Hi Anibal,

On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> cpio (2.14+dfsg-1) unstable; urgency=medium
> .
>   * New upstream release
>     Closes: #1049402
>     Noteworthy changes in this release:
>     - New option --ignore-dirnlink
>       Valid in copy-out mode, it instructs cpio to ignore the actual number
>       of links reported for each directory member and always store 2
>       instead.
>     - Changes in --reproducible option
>       The --reproducible option implies --ignore-dirlink. In other words,
>       it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
>     - Use GNU ls algorithm for deciding timestamp format in -tv mode
>     - Bugfixes
>       - Fix cpio header verification.
>       - Fix handling of device numbers on copy out.
>       - Fix calculation of CRC in copy-out mode.
>       - Rewrite the fix for CVE-2015-1197.
>       - Fix combination of --create --append --directory.
>       - Fix appending to archives bigger than 2G.
>   * Update uploaders list
>     Closes: #925021
>   * Standards-Version: 4.6.2
>   * Fix Path traversal vulnerability due to partial revert of fix for
>     CVE-2015-1197
>     Closes: #1059163
Thanks for this upload to unstable. Can you check if the upstream redone changes for CVE-2015-1197 are backportable, and if so can you address the issue in the upcoming point releases for bookworm and bullseye?

Regards,
Salvatore