Hi Anuradha,

[disclaimer: not a member of the release team, so not an authoritative reply]

On Mon, Jul 13, 2020 at 06:56:27PM -0400, Anuradha Weeraman wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: anura...@debian.org, car...@debian.org
>
> [ Reason ]
> Summary of the issue: In ksh version 20120801, a flaw was found in the
> way it evaluates certain environment variables. An attacker could use
> this flaw to override or bypass environment restrictions to execute
> shell commands.
>
> [ Impact ]
> Services and applications that allow remote unauthenticated
> attackers to provide one of those environment variables could allow them
> to exploit this issue remotely, although the risk is deemed low.
>
> [ Tests ]
> There is a test included in the diff that was used to validate the
> fix. Also, the regression test suite was run to make sure there were
> no regressions.
>
> [ Risks ]
> The regression test suite has been run before and after the patch to
> confirm no new regressions. Also, the fix is applied in unstable with no
> new issues reported.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> * Patch to arith.c that fixes the CVE
> * Test case for the fix
>
> [ Other info ]
> This was brought up to the security team first, and it was deemed that a
> DSA is not required by Salvatore Bonaccorso.

Small change is needed in the debdiff:

> diff -Nru ksh-93u+20120801/debian/changelog ksh-93u+20120801/debian/changelog
> --- ksh-93u+20120801/debian/changelog 2018-12-14 02:26:58.000000000 -0500
> +++ ksh-93u+20120801/debian/changelog 2020-07-12 11:26:07.000000000 -0400
> @@ -1,3 +1,15 @@
> +ksh (93u+20120801-4+deb10u1) buster-security; urgency=high

The target distribution would need to be 'buster' in this case of the upload for the point release.

Thanks for your work on this update,

Regards,
Salvatore
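Review bot: the hunk header `@@ -1,3 +1,15 @@` says twelve lines are added to debian/changelog, but only the first of them, `+ksh (93u+20120801-4+deb10u1) buster-security; urgency=high`, is quoted, so the rest of the entry (the arith.c fix and the test case listed under [ Changes ]) cannot be checked against the changelog here; when resubmitting with the distribution field changed from `buster-security` to `buster` for the pu upload, quote the complete changelog hunk so the entry can be reviewed against the stated changes.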