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 10, 2024                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libuv1
CVE ID         : CVE-2024-24806
Debian Bug     : 1063484

It was discovered that the uv_getaddrinfo() function in libuv, an
asynchronous event notification library, incorrectly truncated certain
hostnames, which may result in bypass of security measures on internal
APIs or SSRF attacks.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.40.0-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.44.2-1+deb12u1.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
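The defensive pattern the advisory above points at, as an added example in Python (not libuv's code and not the Debian fix): refuse an over-long or malformed hostname before it reaches the resolver rather than cutting it to a fixed size, then check every resolved address against non-public ranges. The length caps, function names and sample inputs are my assumptions.

```python
import ipaddress
import socket

# RFC 1035 limits, assumed here as the caps we enforce: at most 253 characters
# in presentation form and at most 63 per label.
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63


class HostnameError(ValueError):
    """Raised for over-long or malformed names instead of truncating them."""


def hostname_problem(host):
    """Return why the hostname is unacceptable, or None if it is fine.
    An over-long name is rejected outright: silently cutting it to a fixed
    size, as the advisory describes for uv_getaddrinfo(), can hand the
    resolver a different name from the one the caller validated."""
    name = host.rstrip(".")
    if not name:
        return "empty hostname"
    if len(name) > MAX_HOSTNAME_LEN:
        return f"hostname too long ({len(name)} > {MAX_HOSTNAME_LEN})"
    for label in name.split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            return f"bad label length in {host!r}"
        if label.startswith("-") or label.endswith("-"):
            return f"label may not start or end with '-': {label!r}"
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return f"invalid character in label {label!r}"
    return None


def check_hostname(host):
    """Validate before resolution; return the normalised lower-case name."""
    problem = hostname_problem(host)
    if problem:
        raise HostnameError(problem)
    return host.rstrip(".").lower()


def address_is_public(addr):
    """Post-resolution SSRF guard: only globally routable unicast passes."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def resolve_public(host):
    """Validate, resolve (needs network), then drop every non-public result."""
    name = check_hostname(host)
    addrs = {info[4][0] for info in socket.getaddrinfo(name, None)}
    return sorted(a for a in addrs if address_is_public(a))
```

Both checks are needed: the pre-resolution one stops a name from being altered on the way to the resolver, the post-resolution one stops a name that legitimately resolves to an internal address.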