Hi security-team,

Not sure why but in an automatic update of data/CVE/list, CVE-2018-12326 was marked as being fixed in DSA-4230-1. However, this only fixes CVE-2018-11218 & CVE-2018-11219.

As I understand it, this therefore means we need to do the following:

a) Release 3:3.2.6-3+deb9u2 with the additional change for CVE-2018-12326?

b) Update the CVE list manually?

--- a/data/CVE/list +++ b/data/CVE/list @@ -1461,7 +1461,6 @@ CVE-2018-12327 (Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2 NOTE: https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f NOTE: Negligible security impact CVE-2018-12326 (Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 ...) - {DSA-4230-1} - redis 5:4.0.10-1 (bug #902410) NOTE: https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0 NOTE: https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50

c) ... & ensure that this doesn't clobber the 3:3.2.6-3+deb9u2 upload in stretch-proposed-updates (what happens in this case out of interest?)

Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
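
Review bot: Dropping the {DSA-4230-1} line from the CVE-2018-12326 entry in data/CVE/list may not stick, because the mail says the tag arrived through an automatic update of that file. If that update derives the tag from the advisory's own record, the next run would put the line back, so the CVE should be removed there as well, or instead. The hunk header (-1461,7 +1461,6) shows a single removed line, so the "- redis 5:4.0.10-1 (bug #902410)" line stays as context. With the DSA tag gone, the entry records only that fixed version for redis and says nothing about stretch. If 3:3.2.6-3+deb9u2 is going to carry the fix, it is worth deciding whether a release-specific line should be added in the same change rather than leaving stretch implicit.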