On 2024-05-24 11:42, Louis-Philippe Véronneau wrote:
On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff <j...@inutil.org> wrote:
Source: clojure
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clojure.

CVE-2024-22871[0]:
| An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
| attacker to cause a denial of service (DoS) via the
| clojure.core$partial$fn__5920 function.

https://github.com/advisories/GHSA-vr64-r9qj-h27f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22871
    https://www.cve.org/CVERecord?id=CVE-2024-22871

Please adjust the affected versions in the BTS as needed.

Hi,

Thanks for the report. Maybe I'm reading this wrong, but the Debian archive has clojure 1.10 (oldstable) and 1.11 (stable and up).

The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why we are affected by this CVE?

Cheers,


Well, I guess there's a typo and it's "1.2.0 to 1.12.0-alpha5" (which would make way more sense, as there is no such thing as clojure 1.20).

--
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄
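The thread above turns on whether the packaged Clojure versions fall inside the advisory's affected range once the suspected typo ("1.20" read as "1.2.0") is corrected. The following script is an added triage example, not code from this bug report or from the Clojure project; it assumes the corrected range Louis-Philippe guesses and takes the Debian versions as the "1.10" and "1.11" stated in the reply (parsed as 1.10.0 and 1.11.0). It orders pre-release tags (alpha/beta/rc) before the corresponding final release, as the "1.12.0-alpha5" upper bound requires, and flags an inverted range such as the literal "1.20 to 1.12.0-alpha5" instead of silently matching nothing.

```python
import re

# Pre-release tags sort before a final release of the same number; a final
# release gets rank 3 so that 1.12.0-alpha5 < 1.12.0-beta1 < 1.12.0-rc1 < 1.12.0.
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = (3, 0)

_VERSION_RE = re.compile(
    r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?"
)


def parse_version(text):
    """Turn '1.12.0-alpha5' into a comparable tuple; missing parts read as 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    if m.group(4):
        pre = (_PRE_ORDER[m.group(4)], int(m.group(5) or 0))
    else:
        pre = _FINAL
    return (major, minor, patch, pre)


def range_is_sane(low, high):
    """An advisory range whose lower bound exceeds its upper bound is a typo."""
    return parse_version(low) <= parse_version(high)


def in_range(version, low, high):
    """Inclusive check, matching the advisory's 'X to Y' wording."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(low, high, packaged):
    """Map each packaged suite to True/False for 'inside the affected range'.

    Returns None when the range itself is inverted, so the caller cannot
    mistake a nonsensical advisory range for 'nothing is affected'.
    """
    if not range_is_sane(low, high):
        return None
    return {suite: in_range(ver, low, high) for suite, ver in packaged.items()}


# Constructed inputs taken from the thread: the suites named in the reply and
# the two readings of the advisory range (literal vs. suspected typo).
DEBIAN_VERSIONS = {"oldstable": "1.10", "stable": "1.11"}
LITERAL_RANGE = ("1.20", "1.12.0-alpha5")
SUSPECTED_RANGE = ("1.2.0", "1.12.0-alpha5")  # assumed, per the reply's guess

if __name__ == "__main__":
    print("literal range sane? ", range_is_sane(*LITERAL_RANGE))
    print("literal triage:     ", triage(*LITERAL_RANGE, DEBIAN_VERSIONS))
    print("suspected triage:   ", triage(*SUSPECTED_RANGE, DEBIAN_VERSIONS))
```

With the literal range the script reports an inverted range and returns None; with the corrected range both packaged suites fall inside it, which is the reading that would justify keeping the bug open against them.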
