Hi,

On Wed, Mar 29, 2023 at 11:43:05PM +0200, Moritz Mühlenhoff wrote:
> On Tue, Mar 28, 2023 at 09:29:57PM +0200, Salvatore Bonaccorso wrote:
> > Hi László,
> >
> > On Sun, Mar 26, 2023 at 04:13:01PM +0200, László Böszörményi wrote:
> > > Hi,
> > >
> > > On Fri, Mar 17, 2023 at 7:54 PM László Böszörményi (GCS)
> > > <g...@debian.org> wrote:
> > > > On Thu, Mar 16, 2023 at 11:15 PM Moritz Mühlenhoff <j...@inutil.org>
> > > > wrote:
> > > > > On Fri, May 21, 2021 at 09:46:31PM +0200, Moritz Muehlenhoff wrote:
> > > > > > CVE-2019-11939:
> > > > > > https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
> > > > > Is this fixed in Bookworm?
> > > > I let the Security Team decide how this should be treated. I will try
> > > > to describe it in full and short.
> > > Friendly ping: how does the Security Team see this issue? I've provided
> > > insights [1] and tend to think it's safe for Bullseye and later.
> > Sorry for the late reply, currently mostly offline.
> >
> > Strictly speaking, if the code base diverged, CVE-2019-11939 would be
> > for Facebook's fbthrift only. If Apache Thrift has a similar issue,
> > which is my understanding of THRIFT-5322, then it would need its own
> > CVE, which does not seem to exist (in some cases a CVE might be used
> > by multiple projects even if the code base is not the same).
> >
> > I'm leaning to mark CVE-2019-11939 as NFU for Facebook fbthrift
> > specifically, and leave alone the Apache Thrift issues for a similar case.
> > Given the issue would be no-dsa for bullseye and fixed in bookworm, I
> > would not do anything in particular unless a CVE gets assigned.
> >
> > Moritz, do you agree?
>
> I agree, let's mark it as NFU: Facebook fbthrift and not track Apache
> Thrift/src:thrift specifically here.

Updated the tracking information accordingly.

Regards,
Salvatore