On Wed, Jun 7, 2023 at 3:58 PM Martin-Éric Racine <martin-eric.rac...@iki.fi> wrote:
>
> On Wed, Jun 7, 2023 at 3:09 PM Andreas Beckmann <a...@debian.org> wrote:
> >
> > Package: dhcpcd
> > Version: 9.4.1-22
> > Severity: serious
> > User: debian...@lists.debian.org
> > Usertags: piuparts
> >
> > wheezy had a dhcpcd binary package built from src:dhcpcd at version
> > 1:3.2.3-11+deb7u1 while bookworm has one built from src:dhcpcd5 at
> > version 9.4.1-22 which is lower, violating the archive property of
> > monotonically increasing version numbers.
>
> You are talking about a version that is even older than what's in
> oldstable. Sorry, but that really doesn't qualify as
> Severity:serious.
>
> This being said, this is something that is easily fixed by
> re-introducing the epoch. Whether this is really worth the trouble
> given how the discrepancy dates back to something even older than
> oldstable is an entirely different issue.
+dhcpcd (1:3.2.3-11+deb7u1) oldstable-security; urgency=high + + * Fix CVE-2012-6698, CVE-2012-6699, CVE-2012-6700, + out-of-bound reads/writes and use-after-free issues with specially + crafted DHCP messages. + This is a forward port of the patch applied to squeeze-lts since + wheezy uses the same upstream version. (LP: #1517226) + + -- Guido Günther <a...@sigxcpu.org> Sun, 27 Mar 2016 15:47:43 +0200 + +dhcpcd (1:3.2.3-11) unstable; urgency=high + + * Security fix, remote stack overflow: CVE-2012-2152. (closes: #671265) + + -- Simon Kelley <si...@thekelleys.org.uk> Thu, 3 May 2012 14:03:12 +0000

These are the very last uploads I could find that used this epoch. I really don't think that we're gonna go there.

Martin-Éric