Hi Steve,

On Wed, Nov 06, 2019 at 10:10:23AM -0800, Steve Langasek wrote:
> Hello,
>
> On Sat, Nov 02, 2019 at 08:59:25PM +0100, Salvatore Bonaccorso wrote:
> > Source: freetds
> > Version: 1.1.6-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Control: found -1 1.00.104-1
>
> > The following vulnerability was published for freetds.
>
> > CVE-2019-13508[0]:
> > | FreeTDS through 1.1.11 has a Buffer Overflow.
>
> Where does this "1.1.11" number come from? I do not see any releases newer
> than 1.1.6 upstream.
The CVE assignment was acknowledged by upstream in the launchpad bug 1835896. MITRE descriptions in any case should not be trusted 1-1, and in this case it even was very minimalistic. In any case the fix is the upstream commit 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac in the git repository on github.

But I notice on https://www.freetds.org/software.html that the current stable version should be 1.1.20, and while the respective commits are there on the master branch, the releases seem not to be tagged.

Does this help?

Regards,
Salvatore