Control: retitle -1 atftpd: CVE-2021-46671: Potential information leak in atftpd<0.7.5

Hi Andreas,

On Fri, Feb 04, 2022 at 07:40:49PM +0100, Andreas B. Mundt wrote:
> Control: patch -1
> 
> 
> Hi,
> 
> many thanks for the report and the information provided!
> 
> >    * What led up to the situation?
> > During a research project we have found a potential information leak
> > in the atftpd daemon from package atftpd, where malformed requests can
> > lead to a (partial) leak of the contents of /etc/group. 
> 
> > […]
> 
> > It appears that this bug has been fixed upstream (commit
> > 9cf799c40738722001552618518279e9f0ef62e5), and the fix is already
> > included in atftpd version 0.7.git20210915-3 in debian testing).
> > Yet we were able to reproduce this behavior on debian stable/bullseye 
> > (atftpd version 0.7.git20120829-3.3+deb11u1) and debian oldstable/buster 
> > (atftpd version 0.7.git20120829-3.2~deb10u2).
> 
> I've prepared packages with the cherry-picked patch for
>   bullseye (0.7.git20120829-3.3+deb11u2) and
>   buster (0.7.git20120829-3.2~deb10u3).
> Nothing has been uploaded yet to coordinate with the security team first,
> debdiff attached.

The issue has been assigned CVE-2021-46671.

Andreas, unless I miss something crucial, I think this issue can be
fixed in the upcoming point releases and does not require a DSA.

Regards,
Salvatore
