Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fdroidser...@packages.debian.org, Hans-Christoph Steiner <h...@eds.org>
Control: affects -1 + src:fdroidserver
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
There was a security problem reported against fdroidserver:
https://www.openwall.com/lists/oss-security/2024/04/08/8

[ Impact ]
Stable users of fdroidserver running their own repo could be tricked into
providing wrongly signed files.

[ Tests ]
Manual test on F-Droid internal datasets as well as automated tests inside
fdroidserver.

[ Risks ]
Low, the relevant code is only used to extract and verify signatures.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable

[ Changes ]
The patch reorders the code as well as changes the code of the imported
androguard library.

[ Other info ]
Upstream is still working on a long term fix that will be uploaded to
unstable later. I agreed with upstream to use the patch provided in the
mail on oss-security already now.