Hi,

On Sat, Jan 20, 2024 at 03:53:45PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:gnutls28
>
> Hello,
>
> I would like to fix both CVE-2024-0567 and CVE-2024-0553 via an
> oldstable-updates since they do not require a DSA.

Only a small remark about the CVE tracking, no direct need to change anything: CVE-2024-0553 exists because of an incomplete fix of CVE-2024-0553, so technically we have that incomplete fix not yet in any official bullseye release (apart from the bullseye-pu).

So for the security-tracker I tend to consider CVE-2024-0553 not-affected for bullseye, but then CVE-2023-5981 only fixed in 3.7.1-5+deb11u5 rather than 3.7.1-5+deb11u4.

For that I have done the following two commits:

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f30f93b036b864eb245daf7dec5f70a824a7fb5c
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd218ec683140739797aa973d354e00b8660e9b

Let me know if you disagree and we should revert that to track all 3 CVEs for gnutls28 in bullseye.

Regards,
Salvatore