• open security issues in the git packages

  • From Thorsten Glaser@21:1/5 to All on Thu Jan 19 00:50:01 2023
    Hi Jonathan,

    are you planning to fix the open security issues in git?
    In addition to the two new ones from… last week I think,
    given Ubuntu LTS-security has been carrying the fixes for
    8 days now, there are another four issues in stable that
    are fixed in testing/sid (newer versions?) and oldstable
    (LTS team) that need fixing, according to the security
    tracker. The versions in Debian and *buntu don’t exactly
    match, but perhaps appropriate patches for the respective
    versions are available, or they apply with little fuzz?

    In addition, the bullseye-backports version is horribly
    outdated with respect to testing (13 months old). Roger,
    what are you planning to do about that? Please update or
    (less ideally) ask for removal; the current state is a
    disservice to users and violates the bpo rules.

    Thanks in advance,
    //mirabilos
    --
    Infrastructure expert • tarent solutions GmbH
    Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
    Phone +49 228 54881-393 • Fax: +49 228 54881-235
    HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
    Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeremy Stanley@21:1/5 to Thorsten Glaser on Thu Jan 19 15:50:01 2023
    On 2023-01-18 23:34:37 +0000 (UTC), Thorsten Glaser wrote:
    [...]
    The versions in Debian and *buntu don’t exactly match, but perhaps
    appropriate patches for the respective versions are available, or
    they apply with little fuzz?
    [...]

    Just a data point around this, I spent a good chunk of yesterday
    porting Ubuntu's 22-patch series for CVE-2022-23521 and
    CVE-2022-41903 from the 1:2.25.1-1ubuntu3.7 package in focal-updates
    to the 1:2.30.2-1 in bullseye. The only patch my colleagues and I
    found which needed adjustment was 0012, and for that I was able to
    apply upstream commit 3c50032 directly instead.
    --
    Jeremy Stanley


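The triage Jeremy describes (which patches of a series apply as-is, which apply only with fuzz, and which need a manual port) can be automated before anyone touches the tree. The script below is an added example, not code from the thread or from the Debian/Ubuntu packages; it assumes GNU `patch` and a directory of `*.patch` files in the usual `a/`/`b/` git layout, and the function name is mine.

```shell
#!/bin/sh
# Added example: dry-run a patch series against a source tree and sort the
# patches into OK (applies exactly), FUZZ (applies, but patch had to move or
# loosen hunks, so review them) and FAIL (needs a manual port, or an upstream
# commit applied instead). Nothing is written: --dry-run never touches $tree.
# Assumptions: GNU patch is installed; patches use -p1 (a/, b/) paths.

triage_series() {
  tree=$1
  patchdir=$2
  status=0
  for p in "$patchdir"/*.patch; do
    [ -e "$p" ] || continue          # no patches at all: empty glob
    name=$(basename "$p")
    # --batch keeps patch from prompting (e.g. on reversed patches);
    # capture stderr too, since hunk diagnostics go there on failure.
    out=$(patch --dry-run --batch -p1 -d "$tree" < "$p" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
      echo "FAIL  $name"
      status=1
    elif printf '%s\n' "$out" | grep -Eq 'fuzz|offset'; then
      echo "FUZZ  $name"             # e.g. "Hunk #1 succeeded at 12 with fuzz 1."
    else
      echo "OK    $name"
    fi
  done
  return $status                      # nonzero if any patch needs a port
}
```

Run it as `triage_series path/to/unpacked/source debian/patches` and port only the FAIL entries by hand; FUZZ entries still deserve a look, since a hunk that landed at an offset can land in the wrong function.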
  • From Jeremy Stanley@21:1/5 to Jeremy Stanley on Thu Jan 19 18:50:01 2023
    On 2023-01-19 14:04:52 +0000 (+0000), Jeremy Stanley wrote:
    [...]
    The only patch my colleagues and I found which needed adjustment
    was 0012, and for that I was able to apply upstream commit 3c50032
    directly instead.

    Ubuntu has issued https://ubuntu.com/security/notices/USN-5810-2 now
    covering the lack of completeness we alerted them to in their patch
    0012 for focal and bionic, so definitely don't use their original
    patch straight.
    --
    Jeremy Stanley

