Hi,

On Sat, Dec 2, 2023 at 3:51 PM Roman Veselý <ro...@liten.cz> wrote:
>
> Dear Maintainers,
>
> The bug CVE-2023-49298 is here: https://tracker.debian.org/pkg/zfs-linux
> marked as LOW PRIORITY for Bullseye and Bookworm.
>
> Are you planning to fix this bug in Bullseye and Bookworm soon?
>
> For many users, the fix is important - if the official Debian fix will take longer,
> it's good to know and make the fix yourself.
>
> Thank you for your support for ZFS in Debian,
>

The fix will land in bookworm-backports and bullseye-backports-sloppy shortly after 2.1.14-1 migrates to testing, which will take about 2 days hopefully. Fixes to 2.0.3-9+deb11u1 (bullseye) and 2.1.11-1 (bookworm) are planned but will likely take more time.

Such an issue is marked low-priority because the bug itself isn't urgent from a security update point of view, which means an attacker can only cause damage in rare cases. It's still recommended to update or at least apply mitigations to the problem (by setting zfs_dmu_offset_next_sync to 0 on bookworm) to avoid potential data loss.

Thanks,
Aron
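
The mitigation mentioned in the reply above only helps if it is both live in the loaded module and persisted across reboots. The following audit script is an added example, not part of the original thread or of the Debian packaging. It assumes the standard Linux locations for module parameters (`/sys/module/zfs/parameters/` and `options zfs ...` lines in `/etc/modprobe.d/*.conf`); the function names and status labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the zfs_dmu_offset_next_sync mitigation.
# Both roots are parameters so the check can run against a constructed tree.
# Usage on a live system: mitigation_status /sys /etc/modprobe.d

PARAM=zfs_dmu_offset_next_sync

# runtime_value SYSFS_ROOT -> current value, or "absent" if zfs is not loaded
runtime_value() {
    f="$1/module/zfs/parameters/$PARAM"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# persisted_value MODPROBE_DIR -> last value found on an "options zfs" line,
# or "unset". Simplification: files are read in glob order, last match wins.
persisted_value() {
    v=unset
    for conf in "$1"/*.conf; do
        [ -r "$conf" ] || continue
        found=$(sed -n "s/^[[:space:]]*options[[:space:]]\{1,\}zfs[[:space:]].*$PARAM=\([0-9]\{1,\}\).*/\1/p" "$conf" | tail -n 1)
        if [ -n "$found" ]; then v=$found; fi
    done
    echo "$v"
}

# mitigation_status SYSFS_ROOT MODPROBE_DIR -> one status label
mitigation_status() {
    rt=$(runtime_value "$1")
    ps=$(persisted_value "$2")
    case "$rt:$ps" in
        0:0)      echo "mitigated" ;;              # live and survives reboot
        0:*)      echo "runtime-only" ;;           # lost on reboot or module reload
        absent:0) echo "persisted-not-loaded" ;;   # applies once zfs is loaded
        absent:*) echo "module-not-loaded" ;;
        *:0)      echo "persisted-not-applied" ;;  # reload module or write sysfs
        *)        echo "unmitigated" ;;
    esac
}
```

A `runtime-only` or `persisted-not-applied` result is the case worth alerting on, since the host looks mitigated from one side only.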