Hi Brian,

On Mon, Apr 10, 2023 at 02:54:42PM +0200, Salvatore Bonaccorso wrote:
> On Sat, Apr 08, 2023 at 01:44:33PM +0200, Salvatore Bonaccorso wrote:
> > Hi Brian,
> >
> > On Sat, Apr 08, 2023 at 07:56:55PM +1000, Brian May wrote:
> > > Salvatore Bonaccorso <car...@debian.org> writes:
> > >
> > > > Version: 7.8.git20221117.28daf24+dfsg-1.1
> > >
> > > Are you sure this applies to the unstable version?
> > >
> > > I can only find one out of two chunks in the patch. Maybe it was already
> > > fixed in the stable branch which we use for unstable?
> >
> > I *was* almost sure this was only fixed in the master branch of
> > Heimdal and was not in 7.7.0 as well, and 7.8 does not seem to have
> > the change applied as well.
> >
> > But I will double-check again.
> >
> > https://www.kb.cert.org/vuls/id/730793 contains some more information
> > and some distributions like Ubuntu did cherry pick the fix as well in
> > their respective 7.7.0 and 7.5.0 based versions.
>
> Here is what ubuntu has backported for the older series, for 7.7.0
> https://launchpadlibrarian.net/628258298/heimdal_7.7.0+dfsg-1ubuntu1_7.7.0+dfsg-1ubuntu1.1.diff.gz
> and for 7.5.0 it is included in
> https://launchpadlibrarian.net/628240960/heimdal_7.5.0+dfsg-1_7.5.0+dfsg-1ubuntu0.1.diff.gz
> and the change for spnego/accept_sec_context.c still applies to the
> version in unstable.
>
> The upstream code was refactored in master branch of upstream project,
> but the underlying issue seems what is touched there.
>
> Unfortunately I have no further information available on the heimdal
> issue, still it might be worth getting this fixed via unstable in
> bookworm.
>
> Let me know what you think, Brian.
I made the following change to the security-tracker metadata:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99013142d2f81b3c821be4c6683e7157615977e2

The reason behind that is I think we should consider CVE-2022-3116 and
CVE-2021-44758 different issues. I'm not completely sure, but
CVE-2021-44758 was analogous dealing with the code.

Regards,
Salvatore