Hi Gregor,

On Sat, Feb 18, 2023 at 12:56:39AM +0100, Gregor Jasny wrote:
> Hi Salvatore,
>
> On 17.02.23 21:31, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for c-ares.
> >
> > CVE-2022-4904[0]:
> > | buffer overflow in config_sortlist() due to missing string length check
>
> I uploaded a fixed package for sid and prepared an update for bullseye and
> buster:

Perfect, thanks for the upload to unstable. Can you monitor the situation and make sure the fix lands in the upcoming bookworm? We are now in soft freeze (cf. https://lists.debian.org/debian-devel-announce/2023/02/msg00003.html).

> https://salsa.debian.org/debian/c-ares/-/commits/bullseye/
> https://salsa.debian.org/debian/c-ares/-/commits/buster/
>
> Are you a member of the Debian Security team and could give me the green
> light to upload those two packages into the "security upload queue".

Thanks for preparing them. Yes, I am. We have assessed the issue to be no-dsa (see the security-tracker CVE page), but a fix would be very welcome in bullseye as well via a point release; can I route you through that path?

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

That said, I cannot say about buster, which is now in LTS team hands. I do not see a no-dsa tag, but it is also not listed in the dla-needed file (triaging in LTS context has probably not yet happened there). But I suggest proposing the LTS update accordingly to the LTS team. You can there either do it all alone (including the DLA release), or ask for help in the "paper work" part and ask an LTS team member to release the advisory, with you doing the upload.

https://lts-team.pages.debian.net/wiki/Development.html contains information, but as said, you can simply propose the update, debdiff and prepare the package update only; there is no requirement that you also do the organizational and DLA advisory releasing part involving the various steps.

Thanks already!

Regards,
Salvatore