On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff
> <j...@inutil.org> wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for clojure.
> > 
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> > 
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> >     https://www.cve.org/CVERecord?id=CVE-2024-22871
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
> 
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?

The CVE descriptions are often bogus, see the upstream advisory I listed:
| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
        Moritz
