Control: reopen -1

Hi Thomas,

On Fri, May 07, 2021 at 01:21:39AM +0200, Thomas Goirand wrote:
> On 5/6/21 9:03 PM, Salvatore Bonaccorso wrote:
> > close 985104 2:17.1.1-1
> > thanks
> >
> > Apparently, following https://bugs.launchpad.net/neutron/+bug/1902917 there is
> > disagreement on if the issue was incompletely fixed or not but still upstream
> > seems to have considered CVE-2021-20267.
> >
> > OpenStack maintainers, double-check as well please.
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> To me, the issue isn't fixed upstream. The patch at:
> https://review.opendev.org/c/openstack/neutron/+/783743
>
> hasn't been merged. I expect it to be backported by upstream to the
> version in Bullseye.
>
> Probably it would be more reasonable to wait until the patch is merged
> upstream before we/I apply it in Debian.

Thanks for confirming my suspicion. After reading the bug, in my
understanding it was meant to be fixed in 17.1.1 until then (around
comment #17 it was found that the fixes are not yet fixing the issue
completely, so upstream as well decided to not publish an advisory).

Let's reopen the bug and revert the fixed version as well in the
security-tracker.

Thanks for your diligent work on the OpenStack package ecosystem.

Regards,
Salvatore