Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Muehlenhoff
On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for clojure.
> > 
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> > 
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> > https://www.cve.org/CVERecord?id=CVE-2024-22871
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
> 
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?

The CVE descriptions are often bogus, see the upstream advisory I listed:
| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
Moritz
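As an added illustration of the affected-version question in this thread (example code written here, not part of the bug report, of Debian's tooling or of the Clojure project): a small Python triage helper that orders Clojure-style version strings, including alpha pre-releases, and checks the suite versions named in the thread ("1.10" for oldstable and "1.11" for stable, taken at face value since the exact Debian package versions are not given here) against three readings of the affected range: the range as printed in the CVE text, the ranges from the upstream advisory Moritz quotes, and Louis-Philippe's "1.2.0" reading of the CVE text. The range as printed ("1.20" to "1.12.0-alpha5") is empty, which is why the CVE text alone suggests Debian is unaffected while the upstream ranges say otherwise.

```python
import re

# Hypothetical triage helper (added example, not Debian or Clojure project code).
# Parses versions like "1.11.1" or "1.12.0-alpha5" into a sortable tuple in which
# a pre-release (alpha/beta/rc) sorts before the final release of the same number.

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # final releases sort after every pre-release of that number

_VERSION_RE = re.compile(
    r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?"
)


def parse_version(v):
    """Return a tuple that orders Clojure-style versions correctly.

    "1.12.0-alpha5" < "1.12.0-alpha8" < "1.12.0" and "1.7.0" < "1.10" < "1.11.1".
    Missing minor/patch components count as zero, so "1.10" == "1.10.0".
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, pre, pre_num = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    pre_key = (_PRE_RANK[pre], int(pre_num)) if pre else (_FINAL_RANK, 0)
    return nums + pre_key


def in_range(version, low, high):
    """Inclusive membership test on parsed versions."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def range_is_empty(low, high):
    """True when the lower bound sorts above the upper bound (no version matches)."""
    return parse_version(low) > parse_version(high)


def affected(version, ranges):
    """True if `version` falls inside any (low, high) pair in `ranges`."""
    return any(in_range(version, lo, hi) for lo, hi in ranges)


# Range exactly as printed in the CVE text quoted in the bug report.
# "1.20" parses as 1.20.0, above 1.12.0-alpha5, so this range is empty.
CVE_TEXT_RANGES = [("1.20", "1.12.0-alpha5")]

# Ranges as stated in the upstream advisory quoted by Moritz.
UPSTREAM_RANGES = [("1.7.0", "1.11.1"), ("1.12.0-alpha1", "1.12.0-alpha8")]

# Louis-Philippe's reading of the CVE text with "1.20" taken as a typo for "1.2.0".
GUESSED_CVE_RANGES = [("1.2.0", "1.12.0-alpha5")]

# Suite versions as named in the thread (constructed from the discussion,
# not looked up from the archive; real package versions carry a patch level).
DEBIAN_VERSIONS = {"oldstable": "1.10", "stable": "1.11"}


def triage(ranges, versions=DEBIAN_VERSIONS):
    """Map each suite to whether its Clojure version falls inside `ranges`."""
    return {suite: affected(v, ranges) for suite, v in versions.items()}


if __name__ == "__main__":
    print("CVE text range is empty:", range_is_empty(*CVE_TEXT_RANGES[0]))
    print("per CVE text:          ", triage(CVE_TEXT_RANGES))
    print("per upstream advisory: ", triage(UPSTREAM_RANGES))
    print("per 1.2.0 reading:     ", triage(GUESSED_CVE_RANGES))
```

The pre-release handling is the part worth keeping in any triage script: a plain string or float comparison would put "1.12.0-alpha5" after "1.12.0" and "1.20" before "1.3", and either mistake silently changes which suites look affected.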



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Louis-Philippe Véronneau

On 2024-05-24 11:42, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for clojure.
> > 
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> > 
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> >     https://www.cve.org/CVERecord?id=CVE-2024-22871
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Thanks for the report. Maybe I'm reading this wrong, but the Debian
> archive has clojure 1.10 (oldstable) and 1.11 (stable and up).
> 
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm
> why we are affected by this CVE?
> 
> Cheers,

Well, I guess there's a typo and it's "1.2.0 to 1.12.0-alpha5" (which 
would make way more sense, as there is no such thing as clojure 1.20).


--
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Louis-Philippe Véronneau
On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> Source: clojure
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for clojure.
> 
> CVE-2024-22871[0]:
> | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> | attacker to cause a denial of service (DoS) via the
> | clojure.core$partial$fn__5920 function.
> 
> https://github.com/advisories/GHSA-vr64-r9qj-h27f
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
>     https://www.cve.org/CVERecord?id=CVE-2024-22871
> 
> Please adjust the affected versions in the BTS as needed.


Hi,

Thanks for the report. Maybe I'm reading this wrong, but the Debian 
archive has clojure 1.10 (oldstable) and 1.11 (stable and up).


The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm 
why we are affected by this CVE?


Cheers,

--
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
  ⠈⠳⣄



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Mühlenhoff
Source: clojure
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clojure.

CVE-2024-22871[0]:
| An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
| attacker to cause a denial of service (DoS) via the
| clojure.core$partial$fn__5920 function.

https://github.com/advisories/GHSA-vr64-r9qj-h27f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22871
https://www.cve.org/CVERecord?id=CVE-2024-22871

Please adjust the affected versions in the BTS as needed.