On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff
> <j...@inutil.org> wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for clojure.
> >
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> >
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> >     https://www.cve.org/CVERecord?id=CVE-2024-22871
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
>
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?
The CVE descriptions are often bogus, see the upstream advisory I listed:

| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
Moritz