Hi Anibal,

On Fri, Dec 22, 2023 at 08:46:19PM +1100, Anibal Monsalve Salazar wrote:
> On Fri, 2023-12-22 08:42:46 +0100, Salvatore Bonaccorso wrote:
> > Hi Anibal,
> >
> > On Fri, Dec 22, 2023 at 06:21:04AM +0000, Debian Bug Tracking System wrote:
> > > cpio (2.14+dfsg-1) unstable; urgency=medium
> > > .
> > >   * New upstream release
> > >     Closes: #1049402
> > >     Noteworthy changes in this release:
> > >     - New option --ignore-dirnlink
> > >       Valid in copy-out mode, it instructs cpio to ignore the actual number
> > >       of links reported for each directory member and always store 2 instead.
> > >     - Changes in --reproducible option
> > >       The --reproducible option implies --ignore-dirlink. In other words,
> > >       it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
> > >     - Use GNU ls algorithm for deciding timestamp format in -tv mode
> > >     - Bugfixes
> > >       - Fix cpio header verification.
> > >       - Fix handling of device numbers on copy out.
> > >       - Fix calculation of CRC in copy-out mode.
> > >       - Rewrite the fix for CVE-2015-1197.
> > >       - Fix combination of --create --append --directory.
> > >       - Fix appending to archives bigger than 2G.
> > >   * Update uploaders list
> > >     Closes: #925021
> > >   * Standards-Version: 4.6.2
> > >   * Fix Path traversal vulnerability due to partial revert of fix for
> > >     CVE-2015-1197
> > >     Closes: #1059163
> >
> > Thanks for this upload to unstable. Can you check if the upstream
> > redone changes for CVE-2015-1197 are backportable, and if so can you
> > address the issue in the upcoming point releases for bookworm and
> > bullseye?
> >
> > Regards,
> > Salvatore
>
> Sure.
>
> The commit in question is at:
>
> https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=376d663340a9dc91c91a5849e5713f07571c1628
Great, thanks a lot. I have added the above as well for reference in the security-tracker.

Regards,
Salvatore