On Wed, Sep 06, 2023 at 08:11:17PM +0200, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and buster-security
> for
>
> > CVE-2023-20900[0]:
> > | VMware Tools contains a SAML token signature bypass vulnerability. A
> > | malicious actor with man-in-the-middle (MITM) network positioning
> > | between vCenter server and the virtual machine may be able to bypass
> > | SAML token signature verification, to perform VMware Tools Guest
> > | Operations.
> >
>
> any objections against fixing CVE-2023-20867 at the same time?
> It's a minor issue so we did not fix it, but I think it doesn't hurt
> to include it in stable/oldstable uploads while we are at it.

Ack, that's perfectly fine!

> Current (untested) diff would be:
>
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/-/commit/3812674370c07c708744c0d1d497583dffa3d665

I'll have a look tomorrow.

Cheers,
Moritz