Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-24 Thread Salvatore Bonaccorso
Hi John, On Fri, May 24, 2024 at 01:57:01PM -0400, John Waffle wrote: > Hello, > > I was thinking about this a bit more and I had a question, > > > Let me as well elaborate on the "ignored". This comes as the binary > packages built from the *vulnerable* source, there is no point to force an >

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-24 Thread John Waffle
Hello, I was thinking about this a bit more and I had a question, > Let me as well elaborate on the "ignored". This comes as the binary packages built from the *vulnerable* source, there is no point to force an update in bookworm and older. It sounds like Debian uses the "ignored" state to mean
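The disagreement in this thread is between a scanner's verdict (trivy reports "will_not_fix") and the Debian security tracker's per-release state ("ignored" on tracker.debian.org). The following is an added example, not code from the bug report, from Debian or from trivy: it classifies a CVE per release from an excerpt in the layout the tracker's JSON export is assumed to use (source package -> CVE -> "releases" -> release -> "status", "fixed_version", "nodsa", "nodsa_reason"), and separates releases with a recorded no-DSA decision from releases that are open with no decision at all. The JSON excerpts are constructed to mirror what the thread describes (bookworm marked ignored, 1:1.3.dfsg-3.1 as the fixed version in sid); they are not a live download, and the "fixed_version": "0" convention for not-affected is an assumption.

```python
"""Classify a CVE's state per Debian release from a security-tracker JSON
excerpt.  Added example; the JSON layout is assumed from the tracker's
public export and the samples below are constructed, not downloaded."""
import json

# Constructed excerpt in the assumed tracker layout.  The values mirror the
# thread (bookworm: open but "ignored"; sid: fixed in 1:1.3.dfsg-3.1); the
# "nodsa" text is made up for the example.
SAMPLE_TRACKER_JSON = json.dumps({
    "zlib": {
        "CVE-2023-45853": {
            "releases": {
                "bookworm": {
                    "status": "open",
                    "repositories": {"bookworm": "1:1.2.13.dfsg-1"},
                    "urgency": "unimportant",
                    "nodsa": "Minor issue",
                    "nodsa_reason": "ignored",
                },
                "sid": {
                    "status": "resolved",
                    "repositories": {"sid": "1:1.3.dfsg-3.1"},
                    "fixed_version": "1:1.3.dfsg-3.1",
                },
            }
        }
    }
})

# Second constructed excerpt with a fictitious package and CVE: one release
# is open with no no-DSA decision recorded, one is marked not-affected.
SAMPLE_PENDING_JSON = json.dumps({
    "example-pkg": {
        "CVE-2000-0001": {
            "releases": {
                "bookworm": {"status": "open",
                             "repositories": {"bookworm": "1.0-1"}},
                "sid": {"status": "resolved", "fixed_version": "0"},
            }
        }
    }
})


def classify_cve(tracker_json: str, package: str, cve: str) -> dict:
    """Return {release: label} for one CVE of one source package.

    Labels: "fixed:<version>", "not-affected", "open-nodsa:<reason>",
    "open" (no fix and no recorded decision), or "undetermined".
    An unknown package or CVE yields an empty dict.
    """
    data = json.loads(tracker_json)
    entry = data.get(package, {}).get(cve)
    if entry is None:
        return {}
    labels = {}
    for release, info in entry.get("releases", {}).items():
        status = info.get("status")
        if status == "resolved":
            fixed = info.get("fixed_version")
            # Assumed convention: fixed_version "0" means never affected.
            labels[release] = "not-affected" if fixed in (None, "0") \
                else f"fixed:{fixed}"
        elif status == "open":
            reason = info.get("nodsa_reason")
            labels[release] = f"open-nodsa:{reason}" if reason else "open"
        else:
            labels[release] = "undetermined"
    return labels


def pending_releases(labels: dict) -> list:
    """Releases that are open with no recorded no-DSA decision.  These are
    the ones where "not fixed" really means "nobody has decided yet";
    an "ignored" or "postponed" release is a decision, not an omission."""
    return sorted(r for r, label in labels.items() if label == "open")


if __name__ == "__main__":
    zlib_labels = classify_cve(SAMPLE_TRACKER_JSON, "zlib", "CVE-2023-45853")
    for release, label in sorted(zlib_labels.items()):
        print(f"zlib CVE-2023-45853 {release}: {label}")
    print("pending:", pending_releases(zlib_labels))
```

When reconciling scanner output against the tracker, treat only the "open" label as a gap to chase; an "open-nodsa:ignored" release is a recorded decision by the distribution, which is what the tracker's "ignored" state conveys regardless of how a third-party scanner words it.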

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-22 Thread John Waffle
Hello, I got a response from trivy, https://github.com/aquasecurity/trivy/discussions/6722#discussioncomment-9518531 > Hello @superlazyname > Thanks for your report! > As you can see - we marked this vulnerability as "Status": "will_not_fix", . > We use

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-18 Thread Salvatore Bonaccorso
Hi John, On Fri, May 17, 2024 at 04:01:56PM -0400, John Waffle wrote: > This report came from a free tool, trivy, I filed a Github discussion about > it here: https://github.com/aquasecurity/trivy/discussions/6722 Thanks a lot for bringing that upstream. So to add some additional datapoint: The

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread John Waffle
This report came from a free tool, trivy, I filed a Github discussion about it here: https://github.com/aquasecurity/trivy/discussions/6722 On Fri, May 17, 2024 at 12:08 PM Salvatore Bonaccorso wrote: > Hi, > > On Fri, May 17, 2024 at 10:43:26AM -0400, John Waffle wrote: > > Package: zlib > >

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread Salvatore Bonaccorso
Hi, On Fri, May 17, 2024 at 10:43:26AM -0400, John Waffle wrote: > Package: zlib > Version: 1:1.2.13.dfsg-1 > > Related bug reports: > - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290 > - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056718 > > These were marked as resolved but

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread Mark Brown
On Fri, May 17, 2024 at 10:56:53AM -0400, John Waffle wrote: > Hi Mark, > > How do I get in contact with them, should I just send a message to > secur...@debian.org? Yes.

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread John Waffle
Hi Mark, How do I get in contact with them, should I just send a message to secur...@debian.org? Thanks, - J On Fri, May 17, 2024 at 10:54 AM Mark Brown wrote: > On Fri, May 17, 2024 at 10:43:26AM -0400, John Waffle wrote: > > > - The zlib package page https://tracker.debian.org/pkg/zlib says

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread Mark Brown
On Fri, May 17, 2024 at 10:43:26AM -0400, John Waffle wrote: > - The zlib package page https://tracker.debian.org/pkg/zlib says that > CVE-2023-45853 > is ignored, what is the basis for ignoring this CVE? > - Is there a plan to backport

Bug#1071276: Is 1:1.2.13.dfsg-1 affected by CVE-2023-45853, and if it is, will 1:1.3.dfsg-3.1 be backported to bookworm?

2024-05-17 Thread John Waffle
Package: zlib Version: 1:1.2.13.dfsg-1 Related bug reports: - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056718 These were marked as resolved but it seems like I'm getting some contradictory information. - The zlib package page