• Bug#1088904: simplesamlphp: CVE-2024-52596

    From Salvatore Bonaccorso@21:1/5 to Tobias Frost on Sat May 10 09:30:01 2025
    Hi

    On Sat, May 10, 2025 at 08:48:56AM +0200, Tobias Frost wrote:
    > Hi,
    >
    > After fixing CVE-2025-27773 (#1100595) for LTS I was taking a look
    > to tackle unstable as well (as a step toward fixing stable).
    > While doing this I noticed that the changelog entry for 1.19.7-1+deb12u1
    > only mentions CVE-2024-52596 but not CVE-2024-52806, and there is also
    > only a patch named CVE-2024-52596 [1] but no sign of a fix for
    > CVE-2024-52806, so I believe the latter has not been fixed with
    > 1.19.7-1+deb12u1, despite the security tracker saying so.
    >
    > Possibly I've missed something, so I'd appreciate it if someone could
    > verify my findings.
    >
    > [1] the patch content matches the upstream patch mentioned in the
    > security tracker.

    I believe it is all correct. Back then when Thijs prepared the update
    only one CVE was known, and in fact the patch name was named with the
    wrong CVE id. The followup to the tracker explained that:

    https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13291705050fb81832690a56cbbd84345996f691

    I.e. CVE-2024-52806 is fixed by https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7
    and for CVE-2024-52724 the "fix" is actually https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5
    but considered sufficiently fixed with the dropping of LIBXML_DTDLOAD
    | LIBXML_DTDATTR options from $options as explained in the notes.

    I asked this back in December 2024 to Thijs.

    I.e. do not change the state for the entries for what was fixed with
    Thijs' DSA.

    Regards,
    Salvatore
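
As an added illustration (not code from this bug report, the Debian package, or simplesamlphp), the PHP snippet below places a DOMDocument parse that keeps the LIBXML_DTDLOAD | LIBXML_DTDATTR flags next to one that drops them, which is the mitigation the message above describes for CVE-2024-52724. The parseXml() helper, the option constants and the sample document are hypothetical; LIBXML_DTDLOAD (load the external DTD subset) and LIBXML_DTDATTR (apply DTD-declared default attributes) are real libxml flags.

```php
<?php
// Added example, not simplesamlphp's own code. Contrasts a parse that keeps
// LIBXML_DTDLOAD | LIBXML_DTDATTR with one that drops them, as the Debian
// update does. parseXml(), the constants and the sample are hypothetical.
declare(strict_types=1);

function parseXml(string $xml, int $options): DOMDocument
{
    $dom = new DOMDocument();
    // Collect libxml diagnostics instead of letting them reach the output.
    $prev = libxml_use_internal_errors(true);
    try {
        if (!$dom->loadXML($xml, $options)) {
            throw new RuntimeException('XML parse failure');
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
    return $dom;
}

// Weak setting: libxml may resolve the external DTD subset named in a
// DOCTYPE and apply default attribute values declared there.
const OPTIONS_WEAK = LIBXML_NONET | LIBXML_DTDLOAD | LIBXML_DTDATTR;
// Hardened setting: the same parse with DTD loading and DTD default
// attributes switched off (LIBXML_NONET additionally blocks network I/O).
const OPTIONS_HARDENED = LIBXML_NONET;

// Constructed sample: a document carrying a DOCTYPE that points at an
// external DTD (placeholder path, not a real file).
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE root SYSTEM "dtd/placeholder.dtd">
<root>payload</root>
XML;

// A defensive caller can go one step further and refuse any input that
// carries a DOCTYPE at all, regardless of the parser flags in use.
function hasDoctype(DOMDocument $dom): bool
{
    return $dom->doctype !== null;
}

foreach (['weak' => OPTIONS_WEAK, 'hardened' => OPTIONS_HARDENED] as $name => $opts) {
    $dom = parseXml($sample, $opts);
    printf("%s: doctype present = %s, root text = %s\n",
        $name, hasDoctype($dom) ? 'yes' : 'no', $dom->documentElement->textContent);
}
```

The DOCTYPE node is recorded under both settings, so the hasDoctype() check works independently of whether the DTD was loaded; the difference the flags make is whether libxml attempts to resolve the external subset and apply its declarations during the parse.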

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)